Slashdot Mirror


If a Financial Institution Mishandles My Data, What Recourse Do I Have?

grahamsaa writes: My sister recently consolidated her student loans, and the bank e-mailed the paperwork, which included her name, address, date of birth, social security number, driver's license number and bank account information, to the wrong e-mail address. The address (a gmail address) is associated with a real person (not her), so someone now has all of her personal details. My sister claims that she read her e-mail address to the bank representative over the phone twice, but that it was transcribed incorrectly.

The real issue is that the bank was willing to use unencrypted e-mail at all to send sensitive information, and I told my sister that at a minimum the bank should cover electronic credit monitoring for her for a minimum of a year, but I feel like that alone probably isn't enough. While my sister should have insisted that they use a more secure means of sending this information, I think it should be the bank's responsibility to ensure that this kind of thing doesn't happen. What kind of recourse does a person in my sister's position have? Did the bank violate any laws (she lives in Connecticut in the United States)? Is there a standard penalty for this kind of thing? I'm not a lawyer, but I know some of you are. What are her options in this case?

5 of 224 comments

  1. Re:Technophobic bureaucrats by fuzzyfuzzyfungus · Score: 3, Insightful

    Aside from understanding, you also have to care. And not just care, but care enough to overcome the practical inconveniences of doing it properly, especially if everyone around you doesn't understand why you are wasting time with the 'unnecessary' extra steps.

    Depending on the situation, not caring can easily be a greater obstacle than not understanding. This is the major reason why the existence of regulations carries weight. Regulations aren't very educational, but it is very, very easy to understand 'doing X violates The Rules', while the logic behind The Rules can be of any level of complexity, or nonexistent. On the minus side, this means that arbitrarily stupid practices can be incorporated into The Rules without challenge. On the plus side, this means that brutally complex, but necessary, procedures can be laid out without the need to explain them to everyone from first principles.

  2. Why do they email it in the first place? by houghi · Score: 4, Insightful

    Just curious, but why did they email any of that information in the first place?
    Where I live, the ONLY information I ever get from my bank is that my statement is available online. That's it.
    The reason is that everybody should understand that banks don't send anything else.

    If something needs to be signed, I will download it or I will get to them and sign it there. There is no reason to send me any other information I already have.

    I know people who have asked the bank to send them papers to sign via email and the bank said no.

    --
    Don't fight for your country, if your country does not fight for you.
  3. Re:You are probably SOL... by fuzzyfuzzyfungus · Score: 5, Insightful

    As best I can tell, "identity theft" is a brilliant invention on the part of institutions that are too lazy to authenticate people: as if by magic, this construction transforms fraud perpetrated against them into your problem. "Ooh, your identity got stolen, that sucks. Have fun fighting with the credit reporting agencies forever." rather than "Oh, another instance of fraud by impersonation against our pitifully weak systems. Maybe we have to do something about that..."

    I have to admit, it's elegant enough that I'd be forced to shake the hand of the person responsible before punching him in the face, just as a gesture of respect for carrying off something that audacious successfully.

  4. Re: Not a lawyer. by Sique · Score: 5, Insightful

    HOW DOES SENDING EMAIL OVER ENCRYPTED CHANNELS "PREVENT" EMAIL ADDRESS TYPOS?

    It does insofar as the public keys of the intended receiver and the actual receiver don't match, and thus the actual receiver gets nothing but encrypted gibberish, thus no data is leaked.

    --
    .sig: Sique *sigh*
  5. Re:You are probably SOL... by mrchaotica · Score: 4, Insightful

    In a sane and just world, a credit reporting agency giving out incorrect information would be considered libel.

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz