WESH reports that SunTrust Banks sent out letters this week to customers informing them that their cards were being replaced due to the Heartland breach.
WESH’s reporter asked what I would have asked: why are notifications first being sent now? The news station reports, “When asked why it took SunTrust so long to find out and notify customers, the representative said it takes months to sort it all out and SunTrust was probably part of the last wave of banks to learn that they could be affected.”
The value of breach notifications in reducing the risk or extent of identity theft has been a matter of research and debate in the past year. Certainly, however, if notification is to reduce the risk of misuse, it needs to be timely. The Heartland breach was announced three months ago. In this day and age, three months seems too long to wait before notifying customers. Yes, I know that consumers have no liability in some situations, but eventually we all pay for the fraudulent charges. The Heartland breach may have challenged card issuers and financial institutions due to the scale of the breach, but hopefully someone will do an analysis of the response to the incident to determine how quickly all affected institutions were notified and provided with necessary information, and how quickly financial institutions notified affected individuals and/or replaced cards.