The J.P. Morgan Chase & Co. data breach has drawn the attention of a number of state attorneys general, including Illinois Attorney General Lisa Madigan. Madigan, who is at the forefront of the investigations, remarked that the breach was among “the most troubling breaches ever” because it proved that “there is probably no database that cybercriminals cannot compromise.” The J.P. Morgan breach impacted 76 million households and 7 million small businesses in June and July of this year. At this point, the investigations by the attorneys general center on whether J.P. Morgan breached state notification laws by failing to provide timely notification to affected customers.
Forty-seven states have enacted different variations of data breach notification laws, which provide mandatory notification procedures and timelines for companies that have been affected by a data breach. However, whether a company is subject to a state notification law depends on whether the breach compromised “personal information,” as it is defined under the relevant state statute. J.P. Morgan has reported that its data breach compromised only information such as names and e-mail addresses, rather than social security numbers or credit card information. As such, the investigations by the attorneys general may result in the conclusion that J.P. Morgan did not violate the state notification laws because its data breach did not compromise “personal information.” While J.P. Morgan could be off the hook for liability under these notification laws, this could spur states to broaden their definition of “personal information” for future data breaches.