If a Financial Institution Mishandles My Data, What Recourse Do I Have?

grahamsaa writes: My sister recently consolidated her student loans, and the bank e-mailed the paperwork, which included her name, address, date of birth, social security number, drivers license number and bank account information to the wrong e-mail address. The address (a gmail address) is associated with a real person (not her), so someone now has all of her personal details. My sister claims that she read her e-mail address to the bank representative over the phone twice, but that it was transcribed incorrectly.

The real issue is that the bank was willing to use unencrypted e-mail at all to send sensitive information, and I told my sister that at a minimum the bank should cover electronic credit monitoring for her for a minimum of a year, but I feel like that alone probably isn't enough. While my sister should have insisted that they use a more secure means of sending this information, I think it should be the bank's responsibility to ensure that this kind of thing doesn't happen. What kind of recourse does a person in my sister's position have? Did the bank violate any laws (she lives in Connecticut in the United States)? Is there a standard penalty for this kind of thing? I'm not a lawyer, but I know some of you are. What are her options in this case?

Not over the phone

[OolimPhon]

I wouldn't give out my email address over the phone.

This is because it is fairly long and easy to miss-spell.

Instead, I send an email to the bank, using their email address, and of course my correct addy is then available as Sender.

This step ensures we both know we are talking to each other.

This can only help if you are talking to a financial institution.

Technophobic bureaucrats

[GenieGenieGenie]

One of the main problems here is that people are given these technologies without understanding them completely. When I was working in the US, I made a big fuss once at my workplace about sending sensitive documents in unencrypted emails and was treated like I was hysterical and unreasonable. I managed to coerce the morons in charge to do this, but the incident was turned into a laughing matter from that point on. It's hard to convince drawer-minded bureaucrats to change their behavior when there aren't any regulations, created by other drawer-minded bureaucrats, that specify how it is that they should actually behave. I mean, god forbid, they might need to resort to independent thinking and resolution.

Re:Technophobic bureaucrats

[Xest]

Yep, it's amazing how many just don't get it.

I used to work for an engineering firm doing development, but prior to that my experience was in network administration. The IT department was managed by an engineer who had zero IT experience but took the job when the firm split from it's other half years before and the other half took all the IT staff, and all his staff were just people who had moved sideways. The net result was an IT department run wholly by amateurs wanting to be professionals.

Because I had real actual IT experience of a 10,000 user network from my previous job I tended to help them a lot, and I really didn't mind that, and they appreciated it.

But there were some things they just wouldn't get, security was one. I told them time and time again about the complete and utter lack of security and security policy and explained the risks. I was frankly laughed at by everyone in IT and even the directors and CEO I mentioned it to. I was told I was paranoid and being silly, and why would they ever be a hacking target, because it's not like they were drilling in the arctic or suing people for copyright infringement. All this was true despite the fact I'd set up a firewall around my net facing dev servers even if they weren't going to properly defend the rest of the company and I provided them IDS logs showing many probes from countries such as China and a number of South American countries like Colombia and Argentina, where they were also active and had an office.

It's a shame because they actually had a proper R&D department and had some genuinely unique data, designs and techniques for the field in question, I left there about 7 years ago, and in the time since I'm aware that they repeatedly became loss making, in part because of the recession, but primarily because it turns out a company in China started doing everything they could do cheaper and had to have had all their data. This didn't particularly surprise me because they had on a number of occasions had problems with Chinese sales staff probing for more information than necessary when visiting the UK offices - it seemed pretty clear someone in China was interested in entering that industry, and probes on my dev servers from China were more prolific than anything I'd seen before and since. They have now been consumed by a German company and asset stripped for the remaining useful bits of IP, but are gone as an individual company - a good hundred or so jobs were lost.

This is the greatest example I've witnessed personally where IT security and ignoring the risks due to naivety led to tragic consequences. It's possible they wouldn't have survived the prolonged downturn regardless, but it's pretty clear that espionage accelerated their end.

But what do you do? If they don't listen to the warnings and advice I don't see how you can help them. There was an attempt to shift the responsibility onto me ("You write the security document and implement the procedures if you think we need them"), of writing the security policy, implementing all the measures, but I wasn't there for that, I'd moved into development precisely because I wanted to get out of that and whilst I said I'd be happy to train and review I wasn't willing to let it become my full time job - I didn't see why I should be forced into a job I hated because IT didn't want to do the job they were supposed to be doing, hence why I left.

It's a shame that so many places learn the lesson too late, or not at all in some cases (e.g. Sony).

Is she sure she told them the correct address?

[Richard_at_work]

I have a firstnamelastname@gmail email address (you can see it above this post), and I get a *lot* of correspondence for other me's out there - bank details, divorce proceedings, legal proceedings, a long running internal discussion surrounding someones cock up in the Republican Party in the US, internal memos for several political parties around the globe.

I've enjoyed free Netflix subscriptions (thanks!), invites to various exclusive clubs (not so great, most of them are in the US) and family meet ups. I know the progress of several children's schooling in Canada and the US, including an incident where the child was suspended for 3 days for kicking the teacher. I've had the ability to cancel several ISP connections, including business ones. Details of medical appointments and procedures, insurance documents etc etc.

I've also been threatened with legal action for simply owning the email address and not handing it over - twice now. Yes, apparently there are other me's out there that think they have a right to this email address.

So in short, without a recording of the telephone conversation, I wouldn't be so sure that it wasn't your sister that got the address wrong.

From a security perspective...

[pehrs]

Frankly, the risk of somebody doing something nefarious with the information they got it pretty low. Even on the internet the wast majority of people are nice and behave like decent human beings. Most people don't even know how they could use that information for financial gain. So if you go to a court you will have a hard time proving actually damage for what is obvious a mistake, which means any recuperation is either going to be based on good will or specific laws covering data breaches.

In a larger perspective, you are right now encountering (and worrying about) a fundamental flaw in the way many American business work. There is a big confusion between identity, authentication and authorization. Identity (name, address, date of birth, social security number, bank account etc,) is not the same as authentication (I am the Identity) nor authorization (I am allowed to act as the Identity). None of the information the bank leaked really should be secret, and in Europe you could probably find most of it (except for bank account numbers) in public databases.

Bank Security

[Old+Aylesburian]

I live in the UK. My bank wants me to sign up for internet banking, but they will not use email to request an appointment. Apparently the internet is safe enough for _my_ money, but not _their_ letters.

Re: Not a laywer.

[TapeCutter]

The password protected pdf thing is pretty common, they ask you to pick a password when you call to request the paperwork.

Encryption the easy way

[nehumanuscrede]

Many places that handle this type of data will encrypt it and direct you to a https link to download it. When you hit the site, you'll be asked for a password that was given to you by the folks on the phone. It will then decrypt the contents and allow you to download it right to your machine.

They know most folks are incapable of implementing or even understanding encryption, thus the simplified method above.

Banks ( and any institution that handles SPI data ) will get their ass handed to them for exposing that data. ( and they know it ) SPI data is the primary reason all laptops for my company are full disk encryption. Losing a laptop isn't news. Losing one with 100k Social Security numbers, bank accounts, or Customer names, passwords, addresses DOES make the news.

They're paranoid about it ( and rightfully so ) and will fire you on the spot if your actions expose SPI data of any kind.

*SPI = Sensitive Personal Information