If a Financial Institution Mishandles My Data, What Recourse Do I Have?

grahamsaa writes: My sister recently consolidated her student loans, and the bank e-mailed the paperwork, which included her name, address, date of birth, social security number, drivers license number and bank account information to the wrong e-mail address. The address (a gmail address) is associated with a real person (not her), so someone now has all of her personal details. My sister claims that she read her e-mail address to the bank representative over the phone twice, but that it was transcribed incorrectly.

The real issue is that the bank was willing to use unencrypted e-mail at all to send sensitive information, and I told my sister that at a minimum the bank should cover electronic credit monitoring for her for a minimum of a year, but I feel like that alone probably isn't enough. While my sister should have insisted that they use a more secure means of sending this information, I think it should be the bank's responsibility to ensure that this kind of thing doesn't happen. What kind of recourse does a person in my sister's position have? Did the bank violate any laws (she lives in Connecticut in the United States)? Is there a standard penalty for this kind of thing? I'm not a lawyer, but I know some of you are. What are her options in this case?

Not a laywer.

You know a lawyer could lose their license if they gave advice to you in this situation (they'd be representing you).

Your options are: find a lawyer.

Re: Not a laywer.

[CronoCloud]

I just checked my e-mail client, Claws Mail. It doesn't have an option to encrypt e-mail. Maybe in an extension; it's not in the client itself.

Claws Mail supports both GnuPG and S/MIME encryption by default. The reason you don't have an option is that you haven't configured/setup claws-mail to do so.

Furthermore, I don't know of any current standard for e-mail encryption that is widely supported.

Any good e-mail client supports BOTH GnuPG and S/MIME.

No idea on how to create a key

Applications>Accessories>Passwords & Keys. File>New>PGP Key

let alone how to securely and easily exchange keys with random recipients (like a client who calls me asking me to send them some information by e-mail).

You can use out-of-band methods, or just use keyservers.

The obvious way to send an encrypted mail to someone would be to pull their public key from some kind of repository (which as yet doesn't exist

They do exist, they're called keyservers.

[CronoCloud ~]$ keylookup --frontend=plain Rob Malda
gpg: searching for "Rob Malda" from hkp server subkeys.pgp.net
1024R/BA9146D5239BB413 2000-2-9
                          Rob Malda <malda@slashdot.org>
 
1024D/D86FEB1F6CE3D482857AEB2809C2DB458662850F 1999-7-7
                          Rob Malda <malda@slashdot.org>
 
Now run gpg --recv-keys <key ids>

Welcome to 2015

The American financial system seems terribly technologically impaired compared to Europe.. Checkbooks and emails.. Come on? I pay with cards and setup rental payments (as well as communicate) over an encrypted connection to my bank (one-time key-value codesheets for this connection -- which can only be used together with the agreed password -- and other physical documents are sent the old-fashioned way in a sealed envelope).

Use your state laws, the CFPB and Investor Relat.

I work in IT security for a bank. Your plan of attack depends on the state where you live, how your bank is chartered (state charter or federal charter) and how large your bank is with respect to the dollar amount of assets. If they are above ten billion in assets they are subject to more regulations.

The federal laws are incredibly weak on this matter because the banks contribute so much to lobbying. The only federal regulator that scares the banks is the Consumer Financial Protection Bureau, www.consumerfinance.gov. They have an online complaint form. The primary regulator for banks is the Office of the Comptroller of the Currency www.occ.gov, but they are seen as weak on data protection matters. Lately they have been making a lot of noise about cybersecurity being a high priority but only from the hacking aspect and not consumer data protection.

The CFPB and the state laws are your best legal avenue. A certified letter to them as well as to the OCC will get attention. ALWAYS send a letter by certified mail as well as using an online method. Certified mail gets a lot of attention because that is how legal matters arrive.

It is not up to you to make sure the bank is using the correct contact information; it's up to the bank to validate it somehow and to protect the information while it is in transit and at rest on your ISP's mail server (yes, and that means no sending of unencrypted confidential docs by email). For email it's a preceding exchange of emails to validate the email address and the use of encryption on the files. You also could contact your local newspaper (if you still have one) or the local TV investigative reporter. If the bank is doing something so incredibly stupid with email they probably are doing other stupid things and TV stations love that kind of dirt. I'd also complain to your state Attorney General office in writing. New York has an incredibly proactive AG office on these matters. I'd also use the bank's Investor Relations contact information to make a complaint. That method is far, far more effective than trying to guess the CEO's email address. Every company watches their Investor Relations email or contact page closely, not just banks.

Your bank "told" you that they do not have any type of secure document delivery service. They also told you that they do not have a properly configured, if indeed any, type of Data Loss Prevention application or program. What they did NOT tell you is whether they used encrypted email. There is a form of automatic email encryption called TLS that transparently encrypts email between servers. Gmail sends and receives TLS email by default. So it's entirely possible that they did use TLS email to encrypt it across the Internet. www.checktls.com can tell you whether your email provider and the bank can use TLS email.

Good luck.

GLBA

[Pagey123]

Disclaimer: I work for a small community bank. In the US, all banks are required to adhere to the Gramm-Leach-Bliley Act (GLBA). See: http://en.wikipedia.org/wiki/G...

As such, banks are required by both their state and federal regulators to follow a series of basic security protocols as laid out in the FFIEC IT Examination Handbook. Google this document for further details.

I'm not sure what recourse she would have, specifically, under GLBA, but if she is truly interested in following up on this mistake by the bank, the place to begin would be consulting an attorney and contacting either the FDIC or the state's Department of Financial Institutions to make a formal complaint. Banks are usually required to have a formal complaint resolution process in place, and they are required to respond to both FDIC and state regulatory complaints as well.

one and only piece of advice

[ihtoit]

Locate your State's Regulatory Data Commissioner. For CT, that would be the Ct. Banking Commissioner, via the Department of Banking, 260 Constitution Plaza, Hartford 06103-1800, and report as a protected data breach giving full details. They will carry it to closure. Contact there is the office of Bruce Adams, on (860) 240-8100.

HTH.