
Indiana data privacy and data security issues

There are several Indiana laws that address privacy and data security issues, including the Indiana Consumer Data Protection Act and the Indiana Disclosure of Security Breach Act.

Question: One of our software providers recently experienced a cyber breach impacting our bank’s data, and now a customer is threatening litigation based on the unauthorized disclosure of his information. We know we comply with the federal data security and privacy laws – are there any additional requirements under Indiana law with respect to protecting customer data, and can we be found liable for the vendor’s failure to secure our customer data?

Answer: There are several Indiana laws that address privacy and data security issues, including the Indiana Consumer Data Protection Act[1] and the Indiana Disclosure of Security Breach Act (IDSBA), Ind. Code § 24-4.9. However, banks are either exempt from these laws[2] by virtue of their compliance with federal data privacy and security requirements (the Gramm-Leach-Bliley Act/Regulation P, the Interagency Guidelines Establishing Information Security Standards, the Federal Trade Commission Safeguards Rule via GLBA, and the new FTC Standards for Safeguarding Customer Information) or, when they are subject to these laws, are permitted to substitute compliance with the various federal data privacy and security requirements for compliance with a different state standard. Perhaps the one notable exception is the requirement that financial institutions comply with the 45-day notice requirement under the IDSBA in the event of a breach.

However, the third-party vendors to banks are generally not exempt from these Indiana laws. Further, there have been several lawsuits filed against Indiana financial institutions in recent years asserting that data breaches by the institution, or in some cases even their third-party service provider, constitute common law negligence, negligence per se in the event the financial institution fails to adhere to the 45-day notice requirement under the IDSBA, and unfair and deceptive acts in violation of the Indiana Deceptive Consumer Sales Act (IDCSA).[3] The IDCSA claims focus on alleged misrepresentations by the financial institution of the ability to maintain adequate and necessary safeguards—in line with statutory, regulatory and industry requirements and standards—to ensure that the sensitive personally identifying information would be protected from disclosure to unauthorized third parties and/or by failing to disclose that it had not taken safeguards to protect their personally identifying information.

While banks often have limited leverage when negotiating vendor agreements, whether or not a bank faces significant liability in the scenario described above often depends on the extent to which it appreciates the potential risk associated with issues like data security when negotiating these contracts. Often, third-party vendors will demand relatively small liability caps and provide little to no indemnification for their failure to comply with required data security standards. Some vendors will even attempt to transfer liability for their breach of data privacy laws that the bank is exempted from back to the bank via contract. Before accepting the vendor’s standard contract, keep in mind that state and federal bank regulators are becoming increasingly focused on the content of vendor agreements and their impact on the safety and soundness of financial institutions.[4]

This information is provided for general education purposes and is not intended to be legal advice. Please consult legal counsel for specific guidance as to how this information applies to your institution’s circumstances or situation.

[1] Ind. Code § 24-15

[2] Financial institutions are exempt from the Indiana Consumer Data Protection Act, Ind. Code § 24-15, pursuant to IC 24-15-1-1(b)(2), which provides, “[t]his article does not apply to any of the following: (2) Any financial institutions and affiliates, or data subject to Title V of the federal Gramm-Leach-Bliley Act (15 U.S.C. 6801 et seq.).”

[3] Ind. Code § 24-5-0.5

[4] Ind. Code § 28-11-3-1 requires any vendor providing data processing or other similar services off-premises from the bank to provide authority to the Indiana Department of Financial Institutions to examine that vendor’s operations.

Brett Ashton

Brett is chair of Krieg DeVault’s Financial Institutions Practice. He counsels a wide array of financial institutions on complex bank acquisitions, litigation defense and avoidance strategies, strategic planning, new product development, negotiation and defense of regulatory enforcement actions, and general regulatory compliance issues.

Krieg DeVault LLP is a Diamond Associate Member of the Indiana Bankers Association.
