In what is likely the first of many state inquiries to come, the Connecticut Attorney General sent a letter on June 13, 2011 to Citigroup, Inc. requesting more information about the recent data breach it announced last week.
On June 9, 2011, Citigroup announced that unidentified hackers had breached its system and accessed data belonging to hundreds of thousands of its North American credit card clients. The information accessed included client names, credit card numbers, addresses and email addresses. Social Security numbers were reportedly protected and not accessed during the breach.
Since that time, it has been reported that Citigroup waited 3 weeks to notify its clients and the public of the breach. The delay was reportedly due, in part, to the length of the bank’s internal investigation, which began within 24 hours of the discovery of the breach and took 10 to 12 days. Under Connecticut law, any company doing business in the state must notify any Connecticut residents of a breach of their personal information “without unreasonable delay.” Notification is not required if, “after an appropriate investigation” and consultation with law enforcement, the company determines that “the breach will not likely result in harm” to the affected individuals.
The Connecticut AG’s letter requests information pertaining to: the number of individuals affected; the circumstances surrounding the breach and its discovery; security measures used prior to the breach, as well as those implemented following the breach; the types of information accessed; any unauthorized charges; notification materials to Citigroup clients; and internal computer and data policies. The AG has demanded the responses by June 22, 2011.
Given the high-profile nature of this breach and the increase in enforcement activity we are seeing at the state level, we expect that this is the first of many government inquiries to come.