JPMorgan Data Breach Involves Information on 76 Million Households, 7 Million Small Businesses, CRS Legal Sidebar, October 23, 2014

“JPMorgan did not provide individual customers with notice of the breach because it believed that it had no obligation to do so because no “sensitive customer information” was involved in the data breach. This means that JPMorgan apparently has complied with data breach notification standards promulgated by the federal banking regulators pursuant to the privacy provisions of the Gramm-Leach-Bliley Act (GLBA). These standards specify the contents of breach notices that must be supplied by telephone, mail, or electronic mail to all affected customers when a data breach involves “sensitive customer information.” Should “sensitive customer information” be involved in a data breach, the guidelines require financial institutions, such as JPMorgan, to notify customers only if after a “reasonable investigation” the company determines that “misuse of its information about a customer has occurred or is reasonably possible.”