The attorneys general of 19 states have launched a multi-state investigation into JP Morgan, in the wake of its massive data breach last year that affected 76 million households and millions more small businesses.

The attorneys general launched the investigation into the data breach last month with a letter sent to JPMorgan’s global chief privacy officer. The letter, obtained by Compliance Week, seeks detailed information pertaining to the nature and status of the breach, as well as what safeguards JPMorgan has in place to protect sensitive data.

Examples of specific information that the states are requesting from JPMorgan include:

A copy of any and all compliance materials, both public and non-public, regarding compliance with Gramm-Leach-Bliley’s Financial Privacy and Safeguards Rule;

Whether JPMorgan is aware of any fraudulent activity regarding any compromised information including, but not limited to, any unauthorized account access and/or charges;

A copy of JPMorgan’s privacy policy, both current and as made available to consumers during the ten-year prior to the breach; and

Any internal or third-party investigative report or audit performed by or for JPMorgan relative to the breach.

JPMorgan said that hackers compromised users contact information—including names, addresses, phone numbers, and e-mail addresses—in the breach affecting customers who have used Chase’s web or mobile services:, JPMorganOnline, Chase Mobile or JPMorgan Mobile. The breach took place during June and July.

In a Form 8-K released in October, JPMorgan said it does not believe, however, that hackers compromised consumers’ account information—such as account numbers, passwords, user IDs, dates of birth or Social Security Numbers. The bank said that it “continues to vigilantly monitor the situation and is continuing to investigate the matter. The firm is fully cooperating with government agencies in connection with their investigations.”

In a statement, Rhode Island Attorney General Peter Kilmartin confirmed the multi-state investigation.  "While there is no indication that information including customers' account numbers, Social Security numbers, or date of birth was compromised, the scope of this breach is of great concern," he said.

JPMorgan is the latest company to face a multi-state probe after experiencing a data breach. Other companies include Target, Home Depot, Experian, and Zappos.  

Look for more information on the JPMorgan investigation in an upcoming edition of Compliance Week.