If a Financial Institution Mishandles My Data, What Recourse Do I Have?
grahamsaa writes: My sister recently consolidated her student loans, and the bank e-mailed the paperwork, which included her name, address, date of birth, social security number, driver's license number and bank account information to the wrong e-mail address. The address (a gmail address) is associated with a real person (not her), so someone now has all of her personal details. My sister claims that she read her e-mail address to the bank representative over the phone twice, but that it was transcribed incorrectly.
The real issue is that the bank was willing to use unencrypted e-mail at all to send sensitive information, and I told my sister that at a minimum the bank should cover electronic credit monitoring for her for a minimum of a year, but I feel like that alone probably isn't enough. While my sister should have insisted that they use a more secure means of sending this information, I think it should be the bank's responsibility to ensure that this kind of thing doesn't happen. What kind of recourse does a person in my sister's position have? Did the bank violate any laws (she lives in Connecticut in the United States)? Is there a standard penalty for this kind of thing? I'm not a lawyer, but I know some of you are. What are her options in this case?
Not a lawyer. (Score:5, Informative)
You know a lawyer could lose their license if they gave advice to you in this situation (they'd be representing you).
Your options are: find a lawyer.
Re: (Score:2)
Or live with amateur advice from people who can't be lawyers by definition.
Re: Not a lawyer. (Score:4, Funny)
CFPB has regulations against sending such info in plain emails. Bank can get seriously fined.
Nah, in practice the CFPB is like the BBB (Score:2)
Well, I get an email response back re: second application and I'm denied because my credit scores are atrocious. This is surprising, so I immediately ask if they can give me more info, and they say no they are legally only allowed to tell me the credit scor
Re: Not a lawyer. (Score:5, Insightful)
HOW DOES SENDING EMAIL OVER ENCRYPTED CHANNELS "PREVENT" EMAIL ADDRESS TYPOS?
It does insofar as the public keys of the intended receiver and the actual receiver don't match, and thus the actual receiver gets nothing but encrypted gibberish, thus no data is leaked.
Re: (Score:3)
Public keys ? There is no established infrastructure for public key encryption of e-mail.
Re: (Score:3)
That's funny, because the submitter claimed the bank had her "name, address, date of birth, social security number, drivers license number and bank account information." It's almost as though they might have met her (in some form), got a lot of information from her (you can ask for all that stuff but not a fingerprint?) and authenticated her. Typos aside, you have to authenticate anyway, otherwise I could take out a loan in the submitter's sister's name, and give them my email address which they correctly
Re: (Score:2)
Better yet, why bother with email?
I mean, I have a super brilliant idea. The bank creates a website, and you can enter some previously-agreed to credentials, perhaps obtained while you were at the branch setting up your account. For simplicity, I'll call it an "customer ID" and a "password" for lack of a better term.
The customer uses the web site, and logs into the bank and all dealings with the bank are through that website. Perhaps the bank can add features that shows them all their accounts with the bank
Re: (Score:2)
Re: (Score:2)
xclip messed it up, my fault. You should be able to verify this one:
Yes, there is. Grab my pubkey from Slashdot or a keyserver and you can verify this comment.
Encryption the easy way (Score:4, Interesting)
They know most folks are incapable of implementing or even understanding encryption, thus the simplified method above.
Banks ( and any institution that handles SPI data ) will get their ass handed to them for exposing that data. ( and they know it ) SPI data is the primary reason all laptops for my company are full disk encryption. Losing a laptop isn't news. Losing one with 100k Social Security numbers, bank accounts, or Customer names, passwords, addresses DOES make the news.
They're paranoid about it ( and rightfully so ) and will fire you on the spot if your actions expose SPI data of any kind.
*SPI = Sensitive Personal Information
Re: (Score:3)
Encrypted e-mail is to this day not straightforward, if possible at all. I just checked my e-mail client, Claws Mail. It doesn't have an option to encrypt e-mail. Maybe in an extension; it's not in the client itself. Using encryption securely is hard, really hard. So many ways it can go wrong, so easy to make a mistake and compromise your key making the whole thing moot.
Furthermore, I don't know of any current standard for e-mail encryption that is widely supported. No idea on how to create a key - let alon
Re: Not a lawyer. (Score:5, Informative)
I just checked my e-mail client, Claws Mail. It doesn't have an option to encrypt e-mail. Maybe in an extension; it's not in the client itself.
Claws Mail supports both GnuPG and S/MIME encryption by default. The reason you don't have an option is that you haven't configured/set up claws-mail to do so.
Furthermore, I don't know of any current standard for e-mail encryption that is widely supported.
Any good e-mail client supports BOTH GnuPG and S/MIME.
No idea on how to create a key
Applications>Accessories>Passwords & Keys. File>New>PGP Key
let alone how to securely and easily exchange keys with random recipients (like a client who calls me asking me to send them some information by e-mail).
You can use out-of-band methods, or just use keyservers.
The obvious way to send an encrypted mail to someone would be to pull their public key from some kind of repository (which as yet doesn't exist
They do exist, they're called keyservers.
Re: (Score:2)
They do exist, they're called keyservers.
Of course, if you enter the wrong e-mail address, you'll encrypt it with the wrong public key.
Re: (Score:2)
Re: (Score:2)
Furthermore, I don't know of any current standard for e-mail encryption that is widely supported. No idea on how to create a key - let alone how to securely and easily exchange keys with random recipients (like a client who calls me asking me to send them some information by e-mail).
The beauty of Public Key Encryption is the public key tells the encryption software how to encrypt the message in a way that only the owner of the public key can decrypt. To decrypt you need the private key which you should keep as a private personal secret. You can publish the public key anywhere, and exchange it any way you see fit. Slashdot either does or did at one time, an area where users can publish their public keys.
Sounds to me like you're getting PKE, Public Key Encryption, confused with Kerberos [wikipedia.org] a
Re: (Score:2)
You can publish the public key anywhere, and exchange it any way you see fit. Slashdot either does or did at one time, an area where users can publish their public keys.
Still does, for older UIDs. It is at http://slashdot.org/~username/... [slashdot.org] "You Must Be New Here" types are out of luck because they took out the entry form for it section where you can add your sig, bio, ICQ, etc etc.
Re: (Score:2)
Re: (Score:3)
OpenPGP. Signed and encrypted; eliminates unintended recipients from reading the contents; guarantees the sender.
Re: (Score:3)
OpenPGP would happily decrypt for the correct (but incorrectly typed-in) address. It would not prevent a typo.
My bank sends statements via email, but they are a password protected PDF that itself downloads a PDF. I have no idea why this is superior to sending a web link, but this is what they do.
Re: (Score:2)
OpenPGP would happily decrypt for the correct (but incorrectly typed-in) address. It would not prevent a typo.
Yes, it would. Because you have to choose a public key to encrypt to. No public key for an address, it'll throw up a warning, preventing you from encrypting or sending.
And even if it did get sent to the wrong address, but encrypted to the right key, the wrong recipient couldn't do a damn thing with it. They don't have the key...or the password for said key.
Re: (Score:2)
How would you tell the bank what public key to use ?
Re: Not a lawyer. (Score:4, Interesting)
Re: (Score:2)
Theoretically, you'd provide it when you open the account.
Re: (Score:2)
Supply my key in person when I open the account? Or I can just say, "Grab my key from a keyserver, the KEY ID is: 324DA85D" I could also hand them the Fingerprint of the key.
Re: (Score:2)
How do you tell the bank your name and DOB, and prove that the government has certified that someone whose face looks like yours, happens to be associated with that name and DOB?
Re: (Score:2)
In the same way as the bank could provide you with its public key (or X.509 certificate) and sign all electronic communications to the account holder. If all financial institutions did this it would reduce phishing.
Re: (Score:2)
That's all fine and dandy, but I could phish with Adobe Acrobat, too.
Re: (Score:2)
I know about OpenPGP, but it's hardly an established infrastructure. I bet your grandma doesn't use it.
Re: (Score:2)
well the wrong receiver wouldn't be able to open it...
of course it's just another issue if it's plaintext while in transit(it might have not, you know).
maybe next time not request such info on email. though, did they check anything before sending it even? that's the real loophole, me thinks.
Re: (Score:2)
Sure. Banks incur fines all the time. The trick is that the amount of the fine is rarely more than a rounding error for them, so they don't give a shit and write it off as part of the cost of doing business.
Not over the phone (Score:4, Interesting)
I wouldn't give out my email address over the phone.
This is because it is fairly long and easy to misspell.
Instead, I send an email to the bank, using their email address, and of course my correct addy is then available as Sender.
This step ensures we both know we are talking to each other.
This can only help if you are talking to a financial institution.
Re: (Score:2)
HTTPS/SSL does not protect them from sending the information to an unintended recipient.
Re: (Score:2)
After you log into the HTTPS website with your username, password, and possibly a security token, we can assume you are the intended recipient. Pretty standard for internet banking.
Re: (Score:2)
This is very true. Them sending this information over email and unencrypted is a violation of at least one if not several federal financial privacy laws, at least from my understanding during my three year stint doing programming work for a bank.
They should send a link to activate an account. They should use various bits of personal information to verify the user (SSN, DOB...) and preferably a random confirmation code that the representative gave the customer over the phone during the original phone call.
Re: (Score:2)
Re: (Score:2)
Good idea. Now she only has to read her public key over the phone. I'm sure that'll work great.
Re: (Score:2)
Or fax it, or take it over, or just have them get it from a keyserver.
Re: (Score:2)
Who has a fax ? And grandma doesn't do keyservers.
Re: (Score:2)
Using a keyserver is point and click easy. The Windows version of Kleopatra (an easy to use GUI for gnupg) is installed by default with the windows version of gnupg. The keys.gnupg.net keyserver is used by default.
Re: (Score:2)
Last I checked, PGP implementations tend to look at the recipient address for a key.
Which means either no key would have been used, or the wrong key. In both cases, the actual recipient who got it would have been able to read it.
Re: (Score:2)
Last I checked, PGP implementations tend to look at the recipient address for a key.
Yep:
or you can use names
Which means either no key would have been used,
If there
The switch could make things worst (Score:2)
The address (a gmail address) is associated with a real person (not her), so someone now has all of her personal details.
Since similar usernames can also mean similar full names, it could make identity theft that much easier for that other person bearing a similar name as your sister.
Anyway, I hope that's not the case, and I hope that other person is not a criminal.
Re: (Score:3)
Since similar usernames can also mean similar full names, it could make identity theft that much easier for that other person bearing a similar name as your sister.
On the other hand, the bank should know who they sent that information to. If I was by mistake given the keys to my neighbour's home, and the person who gave me the keys knew who they gave them to, I would be an idiot to break into my neighbour's house using these keys.
Re: (Score:2)
the bank should know who they sent that information to.
If the bank really knew to whom they sent the email, then sure, they'd have suspect number one if anyone looked cross at the victim's credit history. But they only know the email address they sent it to. Not quite the same as a person, and if the account is subsequently closed (and records of said account purged after X months) then the victim could have her identity sold after this date. The bank then calls up the email provider:
"Hey, we think one of your users is a hackety mchackerson. The email add
Re: (Score:2)
Of course. You'd just make a copy of the keys, give the originals back, wait a year or so, then break in. Or sell the key to someone else.
Maybe you should move to an area where not everyone is such a douche?
Re: (Score:2)
Since my gmail is just my last name (I got in early), this has been a terrible curse - I get the email of every idiot who shares my last name. I've gotten all manner of things, from filled out job applications to spam. This has to be a common problem.
Re: (Score:2)
Decades ago we had the domain poiuyt.com. I was always amazed at how many people would register at different websites as poiuyt@poiuyt.com and have a password of qwerty! We should have kept the domain just for the pre-paid porn.
Re: (Score:2)
Yes, unfortunately one of my email doppelgangers falls for all the "get rich quick" crap and fills out forms on spammy websites. I'd suspect one of my friends screwing around with me, except that I've looked up the woman and found her... she's unfortunately very real.
Re: (Score:2)
Don't worry, anytime Gmail sees Bank of America it's sent straight to the spam bin! But seriously, my wife has never and will never conduct a credit card transaction over the phone or internet, yet her cards have been fraudulently used 3 times. She also has another woman who lives nearby with the same first and last name and same middle initial; her driver's licence and Social Security numbers are only one digit different. We found that out while trying to clear a misapplied tax lien on our property, I su
Technophobic bureaucrats (Score:5, Interesting)
Re:Technophobic bureaucrats (Score:4, Insightful)
Depending on the situation, not caring can easily be a greater obstacle than not understanding. This is the major reason why the existence of regulations carries weight. Regulations aren't very educational; but it is very, very easy to understand 'doing X violates The Rules', while the logic behind The Rules can be of any level of complexity, or nonexistent. On the minus side, this means that arbitrarily stupid practices can be incorporated into The Rules without challenge. On the plus side, this means that brutally complex, but necessary, procedures can be laid out without the need to explain them to everyone from first principles.
Re:Technophobic bureaucrats (Score:5, Interesting)
Yep, it's amazing how many just don't get it.
I used to work for an engineering firm doing development, but prior to that my experience was in network administration. The IT department was managed by an engineer who had zero IT experience but took the job when the firm split from its other half years before and the other half took all the IT staff, and all his staff were just people who had moved sideways. The net result was an IT department run wholly by amateurs wanting to be professionals.
Because I had real actual IT experience of a 10,000 user network from my previous job I tended to help them a lot, and I really didn't mind that, and they appreciated it.
But there were some things they just wouldn't get, security was one. I told them time and time again about the complete and utter lack of security and security policy and explained the risks. I was frankly laughed at by everyone in IT and even the directors and CEO I mentioned it to. I was told I was paranoid and being silly, and why would they ever be a hacking target, because it's not like they were drilling in the arctic or suing people for copyright infringement. All this was true despite the fact I'd set up a firewall around my net facing dev servers even if they weren't going to properly defend the rest of the company and I provided them IDS logs showing many probes from countries such as China and a number of South American countries like Colombia and Argentina, where they were also active and had an office.
It's a shame because they actually had a proper R&D department and had some genuinely unique data, designs and techniques for the field in question, I left there about 7 years ago, and in the time since I'm aware that they repeatedly became loss making, in part because of the recession, but primarily because it turns out a company in China started doing everything they could do cheaper and had to have had all their data. This didn't particularly surprise me because they had on a number of occasions had problems with Chinese sales staff probing for more information than necessary when visiting the UK offices - it seemed pretty clear someone in China was interested in entering that industry, and probes on my dev servers from China were more prolific than anything I'd seen before and since. They have now been consumed by a German company and asset stripped for the remaining useful bits of IP, but are gone as an individual company - a good hundred or so jobs were lost.
This is the greatest example I've witnessed personally where IT security and ignoring the risks due to naivety led to tragic consequences. It's possible they wouldn't have survived the prolonged downturn regardless, but it's pretty clear that espionage accelerated their end.
But what do you do? If they don't listen to the warnings and advice I don't see how you can help them. There was an attempt to shift the responsibility onto me ("You write the security document and implement the procedures if you think we need them"), of writing the security policy, implementing all the measures, but I wasn't there for that, I'd moved into development precisely because I wanted to get out of that and whilst I said I'd be happy to train and review I wasn't willing to let it become my full time job - I didn't see why I should be forced into a job I hated because IT didn't want to do the job they were supposed to be doing, hence why I left.
It's a shame that so many places learn the lesson too late, or not at all in some cases (e.g. Sony).
Is she sure she told them the correct address? (Score:5, Interesting)
I have a firstnamelastname@gmail email address (you can see it above this post), and I get a *lot* of correspondence for other me's out there - bank details, divorce proceedings, legal proceedings, a long running internal discussion surrounding someone's cock-up in the Republican Party in the US, internal memos for several political parties around the globe.
I've enjoyed free Netflix subscriptions (thanks!), invites to various exclusive clubs (not so great, most of them are in the US) and family meet ups. I know the progress of several children's schooling in Canada and the US, including an incident where the child was suspended for 3 days for kicking the teacher. I've had the ability to cancel several ISP connections, including business ones. Details of medical appointments and procedures, insurance documents etc etc.
I've also been threatened with legal action for simply owning the email address and not handing it over - twice now. Yes, apparently there are other me's out there that think they have a right to this email address.
So in short, without a recording of the telephone conversation, I wouldn't be so sure that it wasn't your sister that got the address wrong.
Re: (Score:3)
Comment removed (Score:5, Funny)
Re: (Score:2)
I share a name with the son of a billionaire.
I have given feedback on his condo housecleaning and politely declined his best friend's bachelor party blowout at some swanky ski resort. Was fun. :D Haven't received any more emails since then.
Re: (Score:3)
I have a firstnamelastname@gmail email address (you can see it above this post), and I get a *lot* of correspondence for other me's out there - bank details, divorce proceedings, legal proceedings, a long running internal discussion surrounding someones cock up in the Republican Party in the US, internal memos for several political parties around the globe.
Same here. I usually reply with a "wrong person, please verify the email address" and get a thanks in reply. No legal threats, which would get a nice FU response from my lawyer, but I did have some idiot IT admin insist, repeatedly, the address was correct and that they would continue to send me the emails. He didn't seem to understand that ignoring periods in email addresses complied with the RFC no matter what he thought. I said OK, but be advised that I make no assurance as to the privacy of the informati
Re: (Score:2)
Please change your name at once or face prosecution.
Sincerely,
Richard
Re:Is she sure she told them the correct address? (Score:4, Funny)
I too have this gmail phenomenon. There are some instances where I have received e-mails from multiple sources, all to the same 'other me' (A little more ambiguous in my case as it's first initial then surname).
Some people just assume they have this e-mail.
And in true spirit of 'there's an XKCD of this', this one was always pretty relevant for me lol... http://xkcd.com/1279/ [xkcd.com]
Re: (Score:2)
Just fyi, and you may be aware of this as you are getting mails both with & without the period. Gmail essentially ignores them so you can send a mail to yourname@gmail.com, your.name@gmail.com or y.ourna.m....e@gmail.com and they will all work just fine :)
Re: (Score:2)
Just fyi, and you may be aware of this as you are getting mails both with & without the period. Gmail essentially ignores them so you can send a mail to yourname@gmail.com, your.name@gmail.com or y.ourna.m....e@gmail.com and they will all work just fine :)
Yep. OTOH, I also have a common firstnamelastname@gmail address, and I've replied to emails to the other me with a similar polite explanation, and get angry responses back that no, firstname.lastname is different.
Okay, sure it is... But then, how did I manage to reply to your email?
Re: (Score:2)
That's how I identify most of my email - I don't use periods in my address, and every bit of the stuff I don't classify as spam but do classify as mis-addressed email (e.g., the stuff mentioned in my first post) has a period in it.
Re: (Score:2)
I've had the following emailed to me inadvertently over the years:
-Sperm/fertility analysis results from the NHS
-Paypal payments
-photos of people's family
-personal emails
That's nothing. I don't even have a common gmail address but I get: :(
-Advertisements for pharmaceuticals that claim to fix my virility problems (clearly based on mixed up lab results from someone else)
-Opportunities to collect millions through Paypal, money orders, and cashiers checks (from Nigerian royalty, even!)
-Photos of people making a family
But sadly I can't remember the last time someone sent me a personal email
You are probably SOL... (Score:2)
You might get somewhere if the ban
Re: (Score:2)
Agree, but I'd actually go a step further and ask why things like "identity theft" even exist. Of course this was a violation of privacy, but why should somebody having all your financial details actually cause harm?
RSA was invented 35 years ago, and we're still authenticating people based on shared secrets that they basically have to share with everybody.
Just give everybody an ID with a smartcard in it already, and use that for authentication. Yes, it means that the government and large businesses which
Re:You are probably SOL... (Score:5, Insightful)
I have to admit, it's elegant enough that I'd be forced to shake the hand of the person responsible before punching him in the face, just as a gesture of respect for carrying off something that audacious successfully.
Re: (Score:2)
"Ooh, your identity got stolen, that sucks. Have fun fighting with the credit reporting agencies forever."
Particularly galling considering that these are the guys who basically run the credit reporting agencies.
Re:You are probably SOL... (Score:5, Insightful)
In a sane and just world, a credit reporting agency giving out incorrect information would be considered libel.
Re: (Score:2)
As someone whose identity was stolen, this is spot on. My name, address, SSN, and DOB somehow ended up in someone's hands (never did find out how) and they opened up a credit card in my name. Mother's maiden name was wrong on the web form but that didn't matter to the credit card company (*cough* Capital One *cough*). By sheer luck, the thieves paid for rush delivery of the card BEFORE changing the address so the card wound up at my house. Still, the wrong mother's maiden name, immediate address change,
IANAL but.. (Score:2)
Pro tip: Anyone claiming to be a lawyer on Slashdot, or indeed on the internet in general, is probably lying. Especially if it is while they are providing you with what appears to be legal advice.
Re:IANAL but.. (Score:5, Funny)
If they are a lawyer, they're definitely lying.
Re: (Score:2)
A real lawyer could give useful information, for example, I'm not giving you legal advice, but when you hire your own lawyer, here are a few questions to start with...
From a security perspective... (Score:5, Interesting)
Frankly, the risk of somebody doing something nefarious with the information they got is pretty low. Even on the internet the vast majority of people are nice and behave like decent human beings. Most people don't even know how they could use that information for financial gain. So if you go to court you will have a hard time proving actual damage for what is obviously a mistake, which means any recuperation is either going to be based on good will or specific laws covering data breaches.
In a larger perspective, you are right now encountering (and worrying about) a fundamental flaw in the way many American businesses work. There is a big confusion between identity, authentication and authorization. Identity (name, address, date of birth, social security number, bank account etc.) is not the same as authentication (I am the Identity) nor authorization (I am allowed to act as the Identity). None of the information the bank leaked really should be secret, and in Europe you could probably find most of it (except for bank account numbers) in public databases.
Re: (Score:2)
> the risk of somebody doing something nefarious with the information they got it pretty low.
On a case by case basis, yes. On a wholesale basis, the risk gets quite large, and they _script_ their attacks.
Comment removed (Score:5, Insightful)
Vaseline (Score:2)
Bank Security? (Score:3)
I use a specific email address for any org that I deal with, something like @my.address.net So I can see who I get spam/malware from and I can block specific senders.
I used a specific_bank@my.address.net for a loan application once and I got malware from that bank a year or so later. I certainly did not use the email for anything else. The BANK had a virus somewhere that harvested my email and God knows what. I transferred the loan to another institute.
This is in Germany where there are actual laws about this.
What to do... (Score:2)
1. Consult an attorney in person, one with the initial interview free. Consult two more attorneys as a second opinion. If she is absolutely sure she gave the correct email to the bank then you can pursue legal action. Regardless, the bank should not have sent confidential information to an email address without some form of encryption. Most banks would send a secure message via their online website, an email just notifying you there is a secure message waiting for you, etc. I don't know of any laws that
Re: (Score:2)
Oh yeah, have fun watching your credit reports like a hawk for the rest of eternity. If you do encounter any identity theft, it is practically a full time job to keep on top of it and fight back. You will need to keep all correspondence forever and you will be using a lot of registered mail. Get everything in writing. Read up on the laws that protect you from debt collectors who are not allowed to harass you. Be prepared to fight the credit bureaus to remove fraudulent items off your credit report, etc
Use your state laws, the CFPB and Investor Relat. (Score:4, Informative)
I work in IT security for a bank. Your plan of attack depends on the state where you live, how your bank is chartered (state charter or federal charter) and how large your bank is with respect to the dollar amount of assets. If they are above ten billion in assets they are subject to more regulations.
The federal laws are incredibly weak on this matter because the banks contribute so much to lobbying. The only federal regulator that scares the banks is the Consumer Financial Protection Bureau, www.consumerfinance.gov. They have an online complaint form. The primary regulator for banks is the Office of the Comptroller of the Currency www.occ.gov, but they are seen as weak on data protection matters. Lately they have been making a lot of noise about cybersecurity being a high priority but only from the hacking aspect and not consumer data protection.
The CFPB and the state laws are your best legal avenue. A certified letter to them as well as to the OCC will get attention. ALWAYS send a letter by certified mail as well as using an online method. Certified mail gets a lot of attention because that is how legal matters arrive.
It is not up to you to make sure the bank is using the correct contact information; it's up to the bank to validate it somehow and to protect the information while it is in transit and at rest on your ISP's mail server (yes, and that means no sending of unencrypted confidential docs by email). For email it's a preceding exchange of emails to validate the email address and the use of encryption on the files. You also could contact your local newspaper (if you still have one) or the local TV investigative reporter. If the bank is doing something so incredibly stupid with email they probably are doing other stupid things and TV stations love that kind of dirt. I'd also complain to your state Attorney General office in writing. New York has an incredibly proactive AG office on these matters. I'd also use the bank's Investor Relations contact information to make a complaint. That method is far, far more effective than trying to guess the CEO's email address. Every company watches their Investor Relations email or contact page closely, not just banks.
Your bank "told" you that they do not have any type of secure document delivery service. They also told you that they do not have a properly configured, if indeed any, type of Data Loss Prevention application or program. What they did NOT tell you is whether they used encrypted email. There is a form of automatic email encryption called TLS that transparently encrypts email between servers. Gmail sends and receives TLS email by default. So it's entirely possible that they did use TLS email to encrypt it across the Internet. www.checktls.com can tell you whether your email provider and the bank can use TLS email.
Good luck.
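An added example (mine, not code from the thread) of the check the comment above describes: read a received message's `Received:` chain and see whether each hop reported TLS, using the RFC 3848 `with ESMTPS` keyword and the `(version=TLS... cipher=...)` note Gmail records. The headers and host names are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed sample headers (not a real message). "with ESMTPS" (RFC 3848)
# and Gmail's "(version=TLS... cipher=...)" annotation are how a receiving
# server records that a hop arrived over STARTTLS.
SAMPLE_MESSAGE = """\
Received: from mx.example-bank.test (mx.example-bank.test [192.0.2.10])
        by mx.google.com with ESMTPS id abc123
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 1 Jan 2024 10:00:00 -0800 (PST)
Received: from app01.internal.example-bank.test (app01 [10.0.0.5])
        by mx.example-bank.test with ESMTP id def456;
        Mon, 1 Jan 2024 09:59:58 -0800 (PST)
From: loans@example-bank.test
To: recipient@example.test
Subject: Your consolidation paperwork

(body omitted)
"""

HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.I)
TLS_HINT_RE = re.compile(r"\b(version=TLS|cipher=)", re.I)


def received_hops(raw_message):
    """Return delivery hops oldest-first: sender, receiver, transport, TLS flag."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its own Received header, so the top one is newest.
    for value in reversed(msg.get_all("Received") or []):
        flat = re.sub(r"\s+", " ", value)  # unfold the header
        m = HOP_RE.search(flat)
        if not m:
            continue  # e.g. a local "from userid" line with no 'with' clause
        sender, receiver, proto = m.groups()
        tls = (proto.upper() in ("ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA")
               or TLS_HINT_RE.search(flat) is not None)
        hops.append({"from": sender, "by": receiver, "proto": proto, "tls": tls})
    return hops


def unencrypted_hops(raw_message):
    """List (from, by) pairs for hops showing no sign of TLS.

    Even when this list is empty, TLS only covered the wire: the message is
    still plaintext in whichever mailbox the (possibly wrong) address names.
    """
    return [(h["from"], h["by"]) for h in received_hops(raw_message) if not h["tls"]]
```

Paste your own raw headers (the "show original" view in most webmail clients) in place of the constructed sample to see which hops your provider and the sender's server actually negotiated TLS on.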
Do NOT do credit monitoring (Score:2)
By locking up your data, the bureaus do not even get to sell your data. And if you are not using LifeLock, nor can they.
Bank Security (Score:3, Interesting)
You want to fight the banks? Forget it. (Score:2)
GLBA (Score:3, Informative)
Disclaimer: I work for a small community bank. In the US, all banks are required to adhere to the Gramm-Leach-Bliley Act (GLBA). See: http://en.wikipedia.org/wiki/G... [wikipedia.org]
As such, banks are required by both their state and federal regulators to follow a series of basic security protocols as laid out in the FFIEC IT Examination Handbook. Google this document for further details.
I'm not sure what recourse she would have, specifically, under GLBA, but if she is truly interested in following up on this mistake by the bank, the place to begin would be consulting an attorney and contacting either the FDIC or the state's Department of Financial Institutions to make a formal complaint. Banks are usually required to have a formal complaint resolution process in place, and they are required to respond to both FDIC and state regulatory complaints as well.
Contact the other person (Score:2)
I'd send an email to that wrong address, explaining my concerns and asking them in the most friendly way not to abuse the information they unintentionally received and to please delete the bank's email. If they answer, I'd take it from there (at least I would have some info about that person). Stay polite and don't make threats because they could cause a lot of damage in return.
If they don't answer, then I would talk to a lawyer.
In the meantime I would monitor my bank account(s) closely.
one and only piece of advice (Score:5, Informative)
Locate your State's Regulatory Data Commissioner. For CT, that would be the Ct. Banking Commissioner, via the Department of Banking, 260 Constitution Plaza, Hartford 06103-1800, and report as a protected data breach giving full details. They will carry it to closure. Contact there is the office of Bruce Adams, on (860) 240-8100.
HTH.
I don't know how enforceable this is (Score:2)
"If you have received this communication in error please delete or destroy it and notify the sender immediately."
Does anyone know if these statements hold any water?
Why on earth by email? (Score:2)
Why on earth did she EVER agree to receive the information by email? When I refinanced I told them no when they asked about email. Either a secure document serving website where I could login and download the documents (which they had, surprise surprise) OR they go by fax. People don't generally know how to use email encryption properly, especially those that work in the mortgage area. I'd rather fax it 20 times than email it.
Call. A. Lawyer. (Score:2)
I have a friend. Back when he was building a house, he was fighting the bank for the mortgage. His mom was co-signing... and some moron at the bank (can't remember if it was Wells Fargo or BoA) emailed ALL THEIR DEPOSIT records, with account info, to them in an email.
They got a lawyer. The bank paid 100% to a) change all of their accounts, b) all costs incurred by them to make changes elsewhere.
Call a lawyer. I mean, do you actually *trust* banks (look up "Great Recession", 2008, subprime lending....)
Well, I work at a bank (Score:2)
Fairly high up the food chain in IT, actually. And while it's too late in this case, I'd say that any bank telling you that they don't have a secure method for exchanging sensitive data is not a bank you ought to be doing business with.
There's a whole raft of regulatory compliance and audit requirements that US financial institutions are subject to, and the one in question here is GLBA (Graham-Leach-Bliley Act), which governs how sensitive information must be handled. I'd place a call to the FFIEC and eith
Wow if I did anything like that (Score:2)
Every customer I've ever had made it crystal clear what the PII requirements were, and they were no joke.
I guess it's different if you're not in software?
Re: (Score:2)
This is not a new phenomenon at all...
Re: (Score:2)
they don't have more money and more lawyers than the State regulator, maybe OP should give them a call. (860) 240-8100
Re: (Score:2)
Best practices nothing, a breach of personally identifiable, compartmentable information is a breach of data protection Law, and that is something the State regulator must deal with as an actionable incident. That's what he's there for.
Re: (Score:2)
"Did you know that assholes like you are why our doctors will not answer even the most trivial questions using e-mail?"
And they should not. Giving any sort of medical advice without talking to the person directly is very risky.
Re: (Score:2)
And they should not. Giving any sort of medical advice without talking to the person directly is very risky.
Bullshit. Follow-ups with existing patients, clarification of what was said during a visit, are perfectly appropriate for email.
Re: (Score:3)
Email? Not sure about. How do you verify who you are with many people having unsecured email accounts on home computers, cell phones, etc.
My doctor has a secure portal where I can ask questions, read replies, see what my recent prescriptions were for and dosage, find out results of lab work if the doctor has released them, etc. Quite handy. More inconvenient than just email, but a lot better than nothing.
Re: (Score:2)
They e-mailed her name, address, date of birth, social security number, drivers license number and bank account information to someone else. With the first four of those, you could easily open a credit card in the person's name. I know. It happened to me. I was lucky that the thieves paid for rush delivery of the card and THEN changed the address. The card arrived at my house. If they didn't do this, the first I'd have heard of it would have been when the collection agency banged on my door demanding t
Re: (Score:2)
Indeed. But the OP has not provided the name of the bank? Why not? Afraid of the unknown potential consequences of doing so, I'll guess. This is the problem a libertarian would address.