Wells Fargo and its data privacy faux pas

Tom Fox | July 24, 2017

Wells Fargo continues to be in the news these days and not for the better in the way of its reputation.

Earlier this month, the bank engaged in yet another mistake for which they took a reputational hit and may well face regulatory scrutiny in the United States and across the globe. The New York Times reported this month that lawyers for the bank inadvertently produced 1.4 gigabytes of information containing “spreadsheets with customers’ names and Social Security numbers, paired with financial details like the size of their investment portfolios and the fees the bank charged them.”

The number of customers whose information was inadvertently released was reportedly over 50,000. Making this all the more remarkable was that the documents were voluntarily released in civil litigation in which the bank is not a party, involving a defamation claim brought by a former Wells Fargo employee against a current Wells Fargo employee, in his individual capacity, not as an employee of the bank.

To top it off, the bank’s lawyers did not ask for a protective order when producing the data, so nothing legally prohibits the lawyers or their client who received the data from releasing the treasure trove of information.

In addition to the public relations nightmare among its customers, the release of information constitutes a data breach that potentially violates numerous state and federal consumer data privacy laws restricting the release of personally identifiable customer information to outside parties. Both federal and state regulations require the bank to notify customers of the breach. Furthermore, the presence of any foreign customers in the database could trigger violations of data privacy regulations overseas.

This data release was clearly a self-inflicted mistake, but that will not protect Wells Fargo from state, federal, and international regulatory scrutiny. This incident makes clear why companies must invest in a data privacy policy and data governance overseen by a chief information officer.

Pathetically, the bank’s law firm that released the data blamed a third-party vendor that was hired to inspect the data before it was released. Ultimately, it is the responsibility of the bank to control its own information, and in this situation Wells Fargo did not follow basic compliance controls.