Norm Needleman

STATE SENATOR

DEPUTY PRESIDENT PRO TEMPORE

COMMON-SENSE SOLUTIONS

July 6, 2021

Senators Maroney, Duff, & Needleman, Representative Arconti Voice Disapproval Following Ally Bank Leaking Password, Continue Fight for Data Privacy Law in State


Today, Senate Majority Leader Bob Duff (D-Norwalk), Senator James Maroney (D-Milford), Senator Norm Needleman (D-Essex), and State Representative David Arconti (D-Danbury) voiced their disapproval of the ongoing details of the Ally Bank data leak. Recently, Ally Bank leaked user names and passwords to third-party marketing partners. It took the company two months to notify customers of the breach, and it continues to refuse to name the parties to whom the data was leaked.

Data leaks such as this one have become more commonplace. According to Risk Based Security, the number of records exposed increased to 36 billion in 2020 and there were 2,935 publicly reported breaches in the first three quarters of 2020. Other trends included a doubling of ransomware attacks from 2019 to 2020. Healthcare was the most victimized sector in 2020.

“Customer security should be foremost on businesses’ minds, especially essential services like banks that offer services directly impacting customers’ lives. For Ally Bank to not only leak customer information to marketing partners but take two months to even notify customers is a betrayal of those customers’ trust,” said Sen. Duff, Senate Majority Leader. “They even refuse to provide information on where and who the data was leaked to, vital information that customers need to know to know how serious this issue is and protect themselves from potential financial harm. It’s an abdication of their responsibilities.”

“It is critical that we fight for strong protections for Connecticut residents,” said Sen. Maroney. “To prevent leaks like this from happening, and in an unfortunate event that they do happen, there needs to be some form of recourse action taken. I will continue to fight for data privacy protection for consumers in our state.”

“The decisions made by Ally Bank in this situation seem to have been made by committee and without urgency – when customers may face serious personal harm because of them,” said Sen. Needleman, Senate Chair of the Energy & Technology Committee. “When phishing and cyber vulnerability continue to grow as threats in the modern day, it’s a serious lapse of judgment for Ally to slow-walk such a precarious situation. This cannot become a regular occurrence.”

“This unfortunate personal data breach at Ally Bank is another example of the imperative need to strengthen Connecticut’s data privacy laws to help protect customers from similar situations,” said Rep. David Arconti, House Chair of the Energy & Technology Committee. “Now more than ever, with the rise in technology and the many online options for conducting everyday business, our personal information must be protected.”

This past legislative session, legislation was introduced that would protect Connecticut residents’ privacy on electronic devices. The consumer bill of rights provision that would have provided consumers with rights and corporations with responsibility ultimately did not pass both chambers. The legislation would have given the Connecticut Attorney General the power to enforce the consumer rights in the event of corporate violations of those rights. The legislators will be working to reintroduce that legislation next session.

The Consumer Privacy legislation would have created a consumer data bill of rights and required big-tech companies to clearly state what data is being collected, how it’s being used, and why – and consumers would have the right to see that data, fix any errors in it, or delete it all. If a data breach such as the Ally Bank leak were to affect residents in Connecticut, the financial institution would have had to let its consumers know right away; it would not be allowed to take two months.