Slashdot Mirror


If a Financial Institution Mishandles My Data, What Recourse Do I Have?

grahamsaa writes: My sister recently consolidated her student loans, and the bank e-mailed the paperwork, which included her name, address, date of birth, social security number, drivers license number and bank account information to the wrong e-mail address. The address (a gmail address) is associated with a real person (not her), so someone now has all of her personal details. My sister claims that she read her e-mail address to the bank representative over the phone twice, but that it was transcribed incorrectly.

The real issue is that the bank was willing to use unencrypted e-mail at all to send sensitive information, and I told my sister that at a minimum the bank should cover electronic credit monitoring for her for a minimum of a year, but I feel like that alone probably isn't enough. While my sister should have insisted that they use a more secure means of sending this information, I think it should be the bank's responsibility to ensure that this kind of thing doesn't happen. What kind of recourse does a person in my sister's position have? Did the bank violate any laws (she lives in Connecticut in the United States)? Is there a standard penalty for this kind of thing? I'm not a lawyer, but I know some of you are. What are her options in this case?


  1. Not a lawyer. by Anonymous Coward · · Score: 5, Informative

    You know a lawyer could lose their license if they gave advice to you in this situation (they'd be representing you).

    Your options are: find a lawyer.

    1. Re: Not a lawyer. by Sique · · Score: 5, Insightful

      HOW DOES SENDING EMAIL OVER ENCRYPTED CHANNELS "PREVENT" EMAIL ADDRESS TYPOS?

      It does insofar as the public keys of the intended receiver and the actual receiver don't match, and thus the actual receiver gets nothing but encrypted gibberish, thus no data is leaked.

      --
      .sig: Sique *sigh*
    2. Re: Not a lawyer. by CronoCloud · · Score: 5, Informative

      I just checked my e-mail client, Claws Mail. It doesn't have an option to encrypt e-mail. Maybe in an extension; it's not in the client itself.

      Claws Mail supports both GnuPG and S/MIME encryption by default. The reason you don't have an option is that you haven't configured or set up claws-mail to do so.

      Furthermore, I don't know of any current standard for e-mail encryption that is widely supported.

      Any good e-mail client supports BOTH GnuPG and S/MIME.

      No idea on how to create a key

      Applications>Accessories>Passwords & Keys. File>New>PGP Key

      let alone how to securely and easily exchange keys with random recipients (like a client who calls me asking me to send them some information by e-mail).

      You can use out-of-band methods, or just use keyservers.

      The obvious way to send an encrypted mail to someone would be to pull their public key from some kind of repository (which as yet doesn't exist

      They do exist, they're called keyservers.

      [CronoCloud ~]$ keylookup --frontend=plain Rob Malda
      gpg: searching for "Rob Malda" from hkp server subkeys.pgp.net
      1024R/BA9146D5239BB413 2000-2-9
                                Rob Malda <malda@slashdot.org>
       
      1024D/D86FEB1F6CE3D482857AEB2809C2DB458662850F 1999-7-7
                                Rob Malda <malda@slashdot.org>
       
      Now run gpg --recv-keys <key ids>
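The point Sique makes above, and the keyserver lookup CronoCloud shows, can be demonstrated in a short program. What follows is an added example written for this page, not code from either commenter or from GnuPG: it builds the kind of hybrid envelope that OpenPGP and S/MIME clients produce (a one-time AES-256-GCM content key wrapped with RSA-OAEP to the recipient's public key), seals a constructed placeholder document to the sister's key, and then tries to open it with a second key pair standing in for the owner of the mistyped Gmail address. The key pairs, the sample document and the function names `Seal`, `Open` and `MisdeliveryDemo` are all assumptions made up for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a hybrid-encrypted document in the style of OpenPGP/S/MIME:
// the body is sealed under a fresh AES-256-GCM key, and that key is wrapped
// with RSA-OAEP to exactly one recipient's public key.
type Envelope struct {
	WrappedKey []byte // content key, encrypted to the intended recipient only
	Nonce      []byte // GCM nonce for the body
	Body       []byte // AES-GCM ciphertext plus authentication tag
}

// Seal encrypts doc so that only the holder of the private key matching pub can read it.
func Seal(pub *rsa.PublicKey, doc []byte) (*Envelope, error) {
	key := make([]byte, 32) // AES-256 content key, used for this message only
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	body := gcm.Seal(nil, nonce, doc, nil)
	// The content key is what ties the envelope to a person: it is wrapped to
	// the public key the sender looked up for the intended recipient.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Body: body}, nil
}

// Open recovers the document with priv. It fails unless priv matches the
// public key the envelope was sealed to, which is what protects a misdelivered message.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("key unwrap failed: this private key is not the envelope's recipient")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Body, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// MisdeliveryDemo models the thread's scenario with constructed keys: the
// sender seals the paperwork to the sister's key, and the message then lands
// in a stranger's mailbox. It reports whether each party can read it.
func MisdeliveryDemo() (intendedReads, strangerReads bool, err error) {
	sister, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	// Constructed placeholder document; no real personal data.
	doc := []byte("CONSTRUCTED SAMPLE: loan paperwork, SSN 000-00-0000")
	env, err := Seal(&sister.PublicKey, doc)
	if err != nil {
		return false, false, err
	}
	got, err := Open(sister, env)
	intendedReads = err == nil && bytes.Equal(got, doc)
	_, err = Open(stranger, env)
	strangerReads = err == nil
	return intendedReads, strangerReads, nil
}

func main() {
	ok, leaked, err := MisdeliveryDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("intended recipient can read: %v\nstranger can read: %v\n", ok, leaked)
}
```

Run it with `go run`: the stranger's attempt fails at the RSA-OAEP unwrap, so the body is never decrypted, which is the "encrypted gibberish" Sique refers to. The example does not fix the transcription error itself. The address can still be wrong, but because the sender chose the key by the recipient's identity (a keyserver lookup or an out-of-band exchange, as CronoCloud describes) rather than by the typed address, a misdelivery leaks nothing readable.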

  2. Technophobic bureaucrats by GenieGenieGenie · · Score: 5, Interesting

    One of the main problems here is that people are given these technologies without understanding them completely. When I was working in the US, I made a big fuss once at my workplace about sending sensitive documents in unencrypted emails and was treated like I was hysterical and unreasonable. I managed to coerce the morons in charge to do this, but the incident was turned into a laughing matter from that point on. It's hard to convince drawer-minded bureaucrats to change their behavior when there aren't any regulations, created by other drawer-minded bureaucrats, that specify how it is that they should actually behave. I mean, god forbid, they might need to resort to independent thinking and resolution.

    1. Re:Technophobic bureaucrats by Xest · · Score: 5, Interesting

      Yep, it's amazing how many just don't get it.

      I used to work for an engineering firm doing development, but prior to that my experience was in network administration. The IT department was managed by an engineer who had zero IT experience but took the job when the firm split from its other half years before and the other half took all the IT staff, and all his staff were just people who had moved sideways. The net result was an IT department run wholly by amateurs wanting to be professionals.

      Because I had real actual IT experience of a 10,000 user network from my previous job I tended to help them a lot, and I really didn't mind that, and they appreciated it.

      But there were some things they just wouldn't get, security was one. I told them time and time again about the complete and utter lack of security and security policy and explained the risks. I was frankly laughed at by everyone in IT and even the directors and CEO I mentioned it to. I was told I was paranoid and being silly, and why would they ever be a hacking target, because it's not like they were drilling in the arctic or suing people for copyright infringement. All this was true despite the fact I'd set up a firewall around my net facing dev servers even if they weren't going to properly defend the rest of the company and I provided them IDS logs showing many probes from countries such as China and a number of South American countries like Colombia and Argentina, where they were also active and had an office.

      It's a shame because they actually had a proper R&D department and had some genuinely unique data, designs and techniques for the field in question. I left there about 7 years ago, and in the time since I'm aware that they repeatedly became loss-making, in part because of the recession, but primarily because it turns out a company in China started doing everything they could do cheaper and had to have had all their data. This didn't particularly surprise me because they had on a number of occasions had problems with Chinese sales staff probing for more information than necessary when visiting the UK offices - it seemed pretty clear someone in China was interested in entering that industry, and probes on my dev servers from China were more prolific than anything I'd seen before and since. They have now been consumed by a German company and asset-stripped for the remaining useful bits of IP, but are gone as an individual company - a good hundred or so jobs were lost.

      This is the greatest example I've witnessed personally where IT security and ignoring the risks due to naivety led to tragic consequences. It's possible they wouldn't have survived the prolonged downturn regardless, but it's pretty clear that espionage accelerated their end.

      But what do you do? If they don't listen to the warnings and advice I don't see how you can help them. There was an attempt to shift the responsibility onto me ("You write the security document and implement the procedures if you think we need them"), of writing the security policy, implementing all the measures, but I wasn't there for that, I'd moved into development precisely because I wanted to get out of that and whilst I said I'd be happy to train and review I wasn't willing to let it become my full time job - I didn't see why I should be forced into a job I hated because IT didn't want to do the job they were supposed to be doing, hence why I left.

      It's a shame that so many places learn the lesson too late, or not at all in some cases (e.g. Sony).

  3. Re:You are probably SOL... by fuzzyfuzzyfungus · · Score: 5, Insightful

    As best I can tell, "identity theft" is a brilliant invention on the part of institutions that are too lazy to authenticate people: as if by magic, this construction transforms fraud perpetrated against them into your problem. "Ooh, your identity got stolen, that sucks. Have fun fighting with the credit reporting agencies forever." rather than "Oh, another instance of fraud by impersonation against our pitifully weak systems. Maybe we have to do something about that..."

    I have to admit, it's elegant enough that I'd be forced to shake the hand of the person responsible before punching him in the face, just as a gesture of respect for carrying off something that audacious successfully.

  4. Re:IANAL but.. by Hognoxious · · Score: 5, Funny

    Anyone claiming to be a lawyer on Slashdot, or indeed on the internet in general, is probably lying.

    If they are a lawyer, they're definitely lying.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  5. one and only piece of advice by ihtoit · · Score: 5, Informative

    Locate your State's Regulatory Data Commissioner. For CT, that would be the Ct. Banking Commissioner, via the Department of Banking, 260 Constitution Plaza, Hartford 06103-1800, and report as a protected data breach giving full details. They will carry it to closure. Contact there is the office of Bruce Adams, on (860) 240-8100.

    HTH.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel