In a great piece of original reporting by Gripe Line Blogger Ed Foster, at least one of the banks whose customers were affected by the CardSystems security breach doesn’t feel it had any obligation to notify its customers.
I’ve previously covered the CardSystems security problems, and noted several times here and on the radio, that the main reason we’re learning about these privacy breaches is because of new laws — such as one in California — that requires companies to notify consumers whose private information has been compromised. These laws are a common sense requirement, allowing consumers to have the information they need to be on higher alert for evidence of identity theft.
But as Ed Foster reports, the folks at Chase Manhattan Bank think the law is open to interpretation and don’t think its customers need to know about the risks they face:
“Even the strictest of laws, like the one in California, require more identifying information like the individual’s social security number or an account password be involved,” [a Chase spokesman] told me. “None of those things were accessed in this case.”
As Foster notes, many other financial institutions are taking a different approach, believing that their customers might appreciate knowing when trouble might be around the corner. And, as previously noted, at least one state attorney general has decided that a failure to provide timely notice to consumers was a crime.
If your bank hasn’t notified you about any privacy risk to your credit card, it might be worth giving their customer service department a call to see if they can tell you definitively whether your card was at risk. If they don’t know or refuse to tell you, this might be a good opportunity close your account, cut up your card, and consider reducing your risk by finding a bank that cares more about you.