Companies lag in revealing data breaches, consumer groups say - The Boston Globe

Rumors of a data breach at a major New York bank started circulating more than a week ago in cybersecurity circles. So for insiders, news that JPMorgan Chase had been victimized was more confirmation than revelation, the latest headline from a digital crime wave that shows no sign of ebbing.

But for the millions of customers of JPMorgan Chase, the news reports that began appearing Wednesday were the first indication that their personal information might have been stolen by hackers. Like Target, Neiman Marcus, and countless other companies, the nation’s largest bank chose to keep evidence of a cybercrime private until journalists forced the issue.

This reticence is both deeply rooted within corporate America and, to some consumer advocates, deeply infuriating. Had a family’s precious jewelry been stolen from a safe deposit box, any bank would have quickly notified the affected customer. Yet loss of personal information, especially when it happens on a mass scale, is treated differently, both by the law and by industry custom.

The result is that weeks, or longer, can pass between when a company learns of a cybercrime and when its customers do. That gap, say security experts, can amount to crucial lost time for people who might want to protect themselves by monitoring transactions, changing passwords or alerting other relevant parties — such as a credit card company — that the risk of fraud or identity theft is elevated.

‘‘There have been so many breaches where companies have held information for so long that more disclosure would force companies to do a better job being accountable to consumers,’’ said Ed Mierzwinski, consumer program director at US Public Interest Research Group.

The seriousness of the JPMorgan Chase breach, which involves at least one other bank as well, remains uncertain, though some reports said account data may have been compromised for some customers.

Bloomberg News first reported the intrusion Wednesday, saying that the FBI was investigating the possibility that Russian hackers had launched an attack in retaliation for US sanctions. Other investigators have expressed skepticism about that possibility but have not ruled it out.

JPMorgan Chase posted a notice on its website saying, ‘‘The security of your Chase accounts is one of our highest priorities,’’ with general tips on how to protect personal banking security. But it didn’t directly address the numerous news reports of a data breach, nor did it offer details about what happened and who might be affected.

A spokesperson for JPMorgan Chase said it will notify consumers if it determines they have been impacted but declined to say when or how. JPMorgan Chase also declined to comment on when it first learned of the data breach.

The interests of consumers and authorities sometimes diverge, said Neil MacBride, former US attorney for the Eastern District of Virginia and now a partner at Davis, Polk & Wardwell. ‘‘Consumers want immediate notification from the breached company, while law enforcement may want several days or weeks to investigate a crime scene before hackers are tipped off that the cops are on their tail.’’

Notification is a notoriously cumbersome and costly process for companies that have data breaches. Forty-seven states and the District of Columbia have laws governing such disclosures, and a company with a nationwide customer base may have to comply with them all.

There also are notification requirements specific to banks under federal law. Publicly traded companies must report ‘‘material breaches’’ from cybercrime in disclosures to investors. And the Federal Trade Commission investigates some corporate data breaches, especially when there is evidence that security measures were not up to industry standards.

The result is a mish-mash of rules and regulations that, in practice, force companies to disclose data breaches but rarely require them to do so quickly.

Imposing the work of notification on companies was a top goal of those who pushed for state notification laws. They wanted to raise the cost of data breaches in order to give companies an incentive to implement better security practices.

‘‘It wasn’t about providing a lot of notice to consumers. It was about seeking some visibility about lax security procedures,’’ said Deirdre Mulligan, a professor at the University of California, Berkeley, School of Information who helped craft California’s data breach law, which when it passed in 2002 was the nation’s first.

But 12 years later, as the incidents continue to pile up, some experts say the time has come to revisit the subject — with the goal of prioritizing the interests of the consumers who are affected.

‘‘We’ve got this kind of patchwork, but given the frequency and visibility of these breaches, we ought to have a much more rigorous conversation in this country about data security policy,’’ said Woodrow Hartzog, a Samford University law professor.

Until then, companies typically remain free to take the initiative and notify their customers quickly, but are rarely required to.