On August 26, 2022, KeyBank reported a data breach with the Attorney General of Montana and several other government entities stemming from what appears to have been an incident at a third-party vendor. According to KeyBank, the breach resulted in the names, mortgage information, phone numbers, property information, home insurance information and partial Social Security numbers of certain borrowers being compromised. After confirming the breach and identifying all affected parties, KeyBank began sending out data breach letters to all affected parties.

If you received a data breach notification, it is essential you understand what is at risk and what you can do about it. To learn more about how to protect yourself from becoming a victim of fraud or identity theft and what your legal options are in the wake of the KeyBank data breach, please see our recent piece on the topic here.

What We Know About the KeyBank Data Breach

The information about the KeyBank data breach comes from an official filing with the Attorney General of Montana. Based on the most recent reports, on August 4, 2022, KeyBank was contacted by one of the company’s third-party vendors, Overby-Seawell Company (“OSC”). Evidently, KeyBank uses the services of OSC to ensure that mortgage borrowers are maintaining the appropriate home insurance on their homes.

More specifically, Overby-Seawell Company reported that an unauthorized external party had gained remote access to its network and, on July 5, 2022, acquired certain information from a number of OSC clients, including certain personal information of KeyBank clients.

Upon discovering that sensitive consumer data was accessible to an unauthorized party, KeyBank began the process of reviewing all affected files to determine what information was compromised and which consumers were impacted by the incident. While the breached information varies depending on the individual, it may include your:

• Name

• Mortgage property address

• Mortgage account number(s) and mortgage account information

• Phone number

• Property information

• The first eight digits of your social security number

• Home insurance policy number and home insurance information

On August 26, 2022, KeyBank sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.

More Information About KeyBank

Founded in 1994 and based in Cleveland, Ohio, KeyBank is a regional bank and the primary subsidiary of KeyCorp. KeyBank has 1,197 branches and 1,572 ATMs in the following states: Alaska, Colorado, Connecticut, Delaware, Florida, Idaho, Illinois, Indiana, Iowa, Maine, Maryland, Massachusetts, Michigan, Minnesota, New Jersey, New York, Ohio, Oregon, Pennsylvania, Rhode Island, Texas, Utah, Vermont, Virginia, Washington, D.C. and Washington. KeyBank is the 24th largest bank in the United States and employs more than 17,110 people, and generates approximately $7 billion in annual revenue.

What Are Third-Party Data Breaches?

The KeyBank data breach is what is referred to as a third-party data breach. A third-party data breach occurs when the company that was the target of a cyberattack was not the company that interacted with the consumer and accepted their information. Most often, as is the case in the KeyBank data breach, these incidents involve cyberattacks at vendors the primary company relies on to perform certain services. Given this reality, it is common for victims of a data breach to have never heard of the company that was responsible for the leaking of their information.

Following a data breach, especially one involving multiple companies, victims may wonder which organization is liable for the breach. Generally speaking, under state and federal data breach laws, all organizations have an obligation to protect consumer information in their possession regardless if they were the company that took a consumer’s information. Thus, both KeyBank and Overby-Seawell Company would owe a duty of care to safely maintain consumer data.

In the case of the KeyBank / Overby-Seawell Company data breach, there is no indication that KeyBank’s data security systems were inadequate. However, depending on the outcome of the investigation, KeyBank could have been negligent in entrusting sensitive consumer data to OSC. For example, this may be the case if KeyBank had reason to believe that OSC’s data security systems were lacking or that the company had a history of mishandling consumer data.

Of course, because the breach occurred at OSC, it is the most likely liable party. The question in all data breach cases is whether the company took the necessary care to protect the consumer information in its possession. If OSC did not implement the necessary procedures to protect KeyBank customer information, the company may be liable. And, if KeyBank was aware of any inadequacies at OSC, KeyBank may also be liable.

Organizations must take their consumer privacy duties seriously, and those businesses that choose not to do so increase the likelihood of a breach. By bringing a data breach lawsuit, victims of a breach can pursue financial compensation for what they’ve been through. These cases also go a long way in encouraging companies to ensure they do everything possible to protect consumer data from cyber threats.