If a Financial Institution Mishandles My Data, What Recourse Do I Have?

grahamsaa writes: My sister recently consolidated her student loans, and the bank e-mailed the paperwork, which included her name, address, date of birth, social security number, drivers license number and bank account information to the wrong e-mail address. The address (a gmail address) is associated with a real person (not her), so someone now has all of her personal details. My sister claims that she read her e-mail address to the bank representative over the phone twice, but that it was transcribed incorrectly.

The real issue is that the bank was willing to use unencrypted e-mail at all to send sensitive information, and I told my sister that at a minimum the bank should cover electronic credit monitoring for her for a minimum of a year, but I feel like that alone probably isn't enough. While my sister should have insisted that they use a more secure means of sending this information, I think it should be the bank's responsibility to ensure that this kind of thing doesn't happen. What kind of recourse does a person in my sister's position have? Did the bank violate any laws (she lives in Connecticut in the United States)? Is there a standard penalty for this kind of thing? I'm not a lawyer, but I know some of you are. What are her options in this case?

Not a laywer.

You know a lawyer could lose their license if they gave advice to you in this situation (they'd be representing you).

Your options are: find a lawyer.

Re: Not a laywer.

[CronoCloud]

I just checked my e-mail client, Claws Mail. It doesn't have an option to encrypt e-mail. Maybe in an extension; it's not in the client itself.

Claws Mail supports both GnuPG and S/MIME encryption by default. The reason you don't have an option is that you haven't configured/setup claws-mail to do so.

Furthermore, I don't know of any current standard for e-mail encryption that is widely supported.

Any good e-mail client supports BOTH GnuPG and S/MIME.

No idea on how to create a key

Applications>Accessories>Passwords & Keys. File>New>PGP Key

let alone how to securely and easily exchange keys with random recipients (like a client who calls me asking me to send them some information by e-mail).

You can use out-of-band methods, or just use keyservers.

The obvious way to send an encrypted mail to someone would be to pull their public key from some kind of repository (which as yet doesn't exist

They do exist, they're called keyservers.

[CronoCloud ~]$ keylookup --frontend=plain Rob Malda
gpg: searching for "Rob Malda" from hkp server subkeys.pgp.net
1024R/BA9146D5239BB413 2000-2-9
                          Rob Malda <malda@slashdot.org>
 
1024D/D86FEB1F6CE3D482857AEB2809C2DB458662850F 1999-7-7
                          Rob Malda <malda@slashdot.org>
 
Now run gpg --recv-keys <key ids>

one and only piece of advice

[ihtoit]

Locate your State's Regulatory Data Commissioner. For CT, that would be the Ct. Banking Commissioner, via the Department of Banking, 260 Constitution Plaza, Hartford 06103-1800, and report as a protected data breach giving full details. They will carry it to closure. Contact there is the office of Bruce Adams, on (860) 240-8100.

HTH.