Two state attorneys general say they have been in contact with J.P. Morgan Chase & Co. about a recent cyberattack in which the personal information for 76 million households was compromised.
Among the issues being scrutinized is whether the bank alerted customers quickly enough about the breach, according to people familiar with the matter.
The office of Connecticut Attorney General George Jepsen has contacted the bank since its disclosure earlier this year, a spokeswoman for the attorney general said.
Illinois Attorney General Lisa Madigan is also looking into the breach. In a statement Friday, Ms. Madigan said this cyberattack is among the most "troubling" breaches, because it shows how vulnerable U.S. institutions and their databases are.
"Millions of Americans trusted Chase to secure their money and personal information," she said in a statement. But because the bank failed to be forthcoming, "they have lost their confidence in Chase."
Ms. Madigan noted that the bank's filing this past week about the attack "only revealed...limited details." She said the cyberattack demands a response from "the highest level of our government" and that the investigation results should be shared with the public, since consumers' information and financial security are at risk.
It isn't clear how many states are looking into the issue. The Federal Bureau of Investigation previously has said it was looking into the matter, and a spokeswoman for the agency said Friday that investigation is continuing.
Rep. Maxine Waters (D., Calif.), a member of the House Committee on Financial Services, called on Congress to "bolster data security requirements and strengthen consumer protections that ensure victims are notified in a timely manner when their financial and personal information is stolen."
A J.P. Morgan spokeswoman said it communicated with customers three times--once after the attack was disclosed in August, once in mid-September and again Thursday, in each instance giving the status of the investigation and saying that the bank hasn't seen unusual levels of fraud.
After initially acknowledging the attack, the bank waited about a month to further describe the extent of the breach because it didn't want to give information that was overly optimistic or information that might scare customers unnecessarily until it knew more, the spokeswoman said.
Probes by the two attorneys general are examining whether the bank followed the appropriate steps and timelines in accordance with Illinois and Connecticut data-breach laws, people familiar with the matter said.
Most states have notification laws that largely dictate whether institutions have to inform clients of a data breach and when, with the details varying by state, said Jim McCullagh, a partner at Perkins Coie LLP, a Seattle-based law firm that represents companies that are victims of data breaches.
In most cases, this time period is loosely defined, experts say, and it can often be extended if law enforcement is involved.
Legal experts say it doesn't appear J.P. Morgan ran afoul of the state notification laws, since sensitive customer information such as Social Security numbers, account numbers and passwords wasn't accessed. J.P. Morgan said Thursday that contact information such as phone numbers and e-mail addresses was taken.
"We were not surprised that it was going to take some time for them to figure out what was compromised," said Eva Velasquez, president and chief executive of the Identity Theft Resource Center, a nonprofit group based in San Diego. Since sensitive information wasn't threatened, there's "no time clock ticking for them to notify consumers," she said.
Other consumer advocates, however, say the bank should have done more to put customers on notice even if it wasn't aware of the full extent of the breach weeks ago, especially since the cyberattack leaves customers vulnerable to "phishing" attacks. Phishing involves criminals contacting customers while pretending to be the bank and asking them for more personal information.
There is no sign of increased phishing activity against Chase customers, a person with knowledge of the investigation said.
"Delayed notification could pose greater risks, because it gives bad guys more time to abuse or sell to other bad guys the hacked information," said Ed Mierzwinski, consumer-program director at U.S. Public Interest Research Group, a nonprofit group based in Washington.
Customer Stephen Collins, 47 years old, said the bank needs "to make it a priority to tighten up their security." Mr. Collins, who is a driver from Brooklyn, N.Y., said he plans to call the bank to see if he has been affected. But he was circumspect about its impact on customers. "You just have to deal with it when it comes up," he said.