WWYD: The Privacy Breach
In this installment of “WWYD,” dealing with an accidental leak of private information:
My husband and I recently purchased a house. We had a miserable experience with our bank but, by anyone’s account, getting a mortgage is a totally miserable experience so we consider ourselves lucky to finally be on the other side and surrounded by our boxes. Yesterday, though, my husband received an email from our mortgage broker which included the entire mortgage application of a stranger. It included private financial and personal information. Needless to say this information could cause considerable damage in the wrong hands. (I believe there’s a film.) The broker immediately sent a follow-up email with the title “RECALL” but, obviously, the damage has been done. We feel that it’s our responsibility to report this error to her managers. Do we owe it to the potential borrower to let them know that their privacy has been compromised? Should we report the breach in privacy to anyone else? — K.
Back in 2009, a bank in Wyoming accidentally sent some confidential information of more than 1,300 customers to a random Gmail address. The bank sent another email to the Gmail address asking the person to destroy the information, and when the person didn’t respond for whatever reason, the bank persuaded Google to shutdown the random person’s email account (Google later reactivated the account when the case was later dismissed).
So yes, I would destroy the email with the stranger’s mortgage application and notify the broker immediately that I had done so. According to privacyrights.org, a nonprofit consumer advocate, most states have laws that require companies and financial institutions to notify individuals about incidents of unauthorized access to their personal data (see here for your state laws). It’s not your duty to notify the borrower about the privacy breach — it’s the mortgage broker’s. Whether or not you trust the mortgage broker to do so is another matter.
Financial institutions should also have a response program on hand to address security breaches that involve their customers. In the email to the mortgage broker notifying her that the private information has been destroyed, I’d also write something about being concerned about how my own personal information is protected, and ask how they respond to breaches. I’d ask if customers are notified when their personal data is accidentally leaked or compromised, and if supervisors are also notified about the breach. I’d write that I’d feel a lot better if a supervisor contacted me to let me know that that situation is being handled, and that steps are being taken to make sure that customers are being protected from any harm that could result from the breach. The onus should be on the mortgage broker to notify her managers and the customer affected. If you’re not given a satisfying response, you can also try complaining here.