If a Financial Institution Mishandles My Data, What Recourse Do I Have?
grahamsaa writes: My sister recently consolidated her student loans, and the bank e-mailed the paperwork, which included her name, address, date of birth, social security number, drivers license number and bank account information to the wrong e-mail address. The address (a gmail address) is associated with a real person (not her), so someone now has all of her personal details. My sister claims that she read her e-mail address to the bank representative over the phone twice, but that it was transcribed incorrectly.
The real issue is that the bank was willing to use unencrypted e-mail at all to send sensitive information, and I told my sister that at a minimum the bank should cover electronic credit monitoring for her for a minimum of a year, but I feel like that alone probably isn't enough. While my sister should have insisted that they use a more secure means of sending this information, I think it should be the bank's responsibility to ensure that this kind of thing doesn't happen. What kind of recourse does a person in my sister's position have? Did the bank violate any laws (she lives in Connecticut in the United States)? Is there a standard penalty for this kind of thing? I'm not a lawyer, but I know some of you are. What are her options in this case?
You know a lawyer could lose their license if they gave advice to you in this situation (they'd be representing you).
Your options are: find a lawyer.
I wouldn't give out my email address over the phone.
This is because it is fairly long and easy to misspell.
Instead, I send an email to the bank, using their email address, and of course my correct addy is then available as Sender.
This step ensures we both know we are talking to each other.
This can only help if you are talking to a financial institution.
She might as well jump off a cliff and start a new credit file.
The address (a gmail address) is associated with a real person (not her), so someone now has all of her personal details.
Since similar usernames can also mean similar full names, it could make identity theft that much easier for that other person bearing a similar name as your sister.
Anyway, I hope that's not the case, and I hope that other person is not a criminal.
One of the main problems here is that people are given these technologies without understanding them completely. When I was working in the US, I made a big fuss once at my workplace about sending sensitive documents in unencrypted emails and was treated like I was hysterical and unreasonable. I managed to coerce the morons in charge to do this, but the incident was turned into a laughing matter from that point on. It's hard to convince drawer-minded bureaucrats to change their behavior when there aren't any regulations, created by other drawer-minded bureaucrats, that specify how it is that they should actually behave. I mean, god forbid, they might need to resort to independent thinking and resolution.
...that banks are 100% liable in cases such as this. It is up to them to verify that any access to the accounts that they hold is made by the legitimate account holders. Seriously, think of what the world would be like if any yahoo could write a check against any account without them verifying the authenticity of the signature.
Time is what keeps everything from happening all at once.
I have a firstnamelastname@gmail email address (you can see it above this post), and I get a *lot* of correspondence for other me's out there - bank details, divorce proceedings, legal proceedings, a long running internal discussion surrounding someone's cock-up in the Republican Party in the US, internal memos for several political parties around the globe.
I've enjoyed free Netflix subscriptions (thanks!), invites to various exclusive clubs (not so great, most of them are in the US) and family meet ups. I know the progress of several children's schooling in Canada and the US, including an incident where the child was suspended for 3 days for kicking the teacher. I've had the ability to cancel several ISP connections, including business ones. Details of medical appointments and procedures, insurance documents etc etc.
I've also been threatened with legal action for simply owning the email address and not handing it over - twice now. Yes, apparently there are other me's out there that think they have a right to this email address.
So in short, without a recording of the telephone conversation, I wouldn't be so sure that it wasn't your sister that got the address wrong.
Banks are corporations, and as such, are above the law.
You'll be lucky if they don't charge you a fee for their screwup.
The American financial system seems terribly technologically impaired compared to Europe.. Checkbooks and emails.. Come on? I pay with cards and set up rental payments (as well as communicate) over an encrypted connection to my bank (one-time key-value codesheets for this connection -- which can only be used together with the agreed password -- and other physical documents are sent the old-fashioned way in a sealed envelope).
Aside from the sheer difficulty of litigating against a financial institution (if it is possible for your sister to have signed away her soul to mandatory binding arbitration in the venue of the bank's choice, those terms were probably included in at least one part of the fine print, probably several), there may not be much to go on. Not all states even require disclosure of a customer data breach, much less any particular action, standard of care, or other inconvenience.
You might get somewhere if the bank didn't comply with Connecticut's data breach notification laws; but even that probably won't get you as far as you might want, though it might make some lower mid level peon more likely to comp her a year of credit monitoring just to go away. Any actually-toothy penalties, or not using absurdly insecure channels, though, not so much.
Pro tip: Anyone claiming to be a lawyer on Slashdot, or indeed on the internet in general, is probably lying. Especially if it is while they are providing you with what appears to be legal advice.
Frankly, the risk of somebody doing something nefarious with the information they got is pretty low. Even on the internet the vast majority of people are nice and behave like decent human beings. Most people don't even know how they could use that information for financial gain. So if you go to a court you will have a hard time proving actual damage for what is obviously a mistake, which means any recuperation is either going to be based on good will or specific laws covering data breaches.
In a larger perspective, you are right now encountering (and worrying about) a fundamental flaw in the way many American businesses work. There is a big confusion between identity, authentication and authorization. Identity (name, address, date of birth, social security number, bank account etc.) is not the same as authentication (I am the Identity) nor authorization (I am allowed to act as the Identity). None of the information the bank leaked really should be secret, and in Europe you could probably find most of it (except for bank account numbers) in public databases.
What they will use instead is either email in the plain, likely with proprietary-format attachments, or plain email containing a URL (in html sauce, of course) to some https site (third party, certificate of uncertain provenance) where you can go and fetch the message (if your browser can deal with all the obligatory but superfluous javascript and other crap), but then of course they either require no password at all, or send the username/password in plain text in the mail. Maybe they won't do it directly but require you to sign up first; that also involves emails in the clear.
I have seen exactly one bank publish their GPG key, and it's a central bank so it doesn't do end-user accounts. Amazing mastery of technology, no?
Email the person they emailed it to and ask them nicely not to do anything with it. It's unlikely a random person will try to steal her identity, assuming they even know how. If her identity is stolen you know the first place to start the investigation. However if someone accidentally sent me info then threatened me over it, I'd probably do something with it. The person didn't make any mistakes, don't fault them for anything. You're taking up their time, they're not taking up yours.
It was an honest mistake on the bank's part. Why are you so sue happy? She could have easily asked the bank to read back the email address she gave them. That's how you prevent mistakes like this. You give out the info, then have them confirm it. You don't give it out twice and hope they heard it properly. If you're so upset about the bank's security procedures you need to be equally upset at your sister for not following better practices as well.
Mishandled data means nothing until someone acts on it. Who knows, maybe the other person is rich, feels pity for her large loans, and pays some of them for her. I'd say that's as likely as the person using the info to steal something from her.
Just curious, but why did they email any of that information in the first place?
Where I live, the ONLY information I ever get from my bank is that my statement is available online. That's it.
The reason is that everybody should understand that banks don't send anything else.
If something needs to be signed, I will download it or I will get to them and sign it there. There is no reason to send me any other information I already have.
I know people who have asked the bank to send them papers to sign via email and the bank said no.
Don't fight for your country, if your country does not fight for you.
Give them a stern lecture on how making money isn't as important as following security best practices. And tell them to stop sending you emails with links in them.
'nuff said.
I use a specific email address for any org that I deal with, something like @my.address.net So I can see who I get spam/malware from and I can block specific senders.
I used a specific_bank@my.address.net for a loan application once and I got malware from that bank a year or so later. I certainly did not use the email for anything else. The BANK had a virus somewhere that harvested my email and God knows what. I transferred the loan to another institute.
This is in Germany where there are actual laws about this.
The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
sorry.
never give email address to
lawyers
doctors
insurance agents
insurance companies
financial planners
tax preparers
accountants
banks
mortgage companies
utility companies
telephone companies
cable companies
car dealers
car manufacturers
credit card companies
employers (use employer provided account only and for employer related shit only)
or anyone else that has any (real) personal information on you.
never sign up for electronic billing, electronic payments, electronic anything. do business the old fashioned way.. in person, on the phone, and through the fucking mail. it's actually safer these days to write checks and use the fucking normal mail and risk the odd chance someone steals a check and washes it, than it is to use the internet for that crap. just say no. do it the old way.
Those idiots kept sending me mail intended for some other guy whose email address is one letter off from mine. I really don't need to know about his mortgage details, and I've tried calling them up to tell them about it. The idiots on the phone go into brain vapor lock when I tell them that I'm not their customer and I don't HAVE A FUCKING ACCOUNT NUMBER.
1. Consult an attorney in person, one with the initial interview free. Consult two more attorneys as a second opinion. If she is absolutely sure she gave the correct email to the bank then you can pursue legal action. Regardless, the bank should not have sent confidential information to an email address without some form of encryption. Most banks would send a secure message via their online website, an email just notifying you there is a secure message waiting for you, etc. I don't know of any laws that require this but it is standard financial business practice in today's world if you wish to keep your client data secure.
2. You don't need a credit monitoring service but they can be convenient. It is possible to contact all three credit bureaus and freeze your credit, there may be a small fee involved. You can then thaw your credit temporarily when necessary. This will prevent identity thieves opening new lines of credit in your name. Anyone trying to do so will be blocked by the credit bureaus themselves. This is basically what LifeLock does on your behalf. LifeLock does offer additional services that may be of value.
3. Make sure all your email and major online accounts have two factor authentication.
4. Do not reuse passwords with these important online accounts.
If identity thieves breach your email account they can then reset the passwords on various online accounts as they will receive the email confirmations. Two factor authentication aims to help stop this by sending a text to your cell phone with a code. Also notifying you that someone is trying to access your account or has completed account access. At the least, you know someone did something you were not expecting.
In future do not perform major banking loan operations online. I recently opened a loan and had to physically go to the bank in person, providing certain confidential information such as pay stubs, drivers license, and to sign the documents closing a loan. They refused to do this online and had no process to do it securely. I guess, I will keep this bank! When I had to refinance a mortgage, the bank was remote but they contracted with a local lawyer so I was able to go to that nearby office and sign papers till my hand cramped, then sign some more. They used a secure courier to send the documents to the bank's main office to complete the loan.
I work for a financial company and they have systems in place to perform secure email. An email is sent with an encrypted attachment. The email connects back to the server. The user authenticates and the attachment is decrypted via public/private key pair on the web page. They cannot forward this email; it can only be opened by the original recipient. The encryption certificate expires and the data is wiped after 30 days. The recipient would have to print or save the content to keep it. If an employee tries to email confidential information it is forwarded through the secure email system that then encrypts the data and replies back to the employee informing them of the policy of never using email to send confidential information and that their email was sent securely on their behalf. The incident is logged and IT security, Risk Management, Compliance and the employee's manager are notified of the infraction. Remedial training would be implemented. Repeat infractions are investigated.
A financial reputation is critical in today's world. For a company to do business in an insecure manner is a major red flag. I would switch banks. Hope the loan wasn't completed...
I work in IT security for a bank. Your plan of attack depends on the state where you live, how your bank is chartered (state charter or federal charter) and how large your bank is with respect to the dollar amount of assets. If they are above ten billion in assets they are subject to more regulations.
The federal laws are incredibly weak on this matter because the banks contribute so much to lobbying. The only federal regulator that scares the banks is the Consumer Financial Protection Bureau, www.consumerfinance.gov. They have an online complaint form. The primary regulator for banks is the Office of the Comptroller of the Currency www.occ.gov, but they are seen as weak on data protection matters. Lately they have been making a lot of noise about cybersecurity being a high priority but only from the hacking aspect and not consumer data protection.
The CFPB and the state laws are your best legal avenue. A certified letter to them as well as to the OCC will get attention. ALWAYS send a letter by certified mail as well as using an online method. Certified mail gets a lot of attention because that is how legal matters arrive.
It is not up to you to make sure the bank is using the correct contact information; it's up to the bank to validate it somehow and to protect the information while it is in transit and at rest on your ISP's mail server (yes, and that means no sending of unencrypted confidential docs by email). For email it's a preceding exchange of emails to validate the email address and the use of encryption on the files. You also could contact your local newspaper (if you still have one) or the local TV investigative reporter. If the bank is doing something so incredibly stupid with email they probably are doing other stupid things and TV stations love that kind of dirt. I'd also complain to your state Attorney General office in writing. New York has an incredibly proactive AG office on these matters. I'd also use the bank's Investor Relations contact information to make a complaint. That method is far, far more effective than trying to guess the CEO's email address. Every company watches their Investor Relations email or contact page closely, not just banks.
Your bank "told" you that they do not have any type of secure document delivery service. They also told you that they do not have a properly configured, if indeed any, type of Data Loss Prevention application or program. What they did NOT tell you is whether they used encrypted email. There is a form of automatic email encryption called TLS that transparently encrypts email between servers. Gmail sends and receives TLS email by default. So it's entirely possible that they did use TLS email to encrypt it across the Internet. www.checktls.com can tell you whether your email provider and the bank can use TLS email.
Good luck.
File a complaint with them at: http://www.consumerfinance.gov.... Then the bank will need to respond. But this sort of the situation is why they were created.
You have the same recourse you would have if someone typed in your street address incorrectly and your private information went to someone else. Mail sent through the post is almost always unencrypted and plain text.
Seriously, let's say the bank sent a credit card and its activation letter to the wrong address because of a typo, the recipient activates it and starts charging under your name. What will your bank do in that situation?
I don't know the answer, but I guarantee this has happened. It's why places carry errors and omissions insurance, which I'm sure your bank has, or whatever the bank equivalent is. Just because the internet and computers are involved doesn't magically make this different from every other time this has happened in the last 100 years.
she should find a competent bank.
The correct way to do this would be to make the paperwork available through her e-banking logon, and send her an email asking her to log on to access it.
No bank (or organisation!) should be sending your personal information or important paperwork by email, just as you wouldn't expect to receive your monthly statement on a postcard. They shouldn't even use email for setting up the e-banking account in the first place: my bank lets me request an e-banking logon either by phone, at an ATM or in a branch. They already have my address so the logon and password get sent out by post, separately; I then log on and any details that should be encrypted are kept encrypted through the e-banking system. And they use 2-factor for authorising anything, so if I want to change a standing order, for example, I have to enter a pin that gets sent to my phone.
So when she's looking for a replacement bank she should ask them questions about what security measures they have in place to protect her personal information, not just what their headline interest rate is.
Simply call all 4 credit bureaus and lock your account. Do NOT use life-lock (pure crap).
By locking up your data, the bureaus do not even get to sell your data. And if you are not using life-lock, nor can they.
I prefer the "u" in honour as it seems to be missing these days.
Shit happens, I'm sure you've never fucked up. Your idiot sister fucked up by having them email it in the first place. You think google doesn't have that info as well?
Bank shouldn't have sent it, however it was her request.
Lawyer up, lol, fuck off.
I live in the UK. My bank wants me to sign up for internet banking, but they will not use email to request an appointment. Apparently the internet is safe enough for _my_ money, but not _their_ letters.
The only industry that has more power over the government than the banking/financial industry is the insurance industry - and the two are in cahoots. You won't get anywhere against them legally. Your sister should probably go request a new social security number immediately and cancel all her credit cards, then get ready to watch for activity. The banks aren't obligated to do much of anything, and they will dig in their heels to do as little of that as possible.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Disclaimer: I work for a small community bank. In the US, all banks are required to adhere to the Gramm-Leach-Bliley Act (GLBA). See: http://en.wikipedia.org/wiki/G...
As such, banks are required by both their state and federal regulators to follow a series of basic security protocols as laid out in the FFIEC IT Examination Handbook. Google this document for further details.
I'm not sure what recourse she would have, specifically, under GLBA, but if she is truly interested in following up on this mistake by the bank, the place to begin would be consulting an attorney and contacting either the FDIC or the state's Department of Financial Institutions to make a formal complaint. Banks are usually required to have a formal complaint resolution process in place, and they are required to respond to both FDIC and state regulatory complaints as well.
The real issue is that the bank was willing to use unencrypted e-mail at all to send sensitive information
No, the real issue is that she gave them her email address and in so doing she gave the bank the opportunity to use it poorly. Don't give your email address to financial institutions, or any organisation that holds sensitive information about you. You can't predict what they'll send via email, as has been demonstrated here.
My bank has a secure online document portal and notifies me of the presence of documents via email. It never transmits them, in fact I have been told their email system extracts attachments and sends them to said portal.
Your bank apparently does not do this, and therefore may not be following established industry best practices, and may even be out of compliance with certain regulatory standards.
A knowledgeable lawyer may be able to carry that argument forward in the form of a letter to the bank.
If the bank is small enough, a calm call to the Chairman's office letting them know what happened might yield results.
IANAL
None. They're bigger than you.
This may be a violation of various state consumer protection laws. There may be statutory damages and actual damages which may be recovered, plus attorney fees.
Contact a good consumer lawyer to discuss this with. One place to find one in your state is Naca.net, the website for the National Association of Consumer Advocates.
The have more money and more lawyers, so you're fucked.
I recently filed a complaint with the CFPB for a situation wherein a major bank processed my mortgage application manually, entirely via email. They did this because they managed to waste weeks of my time and then lose my first web form based application.
Well, I get an email response back re: second application and I'm denied because my credit scores are atrocious. This is surprising, so I immediately ask if they can give me more info, and they say no they are legally only allowed to tell me the credit scores. Huh. Ok. So I get my credit reports and for various reasons involving general credit bureau assholishness this takes several more weeks and by this point THE HOUSE WE'RE TRYING TO BUY HAS BEEN SOLD TO SOMEONE ELSE... and there are no inquiries on my reports. Did some more digging and all three FICOs are great.
They sent me someone else's credit scores. Never pulled my credit at all. And the CFPB really could not give a fuck about any of it. By all means file the complaint--it may get someone at the bank to pay attention and issue a response so as not to look like a douche--but the CFPB complaint process appears to exist only so they can gauge big picture trends, not to get involved in individual cases.
In my case, the bank refused to respond to me at all until after I'd submitted the CFPB complaint. The official response: "Hey, you're right! Our bad. Feel free to submit a third application if you want! "
Despite losing the god damned house (and there isn't anything remotely equivalent on the market right now) and having written documentation for everything, the lawyer I've been in contact with still isn't sure we have a case; he wants to check some more case law first.
I think I may look into getting a shack in Montana next...
...your sister is an adult and she should be handling this - not you coming to /.
...at a minimum the bank should cover electronic credit monitoring for her for a minimum of a year, but I feel like that alone probably isn't enough.
Really? Exactly what damages has she suffered? Exactly what future damages do you reasonably anticipate?
I think it should be the bank's responsibility to ensure that this kind of thing doesn't happen.
Did you know that assholes like you are why our doctors will not answer even the most trivial questions using e-mail? Thanks.
Sorry to say it, but name the financial institution and what they did on social media. It'll get picked up really quick. Hopefully then when it has enough attention, they come up with a better system to ensure secure communication.
A Bank should never send sensitive information in an email, particularly SS# and Account numbers. The OCC will have a field day with this and likely raise a trouble status on their next audit.
I'm surprised the Bank doesn't have a DLP system to catch this.
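The outbound-mail control described a few comments up (intercept a message carrying confidential fields, reply to the sender with the policy, log and notify) and the DLP system this comment asks about can be sketched as an added example; this is not any bank's or poster's code. The detection patterns, the internal domain examplebank.test and the sample messages are all constructed here; the point it shows is that the check fires on the content, so it catches the leak even when the address was mistyped.

```python
"""Outbound e-mail DLP check: stop confidential fields before the message
leaves, whatever address the sender typed. Added example; the patterns and
the policy below are assumptions, not any bank's real configuration."""
import re
from dataclasses import dataclass
from email import message_from_string
from email.utils import getaddresses

# Assumed: the bank's own mail domain. Any other recipient counts as external.
INTERNAL_DOMAIN = "examplebank.test"

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits, optionally separated by spaces or dashes (card / account numbers)
NUMBER_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
DOB_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")


@dataclass
class Finding:
    kind: str      # "ssn", "card_or_account" or "date_of_birth"
    masked: str    # redacted form, safe to write to the incident log
    line_no: int   # body line the value appeared on


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural SSA rules: area not 000/666/9xx, group not 00, serial not 0000."""
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters out most random 16-digit reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list[Finding]:
    """Return every confidential field found in the body, already masked."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_valid_ssn(*m.groups()):
                findings.append(Finding("ssn", "***-**-" + m.group(3), n))
        for m in NUMBER_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                masked = "*" * (len(digits) - 4) + digits[-4:]
                findings.append(Finding("card_or_account", masked, n))
        for m in DOB_RE.finditer(line):
            findings.append(Finding("date_of_birth", "**/**/" + m.group(0)[-4:], n))
    return findings


def external_recipients(msg) -> list[str]:
    """Addresses in To/Cc that are not on the bank's own domain."""
    addrs = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    return [a for a in addrs if not a.lower().endswith("@" + INTERNAL_DOMAIN)]


def evaluate_outbound(raw_email: str) -> dict:
    """Policy decision for one outbound message (mirrors the control in the thread)."""
    msg = message_from_string(raw_email)
    if msg.is_multipart():
        body = "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    findings = scan_text(body)
    if not findings:
        return {"action": "deliver", "findings": [], "notify": []}
    # Confidential content found: hand off to the secure-delivery system, log the
    # masked findings, and notify the parties the policy names.
    return {"action": "divert_to_secure_portal",
            "findings": findings,
            "sender": msg["From"],
            "external_recipients": external_recipients(msg),
            "notify": ["it-security", "risk-management", "compliance", "sender-manager"]}


# Constructed sample: the thread's scenario, with made-up values.
SAMPLE_EMAIL = """\
From: loan.officer@examplebank.test
To: jane.doe@gmail.test
Subject: Consolidation paperwork

Jane, here are the details for your file.
SSN: 123-45-6789
Account: 4111 1111 1111 1111
DOB: 04/12/1985
"""

# Constructed benign notice: a 16-digit reference that fails Luhn is not flagged.
BENIGN_EMAIL = """\
From: loan.officer@examplebank.test
To: jane.doe@gmail.test
Subject: Your documents are ready

Please sign in to the secure portal to view your paperwork.
Reference: 1234 5678 9012 3456
"""

if __name__ == "__main__":
    for raw in (SAMPLE_EMAIL, BENIGN_EMAIL):
        print(evaluate_outbound(raw))
```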
In my experience, If you hire an attorney to send them letter pointing out their error and demand some resolution, you will get a useful reply.
I'd send an email to that wrong address, explaining my concerns and asking them in the most friendly way not to abuse the information they unintentionally received and to please delete the banks' email. If they answer, I'd take it from there (at least I would have some info about that person). Stay polite and don't make threats because they could cause a lot of damage in return.
If they don't answer, then I would talk to a lawyer.
In the mean time I would monitor my bank account(s) closely.
This is not the sig you're looking for.
She assumes the data belongs to her. It does not.
Let the free market work it out. Only do business with banks that make fewer typos than other banks. ;) yes this is a snarky comment to all the proto-libertarians out there about how "the market" solves all problems via competition.
Locate your State's Regulatory Data Commissioner. For CT, that would be the Ct. Banking Commissioner, via the Department of Banking, 260 Constitution Plaza, Hartford 06103-1800, and report as a protected data breach giving full details. They will carry it to closure. Contact there is the office of Bruce Adams, on (860) 240-8100.
HTH.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
Your sister unwittingly abetted the lender in doing a dumb thing, now you think she should get some kind of compensation?
You really want to help? Go educate your sister on this topic.
But many financial institutions throw this at the end of their emails (amongst a larger disclaimer):
"If you have received this communication in error please delete or destroy it and notify the sender immediately."
Does anyone know if these statements hold any water?
Why on earth did she EVER agree to receive the information by email? When I refinanced I told them no when they asked about email. Either a secure document serving website where I could login and download the documents (which they had, surprise surprise) OR they go by fax. People don't generally know how to use email encryption properly, especially those that work in the mortgage area. I'd rather fax it 20 times than email it.
The mentality of people desiring to be "victims" when no crime has occurred. There is a word in a dictionary this person needs to look up, it's "accident". Mistakes happen, you are not owed shit.
Buying my home a couple years back I was shocked that the agents and mortgage brokers were oblivious to how stupid it is to pass personal information via e-mail.
I'm certain that even though I supplied hard copies and encrypted pdfs (lesser evil) that they just re-scanned and passed my data along....
First thing to do is tell us all what bank did this so we can avoid this bank that appears to have no clue about securing personally identifiable information.
Transport Layer Security doesn't really make much of a difference in this case. Sure, it helps secure against interception en-route, but it works like an armoured car transporting cash. If the idiot driving the thing screws up and drops the cash off at the wrong bank, it makes very little difference what vehicle was used to transport it.
Many places that handle this type of data will encrypt it and direct you to a https link to download it. When you hit the site, you'll be asked for a password that was given to you by the folks on the phone. It will then decrypt the contents and allow you to download it right to your machine.
They know most folks are incapable of implementing or even understanding encryption, thus the simplified method above.
Banks (and any institution that handles SPI data) will get their ass handed to them for exposing that data (and they know it). SPI data is the primary reason all laptops for my company are full disk encryption. Losing a laptop isn't news. Losing one with 100k Social Security numbers, bank accounts, or Customer names, passwords, addresses DOES make the news.
They're paranoid about it (and rightfully so) and will fire you on the spot if your actions expose SPI data of any kind.
*SPI = Sensitive Personal Information
The Connecticut Attorney General has a website for reporting breaches. Do it. http://www.ct.gov/ag/cwp/view.asp?a=2105&q=511090
You need to get in touch with their Security Officer or their Officer responsible for Bank Secrecy Act compliance. This officer is responsible for launching a "reasonable investigation" of the incident and reporting it to an Executive Officer of the bank to determine what action should be taken, if any. The first employee she talked to should have notified their immediate supervisor and therefore could be subject to disciplinary action if they refused to report the disclosure.
***Disclaimer*** I am not a lawyer but I do work in the banking industry so I am simply repeating the information that is publicly available. I do not believe that you need a lawyer to see action but you would get results if you know the right bank officers to contact. If you receive no assistance from them then contact the FDIC https://www.fdic.gov/consumers/consumer/rights/
I have a friend. Back when he was building a house, he was fighting the bank for the mortgage. His mom was co-signing... and some moron at the bank (can't remember if it was Wells Fargo or BoA) emailed ALL THEIR DEPOSIT records, with account info, to them in an email.
They got a lawyer. The bank paid 100% to a) change all of their accounts, b) all costs incurred by them to make changes elsewhere.
Call a lawyer. I mean, do you actually *trust* banks (look up "Great Recession", 2008, subprime lending....)
mark
as one poster noted here ... ... ... hopefully not with the passwd in the file)
1) Send an email to that person so that they have your email address. Do this while on the phone if possible to confirm they got it. Can use something about your address or something in the email to confirm
Additionally
2) Put in writing that you will not send X, Y and/or Z (where those are SSN, DL#, whatever) over email
3) Ask (in writing in your email, cc yourself, print a copy as well if you like) that they also not send them in an unencrypted fashion (they may have a way to send unencrypted email, but encrypt the file/s)
For this time ...
check with a lawyer. I'm sure data privacy/protection is a growing legal field now.
Good luck
Fairly high up the food chain in IT, actually. And while it's too late in this case, I'd say that any bank telling you that they don't have a secure method for exchanging sensitive data is not a bank you ought to be doing business with.
There's a whole raft of regulatory compliance and audit requirements that US financial institutions are subject to, and the one in question here is GLBA (Gramm-Leach-Bliley Act), which governs how sensitive information must be handled. I'd place a call to the FFIEC and either the FDIC (if it's a bank) or the NCUA (if it's a credit union) and file a complaint. Trust me, regulators don't mess around when applying the smackdown to a bank for something like this.
The CFPB doesn't really have much to do with a bank until it's bigger than $10 Billion in assets, and anybody that big isn't making these mistakes. This is bush-league stuff and the bank in question could use a wake-up call in the form of a fine of MOU so they don't screw other people.
Last year I had two organisations - a global telco and a bank - respectively get my email address wrong by 1 character, and my phone number wrong by 1 digit. What was odd was that in both cases I'd entered these myself - correctly - onto online forms.
It transpires that both organisations were *manually transcribing* my electronic data from one system to another, introducing errors in the process. What the actual?
Really simple -- limit your exposure.
Don't get student loans. Period.
I didn't take out student loans for my college and graduate educations.
My students didn't take out student loans for their college.
I wasn't rich when I went to college or graduate school.
I wasn't rich when my students went to college.
I'm not rich now and neither I nor my former students have student loans to pay back and suffer with.
We need a campaign, something with a catchier name that puts the onus on the right institutions to change... Hell if I know what it'd be, though. ... Authentication Malpractice?
I don't want every single institution and business and person I communicate with to require me to log into their own fucking website to communicate with them. It doesn't scale. How many fucking passwords am I supposed to memorize al-fucking-ready?
I'd be drawn and quartered, end of contract. Especially for a financial institution.
Every customer I've ever had made it crystal clear what the PII requirements were, and they were no joke.
I guess it's different if you're not in software?
Why does this have to be so difficult to do?
Stop using them and switch to a competitive, small, fiscally responsible bank or credit union. They deserve to grow, the morons deserve to be unemployed.
Why do we have too-big-to-fail and all the mortgage and derivative fraud in this country? Because of big banks.
Switch to small ones, force the big banks to sell off their bad debt to the smaller institutions who will go to court to prosecute the fraud, and all of those problems miraculously disappear.
The luster of using a big bank for business and personal finances is gone, everyone's knee deep in sh!@ and tired of the smell.