Rumors of a data breach at a major New York bank started circulating more than a week ago in cybersecurity circles. So for insiders, news that JPMorgan Chase had been victimized was more confirmation than revelation, just the latest headline from a digital crime wave that shows no sign of ebbing.
But for the millions of customers of JPMorgan Chase, the news reports that began appearing Wednesday were the first indication that their personal information might have been stolen by hackers. Like Target, Neiman Marcus and countless other companies, the nation’s largest bank chose to keep evidence of a cybercrime private until journalists forced the issue.
This reticence is both deeply rooted within corporate America and, to some consumer advocates, deeply infuriating. Had a family’s precious jewelry been stolen from a safe deposit box, any bank would have quickly notified the affected customer. Yet loss of personal information, especially when it happens on a mass scale, is treated differently, both by the law and by industry custom.
The result is that days, weeks or longer can pass between when a company learns of a cybercrime and when its customers do. That gap, say security experts, can amount to crucial lost time for people who might want to protect themselves by monitoring transactions, changing passwords or alerting other relevant parties – such as a credit card company – that the risk of fraud or identity theft is elevated.
“There have been so many breaches where companies have held information for so long that more disclosure would force companies to do a better job being accountable to consumers,” said Ed Mierzwinski, consumer program director at U.S. Public Interest Research Group. “It’s a real pain in the neck to clear your name. … You have to spend time – a lot of time – clearing your name. And you don’t get paid for that.”
The seriousness of the JPMorgan Chase breach, which involves at least one other bank as well, remains uncertain, though some reports said account data may have been compromised for some customers.
Bloomberg News first reported the intrusion Wednesday afternoon, saying that the FBI was investigating the possibility that Russian hackers had launched an attack in retaliation for U.S. sanctions prompted by Russia’s actions in Ukraine. Other investigators have expressed skepticism about that possibility but not ruled it out.
JPMorgan Chase posted a notice on its website saying, “The security of your Chase accounts is one of our highest priorities,” with general tips on how to protect personal banking security. But it didn’t directly address the numerous news reports of a data breach, nor did it offer details about what happened and who might be affected.
A spokesperson for JPMorgan Chase said it will notify consumers if it determines they have been impacted but declined to say when or how. JPMorgan Chase also declined to comment on when it first learned of the data breach.
The interests of consumers and authorities sometimes diverge, said Neil MacBride, former U.S. Attorney for the Eastern District of Virginia and now a partner at Davis Polk & Wardwell. “Consumers want immediate notification from the breached company while law enforcement may want several days or weeks to investigate a crime scene before hackers are tipped off that the cops are on their tail.”
Notification is a notoriously cumbersome and costly process for companies that have data breaches. Forty-seven states and the District of Columbia have laws governing such disclosures, and a company with a nationwide customer base may have to comply with them all.
There also are notification requirements specific to banks under federal law. Publicly traded companies must report “material breaches” from cybercrime in disclosures to investors. And the Federal Trade Commission investigates some corporate data breaches, especially when there is evidence that security measures were not up to industry standards.
The result is a mish-mash of rules and regulations that, in practice, force companies to disclose data breaches but rarely require them to do so quickly.