Prevention is always cheaper than damage control. But some companies never learn.
By shipping an unencrypted backup computer tape full of sensitive personal data, the Bank of New York Mellon was violating its fiduciary responsibilities to everyone on the tape.
After that tape disappeared on Feb. 27 and news of that disappearance leaked out, the bank has had to deal with the wrath of 4.5 million people, including roughly 500,000 Connecticut residents, who are angry that their data wasn’t safeguarded properly. Unfortunately, the bank has followed up its initial blunder with a surprisingly sluggish and unimpressive damage control effort. This is Katrina-level mismanagement.
BNY Mellon has made three fundamental errors:
• It handed over extraordinarily sensitive computer tapes to a third party without encrypting the data, even though appropriate encryption techniques have been available for at least four decades, are now relatively cheap and are in common use. Encrypted properly, with the key kept at the bank rather than shipped alongside the tape, a lost tape is an inconvenience rather than a data breach.
• It decided not to notify the victims of the incident immediately. The tape disappeared Feb. 27. However, BNY Mellon didn’t notify People’s United Bank in Bridgeport that the records of hundreds of thousands of its depositors had been lost until May 13, more than 10 weeks later. The bank’s choice to remain mum prevented the PUB depositors from taking personal steps to minimize the identity-theft dangers to which BNY Mellon had exposed them. Because the bank customers weren’t notified, they didn’t know that they needed to begin actively monitoring their credit reports and purchase identity theft insurance.
• The bank has repeatedly understated the risk to its victims and offered unimpressive compensation. “We have no reason to believe your information has been or will be accessed or misused,” BNY Mellon said in a woefully tardy May 21 letter to one Connecticut victim.
Of course, bank officials have no idea where the tape is. Nor can they explain why other tapes in the same ill-fated shipment by Archive America made it safely to their destination. If the tape was lost and destroyed, no harm. If it was stolen and fenced to identity thieves, then millions of people may face years of headaches. The bank’s ignorance of the facts should not be the basis for an assurance that all’s well.
Connecticut Attorney General Richard Blumenthal and New York State Consumer Protection Commissioner Jerry Farrell Jr. deserve kudos for pushing the bank to get on the ball. Under pressure from them, the bank has finally begun to notify the victims and take tentative steps toward neutralizing the potential damage.
Pushed by Blumenthal, BNY Mellon has raised its initial offer to provide free credit monitoring for a year. Now it offers two years. Blumenthal also wants the bank to provide $25,000 in identity theft insurance. That should be considered a minimum response.
Meanwhile, plaintiffs in a civil suit filed in Bridgeport, who seek class action status, charge BNY Mellon and People’s United Bank with negligence, invasion of privacy and breach of fiduciary duty. The plaintiffs, a group of PUB customers, allege that PUB “fees were improperly charged” because the bank failed to honor its privacy obligations. They seek unspecified compensatory and punitive damages.
The courts can weigh the merits of those claims.
But one thing should already be clear to every bank that employs a security guard or owns a vault or a paper shredder: Encrypt all sensitive data — particularly when you entrust that data to a third party.
Those who fail to encrypt in 2008 are operating in the wrong century. They’ve failed to notice that dumpster divers and phishers are much more of a threat than Bonnie & Clyde.
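As an added example, not part of the editorial and not BNY Mellon’s or Archive America’s own tooling, here is what “encrypt before you ship” looks like in code: a small Go program that seals a backup image with AES-256-GCM under a key that stays in the bank’s own key store, binds the tape label as associated data, and then checks that the sealed image no longer contains grep-able Social Security numbers and that a tampered, mislabeled or wrong-key image is rejected on restore. The customer records, the tape label “TAPE-0001” and the function names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
)

// SampleTape is a constructed stand-in for a backup image: a few fixed-width
// customer records of the kind a lost tape would expose. The SSNs are fake.
var SampleTape = []byte(
	"ACCT 0001|DOE, JANE|123-45-6789|BRIDGEPORT CT\n" +
		"ACCT 0002|ROE, RICHARD|987-65-4321|HARTFORD CT\n")

// ssnPattern is what a dumpster diver would grep a raw tape for.
var ssnPattern = regexp.MustCompile(`\d{3}-\d{2}-\d{4}`)

// ContainsSSN reports whether SSN-shaped plaintext is visible in data.
func ContainsSSN(data []byte) bool { return ssnPattern.Match(data) }

// NewTapeKey draws a fresh 256-bit AES key. The key lives in the bank's own
// key store; it never travels in the same shipment as the tape.
func NewTapeKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealBackup encrypts a backup image with AES-256-GCM. The tape label is bound
// as associated data, so a sealed image cannot be passed off as another tape.
// Output layout: 12-byte nonce || ciphertext || 16-byte authentication tag.
func SealBackup(key, backup []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce so the nonce ships inside the image.
	return aead.Seal(nonce, nonce, backup, []byte(label)), nil
}

// OpenBackup reverses SealBackup. Any change to the sealed bytes, a mismatched
// label, or the wrong key makes the GCM tag check fail and returns an error.
func OpenBackup(key, sealed []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed image too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(label))
}

func main() {
	key, err := NewTapeKey()
	if err != nil {
		panic(err)
	}
	sealed, err := SealBackup(key, SampleTape, "TAPE-0001")
	if err != nil {
		panic(err)
	}
	fmt.Println("raw tape exposes SSNs:   ", ContainsSSN(SampleTape))
	fmt.Println("sealed tape exposes SSNs:", ContainsSSN(sealed))

	restored, err := OpenBackup(key, sealed, "TAPE-0001")
	fmt.Println("restore with key matches:", err == nil && bytes.Equal(restored, SampleTape))

	// Flip one bit of the shipped image, as a careless or hostile handler might.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenBackup(key, tampered, "TAPE-0001")
	fmt.Println("tampered image rejected: ", err != nil)
}
```

Two design points matter more than the cipher choice. First, the key is generated per tape and stored separately from the shipment, so the courier holds only random bytes; a random 96-bit nonce is safe here because each key seals a single image, whereas a long-lived key would need a counter-based nonce. Second, the mode is authenticated, so a restore either yields exactly what was written or fails outright, which is the property you want before you rely on a tape that has been out of your custody.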
