Lawsuit, Unions Press Bank Over Data Breach

New London Day
Lee Howard
June 07, 2008

Wayne Camarro of Rocky Hill worries that the Bank of New York Mellon data breach that came to light last month will affect his credit.

“It's driving me crazy,” he said. “I go to great lengths to keep this data safe by shredding my mail and not giving out my Social Security number, and they put it on a tape without even encrypting it.”

Camarro, a depositor and investor with Bridgeport-based People's United Bank, is among an estimated 556,000 people statewide and 4.5 million nationwide to be affected by the data breach, which occurred in February when an unattended truck apparently was broken into, and a tape went missing. Just last week, a Pittsburgh newspaper reported that a second BNY Mellon breach had affected 47 businesses and an untold number of individuals.

This week, a 500,000-member, New York-based labor union called UNITE HERE emerged to push the bank to develop a secure system of dealing with confidential data as well as a transparent way to get assistance related to the breach. The organization, which has been supporting members on strike at a Bank of New York cafeteria managed by Aramark Corp., has developed a new Web site, lostbankofnewyork.net, for consumers to find information and monitor the bank's response to the data breach.

Among the links provided on the Web site is one that details a class-action suit filed by the Connecticut law firm Stratton Faxon against BNY Mellon and People's Bank, alleging negligence and invasion of privacy, among other charges. People's Bank has numerous branches across eastern Connecticut.

David Barley, chief technology officer at Casdex, a data-security firm based in Los Angeles, said financial institutions like BNY Mellon need to take a look at what data they keep and decide whether and how to save it.

“Tape encryption is important,” Barley said. “Just because you were doing it this way (without encryption) 10 years ago doesn't mean you don't have to think about it any more.”

Barley also suggested that putting the information on an encrypted digital archive platform would be preferable to storing data on tapes. But in his experience, information technology departments are often hesitant about change, continuing to back up information that should have been deleted ages ago.

“The IT folks are nervous,” he said. “They don't want to be the guy who lost the data.” And banks don't want to lose data, either, especially now that they are required to file notification with state authorities after a breach that may lead to identity theft.

“As sad as this may sound, what motivates companies is not the data loss but the publicity that surrounds it,” Barley said.

State Attorney General Richard Blumenthal has called for an investigation of the incident and has criticized BNY Mellon for not providing information quickly enough to consumers. The breach occurred in late February, but most People's Bank customers didn't start getting notifications until last week, though others received notice as early as March. Blumenthal pushed for - and BNY Mellon eventually agreed to supply - two years of free credit monitoring, including $25,000 in identity theft insurance, as well as free credit freezes to help consumers deal with the breach.

“Thankfully,” Blumenthal reported, “there are no reports of identity theft, but the risk may last months or years.”