Did you know that banks are not required to report data breaches unless it results in a financial loss to customers?
The intrusion also highlights a possible gap in United States regulations. Banks are not required to report data breaches and online intrusions unless the incident is deemed to have resulted in a financial loss to customers. Breach notification laws differ by state, but most laws require only that companies disclose a breach if customer names were stolen in conjunction with other information like a credit card, Social Security number or driver’s license number.
In some states, companies can wait up to a month to inform customers of a breach. Other state laws are more vague.
Lots of people have read that the JPMorgan Chase data intrusion started in June and went until mid-August. Maybe you read some of the technical publications that covered it like ARSTechnica, The long game: How hackers spent months pulling bank data from JPMorgan or maybe some business press back then JPMorgan Hackers Came In the Front Door — in June. Two Months of Mayhem (warning video autostart)
Now does it bother anyone else that maybe some of the 83 million customers might have wanted to have known sooner than October 3? Do you want to bet that a lot of really big customers did find out in advance? Anyone bother to ask them? Did they stay or quietly move their accounts? Or were they informed that nine other financial institution were hacked and that the public doesn’t know because the Treasury is afraid of a financial meltdown?
As the favorite, too big to fail bank, the US Government was there to help JPMorgan Chase as much as possible. I guess they felt guilty, what with forcing them to pay that big fine for their earlier massive fraud and asking them help with US imposed sanction on Russia.
What is interesting to me is that I’ve read about 30 stories now about the data breach and most are still treating JPMorgan Chase with kid gloves. Or downplaying the seriousness of this when asking questions. One story asked people on the street, and determined it’s a boring story and nobody cares.
Maybe all my questions have been asked and answered and I’m just slow. These questions might seem dumb or “out of the loop” by the savvy business press, but I’m just your average consumer Vulcan so I wrote the Consumer Financial Protection Bureau and asked a few questions:
- Do you have any comment about JPMorgan Chase’s announcement of the data breach from last June that was revealed more fully in October?
- What are your thoughts about their response, specifically their decision to tell people they don’t have to change passwords and that they aren’t offering credit monitoring?
- If there aren’t any requirements that they had to reveal the info sooner, why did they reveal it now? Was it only the SEC requirements that forced them? Different states have different laws about disclosure, did they violate any of these laws?
The burden of follow up and spot fraud was placed on the consumer following Chase’s failure to keep its network secure.
- Are there any regulations that they are violating here? Is anyone proposing new laws to protect the consumer in this case?
- During other data breeches the institution that failed offered services to protect the consumer for fraud. JPMorgan Chase has not. They say they cover credit card losses, but in this case the main concern is consumer fraud since personal information was obtained because of their failure.
What were the reasons JPMorgan gave the government that they shouldn’t be required to help consumers deal with possible fraud in the months or years to come?
- Was the reason JP Morgan wasn’t required to provide greater protection because The US government determined the attack was state-sponsored?
- If it is state-sponsored and that is why JPMorgan isn’t required to protect consumers, will the government step in?
- Are we at cyber war with Russia? Who can I talk to about this?
The media is still absorbing this story. Fox is running, “What can you to protect yourself?” stories. Maybe we will start seeing a deeper analysis of this soon, but only in the approved channels of inquiry. If it goes too far I’m guessing the “National Security” reasons will be invoked.
During the upcoming media, PR blitz I expect this attack on JPMorgan Chase will morph into “It’s your patriotic duty to stick with this bank or the
terrorists Russians win.” Fox News loves wars, I’m guessing that the “We are at Cyberwar with Russia!” story to start soon. I hear they will have some nice theme music.
Dimon’s political clout will protect him. Too bad the CEO of Target didn’t have that, he was forced to resign with the hack happened on his watch. Dimon will probably get a raise, and a Presidential Medal of Freedom. Like this guy.
Joint Operations train against cyber war photo by. Staff Sgt. Tracy J. Smith, Georgia National Guard Creative Commons License