If a Financial Institution Mishandles My Data, What Recourse Do I Have?
grahamsaa writes: My sister recently consolidated her student loans, and the bank e-mailed the paperwork, which included her name, address, date of birth, social security number, drivers license number and bank account information to the wrong e-mail address. The address (a gmail address) is associated with a real person (not her), so someone now has all of her personal details. My sister claims that she read her e-mail address to the bank representative over the phone twice, but that it was transcribed incorrectly.
The real issue is that the bank was willing to use unencrypted e-mail at all to send sensitive information, and I told my sister that at a minimum the bank should cover electronic credit monitoring for her for a minimum of a year, but I feel like that alone probably isn't enough. While my sister should have insisted that they use a more secure means of sending this information, I think it should be the bank's responsibility to ensure that this kind of thing doesn't happen. What kind of recourse does a person in my sister's position have? Did the bank violate any laws (she lives in Connecticut in the United States)? Is there a standard penalty for this kind of thing? I'm not a lawyer, but I know some of you are. What are her options in this case?
You know a lawyer could lose their license if they gave advice to you in this situation (they'd be representing you).
Your options are: find a lawyer.
I wouldn't give out my email address over the phone.
This is because it is fairly long and easy to misspell.
Instead, I send an email to the bank, using their email address, and of course my correct addy is then available as Sender.
This step ensures we both know we are talking to each other.
This can only help if you are talking to a financial institution.
The address (a gmail address) is associated with a real person (not her), so someone now has all of her personal details.
Since similar usernames can also mean similar full names, it could make identity theft that much easier for that other person bearing a similar name as your sister.
Anyway, I hope that's not the case, and I hope that other person is not a criminal.
One of the main problems here is that people are given these technologies without understanding them completely. When I was working in the US, I made a big fuss once at my workplace about sending sensitive documents in unencrypted emails and was treated like I was hysterical and unreasonable. I managed to coerce the morons in charge to do this, but the incident was turned into a laughing matter from that point on. It's hard to convince drawer-minded bureaucrats to change their behavior when there aren't any regulations, created by other drawer-minded bureaucrats, that specify how it is that they should actually behave. I mean, god forbid, they might need to resort to independent thinking and resolution.
...that banks are 100% liable in cases such as this. It is up to them to verify that any access to the accounts that they hold are made by the legitimate account holders. Seriously, think of what the world would be like if any yahoo could write a check against any account without them verifying the authenticity of the signature.
Time is what keeps everything from happening all at once.
I have a firstnamelastname@gmail email address (you can see it above this post), and I get a *lot* of correspondence for other me's out there - bank details, divorce proceedings, legal proceedings, a long running internal discussion surrounding someone's cock up in the Republican Party in the US, internal memos for several political parties around the globe.
I've enjoyed free Netflix subscriptions (thanks!), invites to various exclusive clubs (not so great, most of them are in the US) and family meet ups. I know the progress of several children's schooling in Canada and the US, including an incident where the child was suspended for 3 days for kicking the teacher. I've had the ability to cancel several ISP connections, including business ones. Details of medical appointments and procedures, insurance documents etc etc.
I've also been threatened with legal action for simply owning the email address and not handing it over - twice now. Yes, apparently there are other me's out there that think they have a right to this email address.
So in short, without a recording of the telephone conversation, I wouldn't be so sure that it wasn't your sister that got the address wrong.
Banks are corporations, and as such, are above the law.
You'll be lucky if they don't charge you a fee for their screwup.
Aside from the sheer difficulty of litigating against a financial institution (if it is possible for your sister to have signed away her soul to mandatory binding arbitration in the venue of the bank's choice, those terms were probably included in at least one part of the fine print, probably several), there may not be much to go on. Not all states even require disclosure of a customer data breach, much less any particular action, standard of care, or other inconvenience.
You might get somewhere if the bank didn't comply with Connecticut's data breach notification laws; but even that probably won't get you as far as you might want, though it might make some lower mid level peon more likely to comp her a year of credit monitoring just to go away. Any actually-toothy penalties, or not using absurdly insecure channels, though, not so much.
Pro tip: Anyone claiming to be a lawyer on Slashdot, or indeed on the internet in general, is probably lying. Especially if it is while they are providing you with what appears to be legal advice.
Frankly, the risk of somebody doing something nefarious with the information they got is pretty low. Even on the internet the vast majority of people are nice and behave like decent human beings. Most people don't even know how they could use that information for financial gain. So if you go to a court you will have a hard time proving actual damage for what is obviously a mistake, which means any recuperation is either going to be based on good will or specific laws covering data breaches.
In a larger perspective, you are right now encountering (and worrying about) a fundamental flaw in the way many American businesses work. There is a big confusion between identity, authentication and authorization. Identity (name, address, date of birth, social security number, bank account etc.) is not the same as authentication (I am the Identity) nor authorization (I am allowed to act as the Identity). None of the information the bank leaked really should be secret, and in Europe you could probably find most of it (except for bank account numbers) in public databases.
Just curious, but why did they email any of that information in the first place.
Where I live, the ONLY information I ever get from my bank is that my statement is available online. That's it.
The reason is that everybody should understand that banks don't send anything else.
If something needs to be signed, I will download it or I will get to them and sign it there. There is no reason to send me any other information I already have.
I know people who have asked the bank to send them papers to sign via email and the bank said no.
Don't fight for your country, if your country does not fight for you.
'nuff said.
I use a specific email address for any org that I deal with, something like @my.address.net. So I can see who I get spam/malware from and I can block specific senders.
I used a specific_bank@my.address.net for a loan application once and I got malware from that bank a year or so later. I certainly did not use the email for anything else. The BANK had a virus somewhere that harvested my email and God knows what. I transferred the loan to another institute.
This is in Germany where there are actual laws about this.
The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
Those idiots kept sending me mail intended for some other guy whose email address is one letter off from mine. I really don't need to know about his mortgage details, and I've tried calling them up to tell them about it. The idiots on the phone go into brain vapor lock when I tell them that I'm not their customer and I don't HAVE A FUCKING ACCOUNT NUMBER.
1. Consult an attorney in person, one with the initial interview free. Consult two more attorneys as a second opinion. If she is absolutely sure she gave the correct email to the bank then you can pursue legal action. Regardless, the bank should not have sent confidential information to an email address without some form of encryption. Most banks would send a secure message via their online website, an email just notifying you there is a secure message waiting for you, etc. I don't know of any laws that require this but it is standard financial business practice in today's world if you wish to keep your client data secure.
2. You don't need a credit monitoring service but they can be convenient. It is possible to contact all three credit bureaus and freeze your credit, there may be a small fee involved. You can then thaw your credit temporarily when necessary. This will prevent identity thieves opening new lines of credit in your name. Anyone trying to do so will be blocked by the credit bureaus themselves. This is basically what LifeLock does on your behalf. LifeLock does offer additional services that may be of value.
3. Make sure all your email and major online accounts have two factor authentication.
4. Do not reuse passwords with these important online accounts.
If identity thieves breach your email account they can then reset the passwords on various online accounts as they will receive the email confirmations. Two factor authentication aims to help stop this by sending a text to your cell phone with a code. Also notifying you that someone is trying to access your account or has completed account access. At the least, you know someone did something you were not expecting.
In future do not perform major banking loan operations online. I recently opened a loan and had to physically go to the bank in person, providing certain confidential information such as pay stubs, drivers license, and to sign the documents closing a loan. They refused to do this online and had no process to do it securely. I guess, I will keep this bank! When I had to refinance a mortgage, the bank was remote but they contracted with a local lawyer so I was able to go to that nearby office and sign papers till my hand cramped, then sign some more. They used a secure courier to send the documents to the bank's main office to complete the loan.
I work for a financial company and they have systems in place to perform secure email. An email is sent with an encrypted attachment. The email connects back to the server. The user authenticates and the attachment is decrypted via public/private key pair on the web page. They cannot forward this email, it can only be opened by the original recipient. The encryption certificate expires and the data is wiped after 30 days. The recipient would have to print or save the content to keep it. If an employee tries to email confidential information it is forwarded through the secure email system that then encrypts the data and replies back to the employee informing them of the policy of never using email to send confidential information and that their email was sent securely on their behalf. The incident is logged and IT security, Risk Management, Compliance and the employee's manager are all notified of the infraction. Remedial training would be implemented. Repeat infractions are investigated.
A financial reputation is critical in today's world. For a company to do business in an insecure manner is a major red flag. I would switch banks. Hope the loan wasn't completed...
I work in IT security for a bank. Your plan of attack depends on the state where you live, how your bank is chartered (state charter or federal charter) and how large your bank is with respect to the dollar amount of assets. If they are above ten billion in assets they are subject to more regulations.
The federal laws are incredibly weak on this matter because the banks contribute so much to lobbying. The only federal regulator that scares the banks is the Consumer Financial Protection Bureau, www.consumerfinance.gov. They have an online complaint form. The primary regulator for banks is the Office of the Comptroller of the Currency www.occ.gov, but they are seen as weak on data protection matters. Lately they have been making a lot of noise about cybersecurity being a high priority but only from the hacking aspect and not consumer data protection.
The CFPB and the state laws are your best legal avenue. A certified letter to them as well as to the OCC will get attention. ALWAYS send a letter by certified mail as well as using an online method. Certified mail gets a lot of attention because that is how legal matters arrive.
It is not up to you to make sure the bank is using the correct contact information; it's up to the bank to validate it somehow and to protect the information while it is in transit and at rest on your ISP's mail server (yes, and that means no sending of unencrypted confidential docs by email). For email it's a preceding exchange of emails to validate the email address and the use of encryption on the files. You also could contact your local newspaper (if you still have one) or the local TV investigative reporter. If the bank is doing something so incredibly stupid with email they probably are doing other stupid things and TV stations love that kind of dirt. I'd also complain to your state Attorney General office in writing. New York has an incredibly proactive AG office on these matters. I'd also use the bank's Investor Relations contact information to make a complaint. That method is far, far more effective than trying to guess the CEO's email address. Every company watches their Investor Relations email or contact page closely, not just banks.
Your bank "told" you that they do not have any type of secure document delivery service. They also told you that they do not have a properly configured, if indeed any, type of Data Loss Prevention application or program. What they did NOT tell you is whether they used encrypted email. There is a form of automatic email encryption called TLS that transparently encrypts email between servers. Gmail sends and receives TLS email by default. So it's entirely possible that they did use TLS email to encrypt it across the Internet. www.checktls.com can tell you whether your email provider and the bank can use TLS email.
Good luck.
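The post above points out that TLS between mail servers may have protected the message on the Internet hop. Whether it actually did is recorded, hop by hop, in the Received headers that the receiving side sees; the small parser below is an added example (not from the post or from checktls.com) that walks those headers over a constructed message and reports which hops carried a TLS version and cipher and which did not. The bank.example hosts, the 203.0.113.10 address and the header ids are invented.

```python
import re
from email import message_from_string

# Constructed sample message, not a real one: the .example names and the
# 203.0.113.0/24 address are reserved for documentation. Mail servers prepend
# their Received line, so the topmost header is the last hop (into Gmail).
SAMPLE_MESSAGE = """\
Received: from mail-out.bank.example (mail-out.bank.example. [203.0.113.10])
        by mx.google.com with ESMTPS id c7-20020a056
        for <sister@gmail.example>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 1 Jan 2024 10:00:00 -0800 (PST)
Received: from workstation.bank.example ([10.0.0.5])
        by mail-out.bank.example with ESMTP id 4ABC12;
        Mon, 1 Jan 2024 09:59:58 -0800
From: loans@bank.example
To: sister@gmail.example
Subject: Your consolidation paperwork

(body omitted)
"""

# Postfix/Gmail-style transport annotation: "(version=TLS1_2 cipher=... bits=...)"
TLS_RE = re.compile(r"version=(TLS\S+)\s+cipher=([^\s;)]+)")
# "from <host> ... by <host> with <protocol>" as written by each relaying MTA
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)\s+with\s+(\S+)")


def parse_hops(raw_message):
    """Return the delivery path, oldest hop first, with per-hop TLS details."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    hops = []
    # Reverse so the list reads in the order the message actually travelled.
    for header in reversed(received):
        text = " ".join(header.split())  # unfold the multi-line header
        match = HOP_RE.search(text)
        if not match:
            continue  # not a relay line we understand; skip rather than guess
        src, dst, proto = match.groups()
        tls = TLS_RE.search(text)
        hops.append({
            "from": src,
            "by": dst,
            "protocol": proto,  # ESMTPS hints at STARTTLS, but the version= field is the proof
            "tls_version": tls.group(1) if tls else None,
            "cipher": tls.group(2) if tls else None,
        })
    return hops


def unprotected_hops(hops):
    """Hops whose Received line records no TLS session (cleartext or unknown)."""
    return [f"{h['from']} -> {h['by']}" for h in hops if h["tls_version"] is None]


def all_hops_encrypted(hops):
    """True only when every recorded hop carried a TLS version."""
    return bool(hops) and not unprotected_hops(hops)


if __name__ == "__main__":
    path = parse_hops(SAMPLE_MESSAGE)
    for hop in path:
        print(hop)
    print("unprotected:", unprotected_hops(path))
    print("fully encrypted in transit:", all_hops_encrypted(path))
```

Two caveats the headers make visible: TLS here is hop-by-hop, so an internal hop recorded without `version=` was cleartext even though the Gmail hop was encrypted, and none of this helps when the address itself was wrong, because the wrong recipient decrypts it just as well as the right one would.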
File a complaint with them at: http://www.consumerfinance.gov.... Then the bank will need to respond. But this sort of situation is why they were created.
You have the same recourse you would have if someone typed in your street address incorrectly and your private information went to someone else. Mail sent through the post is almost always unencrypted and plain text.
Seriously, let's say the bank sent a credit card and its activation letter to the wrong address because of a typo, the recipient activates it and starts charging under your name. What will your bank do in that situation?
I don't know the answer, but I guarantee this has happened. It's why places carry errors and omissions insurance, which I'm sure your bank has, or whatever the bank equivalent is. Just because the internet and computers are involved doesn't magically make this different from every other time this has happened in the last 100 years.
Simply call all 4 credit bureaus and lock your account. Do NOT use life-lock (pure crap).
By locking up your data, the bureaus do not even get to sell your data. And if you are not using life-lock, nor can they.
I prefer the "u" in honour as it seems to be missing these days.
I live in the UK. My bank wants me to sign up for internet banking, but they will not use email to request an appointment. Apparently the internet is safe enough for _my_ money, but not _their_ letters.
The only industry that has more power over the government than the banking/financial industry is the insurance industry - and the two are in cahoots. You won't get anywhere against them legally. Your sister should probably go request a new social security number immediately and cancel all her credit cards, then get ready to watch for activity. The banks aren't obligated to do much of anything, and they will dig in their heels to do as little of that as possible.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Disclaimer: I work for a small community bank. In the US, all banks are required to adhere to the Gramm-Leach-Bliley Act (GLBA). See: http://en.wikipedia.org/wiki/G...
As such, banks are required by both their state and federal regulators to follow a series of basic security protocols as laid out in the FFIEC IT Examination Handbook. Google this document for further details.
I'm not sure what recourse she would have, specifically, under GLBA, but if she is truly interested in following up on this mistake by the bank, the place to begin would be consulting an attorney and contacting either the FDIC or the state's Department of Financial Institutions to make a formal complaint. Banks are usually required to have a formal complaint resolution process in place, and they are required to respond to both FDIC and state regulatory complaints as well.
They have more money and more lawyers, so you're fucked.
I recently filed a complaint with the CFPB for a situation wherein a major bank processed my mortgage application manually, entirely via email. They did this because they managed to waste weeks of my time and then lose my first web form based application.
Well, I get an email response back re: second application and I'm denied because my credit scores are atrocious. This is surprising, so I immediately ask if they can give me more info, and they say no they are legally only allowed to tell me the credit scores. Huh. Ok. So I get my credit reports and for various reasons involving general credit bureau assholishness this takes several more weeks and by this point THE HOUSE WE'RE TRYING TO BUY HAS BEEN SOLD TO SOMEONE ELSE... and there are no inquiries on my reports. Did some more digging and all three FICOs are great.
They sent me someone else's credit scores. Never pulled my credit at all. And the CFPB really could not give a fuck about any of it. By all means file the complaint--it may get someone at the bank to pay attention and issue a response so as not to look like a douche--but the CFPB complaint process appears to exist only so they can gauge big picture trends, not to get involved in individual cases.
In my case, the bank refused to respond to me at all until after I'd submitted the CFPB complaint. The official response: "Hey, you're right! Our bad. Feel free to submit a third application if you want! "
Despite losing the god damned house (and there isn't anything remotely equivalent on the market right now) and having written documentation for everything, the lawyer I've been in contact with still isn't sure we have a case; he wants to check some more case law first.
I think I may look into getting a shack in Montana next...
Sorry to say it, but name the financial institution and what they did on social media. It'll get picked up really quick. Hopefully then when it has enough attention, they come up with a better system to ensure secure communication.
A Bank should never send sensitive information in an email, particularly SS# and Account numbers. The OCC will have a field day with this and likely raise a trouble status on their next audit.
I'm surprised the Bank doesn't have a DLP system to catch this.
In my experience, if you hire an attorney to send them a letter pointing out their error and demand some resolution, you will get a useful reply.
I'd send an email to that wrong address, explaining my concerns and asking them in the most friendly way not to abuse the information they unintentionally received and to please delete the banks' email. If they answer, I'd take it from there (at least I would have some info about that person). Stay polite and don't make threats because they could cause a lot of damage in return.
If they don't answer, then I would talk to a lawyer.
In the meantime I would monitor my bank account(s) closely.
This is not the sig you're looking for.
Locate your State's Regulatory Data Commissioner. For CT, that would be the Ct. Banking Commissioner, via the Department of Banking, 260 Constitution Plaza, Hartford 06103-1800, and report as a protected data breach giving full details. They will carry it to closure. Contact there is the office of Bruce Adams, on (860) 240-8100.
HTH.
Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
best practices nothing, a breach of personally identifiable, compartmentable information is a breach of data protection Law, and that is something the State regulator must deal with as an actionable incident. That's what he's there for.
"Did you know that assholes like you are why our doctors will not answer even the most trivial questions using e-mail?"
And they should not. Giving any sort of medical advice without talking to the person directly is very risky.
putting the 'B' in LGBTQ+
But many financial institutions throw this at the end of their emails (amongst a larger disclaimer):
"If you have received this communication in error please delete or destroy it and notify the sender immediately."
Does anyone know if these statements hold any water?
They e-mailed her name, address, date of birth, social security number, drivers license number and bank account information to someone else. With the first four of those, you could easily open a credit card in the person's name. I know. It happened to me. I was lucky that the thieves paid for rush delivery of the card and THEN changed the address. The card arrived at my house. If they didn't do this, the first I'd have heard of it would have been when the collection agency banged on my door demanding the $5,000+ that I owed them. (No, collection agencies don't care that you weren't the one who opened the account. Your name is on the list so you'd BETTER pay or they'll make your life a living hell.)
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
Why on earth did she EVER agree to receive the information by email? When I refinanced I told them no when they asked about email. Either a secure document serving website where I could login and download the documents (which they had, surprise surprise) OR they go by fax. People don't generally know how to use email encryption properly, especially those that work in the mortgage area. I'd rather fax it 20 times than email it.
And they should not. Giving any sort of medical advice without talking to the person directly is very risky.
Bullshit. Follow-ups with existing patients, clarification of what was said during a visit, are perfectly appropriate for email.
Email? Not sure about. How do you verify who you are with many people having unsecured email accounts on home computers, cell phones, etc.
My doctor has a secure portal where I can ask questions, read replies, see what my recent prescriptions were for and dosage, find out results of lab work if the doctor has released them, etc. Quite handy. More inconvenient than just email, but a lot better than nothing.
Many places that handle this type of data will encrypt it and direct you to a https link to download it. When you hit the site, you'll be asked for a password that was given to you by the folks on the phone. It will then decrypt the contents and allow you to download it right to your machine.
They know most folks are incapable of implementing or even understanding encryption, thus the simplified method above.
Banks ( and any institution that handles SPI data ) will get their ass handed to them for exposing that data. ( and they know it ) SPI data is the primary reason all laptops for my company are full disk encryption. Losing a laptop isn't news. Losing one with 100k Social Security numbers, bank accounts, or Customer names, passwords, addresses DOES make the news.
They're paranoid about it ( and rightfully so ) and will fire you on the spot if your actions expose SPI data of any kind.
*SPI = Sensitive Personal Information
I have a friend. Back when he was building a house, he was fighting the bank for the mortgage. His mom was co-signing... and some moron at the bank (can't remember if it was Wells Fargo or BoA) emailed ALL THEIR DEPOSIT records, with account info, to them in an email.
They got a lawyer. The bank paid 100% to a) change all of their accounts, b) all costs incurred by them to make changes elsewhere.
Call a lawyer. I mean, do you actually *trust* banks (look up "Great Recession", 2008, subprime lending....)
mark
Fairly high up the food chain in IT, actually. And while it's too late in this case, I'd say that any bank telling you that they don't have a secure method for exchanging sensitive data is not a bank you ought to be doing business with.
There's a whole raft of regulatory compliance and audit requirements that US financial institutions are subject to, and the one in question here is GLBA (Gramm-Leach-Bliley Act), which governs how sensitive information must be handled. I'd place a call to the FFIEC and either the FDIC (if it's a bank) or the NCUA (if it's a credit union) and file a complaint. Trust me, regulators don't mess around when applying the smackdown to a bank for something like this.
The CFPB doesn't really have much to do with a bank until it's bigger than $10 Billion in assets, and anybody that big isn't making these mistakes. This is bush-league stuff and the bank in question could use a wake-up call in the form of a fine of MOU so they don't screw other people.
Oh, now I'm a troll because I thought some personal responsibility ought to apply here.
Never mind, she should contact a contingent fee attorney. Maybe even file a class action suit on behalf of all who aren't paying attention to their personal data.
Jack
Indeed. But the OP has not provided the name of the bank? Why not? Afraid of the unknown potential consequences of doing so, I'll guess. This is the problem a libertarian would address.
Prove anything by multiplying Huge Number times Tiny Number
I don't want every single institution and business and person I communicate with to require me to log into their own fucking website to communicate with them. It doesn't scale. How many fucking passwords am I supposed to memorize al-fucking-ready?
I'd be drawn and quartered, end of contract. Especially for a financial institution.
Every customer I've ever had made it crystal clear what the PII requirements were, and they were no joke.
I guess it's different if you're not in software?
Air France 447 was a mistake. To pick one of MANY such mistakes that COST LIVES.
Mistakes are ALWAYS actionable.