Don’t be careless with customer data

As featured on the Central Penn Business Journal:

About three weeks ago, I started receiving bank letters at my home for someone named Tom. That seemed odd since nobody by that name lives at my address the last time I checked, and the last resident was not named Tom either. I figured that perhaps the first letter was just a fluke, but I tucked it away in a safe place anyway.

To my surprise, I received two new debit cards and the associated PINs several days later. I was now a bit concerned that the real Tom might have had his identity stolen, so I decided to call his bank and report the situation.

When I called Tom’s bank, Bank of America, they did not seem too interested in the story, and the representative who answered the fraud hotline just patched me through to an automated message. The recorded message instructed me to cut up the cards and mail them back to the bank. I guess what really annoyed me, though, was the fact that this behemoth bank (it reported nearly $15M in profits last year) expected me to pick up the tab to correct their mistake.

Fast forward three weeks and Bank of America has continued to send me a wealth of personal and incredibly sensitive information about this man. Figuring that this madness was not going to stop, I resolved to track down Tom and make him aware of the situation. Maybe he could straighten things out with his incompetent bank.

As I looked more closely at the letters, I began to realize just how much information this incredibly careless institution had unwittingly given to me. I knew that Tom had just opened two new accounts. I knew Tom’s full Social Security Number and the address of his primary residence in Oklahoma. The letters had his checking, savings and money market account numbers. Incredibly, I even had Tom’s full driver’s license number thanks to the misdirected mail. Why in the world would all of this information be needed in a confirmation letter in the first place? Moreover, why would any reputable financial institution be so careless with a customer’s data?

Through sheer circumstance, I had every piece of information I would ever need to steal Tom’s identity, and possibly even all of his money. Sadly, when I finally reached Tom this past Saturday, he was none the wiser because his bank had never notified him of the situation. It turns out that he lived at my address 13 years ago and apparently Bank of America thinks he still lives here.

Where am I going with all of this? If your organization records personally identifiable information, you have a duty to protect that data. If you compromise that information, either directly or otherwise, you have a responsibility to let your customers know and remedy the situation quickly and completely.

  • Take stock of the customer information your organization stores and how that information is transmitted or accessed.
  • Minimize liability by not requesting or storing personally identifiable information that is not absolutely necessary.
  • Regularly purge old information that is no longer used.
  • Ensure that your organization has tools to proactively prevent and detect compromise, as well as a plan to minimize impact in case a compromise does happen.

At the end of the day, put yourself in the shoes of those you serve. If you would not want your own information handled the way you handle your clients’ information, you need to improve the situation before it is too late for both you and them.

Dennis Little is a technology adviser based in Richmond, Va. He counsels clients nationwide.
