Missing Bank Files Cause Customer Angst

CT Law Tribune
Christian Nolan
June 06, 2008

Here's a recipe for sleepless nights: Computer files containing your personal information and banking data are lost. The information could potentially be a gold mine for identity thieves, who could run up debts in your name, destroy your credit rating and ruin your good reputation.

Even worse: There's no quick resolution. These thieves are known to be patient and may wait years before striking. And so potential victims have two options.

Toss and turn. Or sue.

There's been a wave of class action lawsuits for "companies failing to protect people's data," said Scott Kamber, of KamberEdelson's New York office, a go-to firm in a practice area dubbed "consumer protection for the digital age."

Wading into such a fray is attorney Michael A. Stratton, of New Haven's Stratton Faxon, who is involved with two lawsuits seeking class-action status, filed in New Haven against banks that have allegedly mishandled customers' personal and banking information.

The most recent case involves the Bank of New York Mellon, which lost data tapes containing account information for about 4.5 million people, including 500,000 customers of Bridgeport-based People's United Bank.

Customers weren't notified until three months after the data was lost. Even then, Bank of New York Mellon officials offered few other details.

"The bank didn't notify any banking commissioner or any of its customers. I guess [officials were waiting] to see if they could find it," Stratton said.

Some frustrated People's customers contacted Stratton, who filed a lawsuit accusing banks of negligence, invasion of privacy, and a violation of the state's Unfair Trade Practices Act.

Since then, Stratton said he's been bombarded with phone calls and e-mails from more bank customers at his office and home. "People are really panicked," said Stratton.

He said that every piece of information that an identity thief would need is on the bank's missing files, including addresses, bank account numbers and social security numbers. "All the critical, critical data," Stratton said.

Transportation Issue

The link between the New York and Bridgeport banks is that People's hired Bank of New York Mellon Shareholder Services last year to handle some matters as People's switched from a mutual bank, which is owned by depositors, to one that is publicly traded.

BNY Mellon told Connecticut officials that a box with back-up bank tapes was lost in February from a truck that transports tapes to a storage facility. Connecticut law requires banks to immediately notify customers when such information is lost.

Connecticut Gov. M. Jodi Rell said Bank of New York Mellon did not quickly notify People's of the security breach. Attorney General Richard Blumenthal said he had to put the pressure on the banks just to offer the short-term credit monitoring.

"We have demanded Bank of New York Mellon give a complete, comprehensive account of this data breach. The bank must explain to consumers how it lost their information, why it took so long to inform them and law enforcement and how it will prevent future data breaches," said Blumenthal.

William J. Wenzell, of Pullman & Comley's Bridgeport office, is representing People's United Bank. He blamed the problems on BNY Mellon.

"The data in question, when turned over to BNY Mellon, was provided in an encrypted format by People's Bank and the loss of data, as we understand it, occurred by BNY Mellon when it was archiving its records, not while in the process of using its data for People's United Bank," Wenzell told the Law Tribune.

BNY Mellon has not commented on the suit, other than to say there is no evidence that the data has fallen into the wrong hands or has been used to harm customers.

Stratton is seeking seven years of credit monitoring, credit insurance and other damages for his clients. He also wants an injunction that would require the banks to use encryption techniques that would prevent hackers or identity thieves from accessing computer files that might be misplaced in the future. Stratton maintains the lost information was not encrypted, nor even protected by a password.

Stratton had already filed a similar lawsuit solely against People's Bank for dumping bank files with customer information in open garbage Dumpsters. He filed the suit after one customer found files near 40 different bank branches.

"There's no protocol for redacting documents before throwing them out," said Stratton, who in that suit is seeking credit monitoring and shredders at all branch offices.

Wenzell, of Pullman & Comley, is representing People's in the paper files case, too. "There's no information to show any of that data was misused or any customers were harmed in any way," he said.

'Mind-Boggling'

New York's Scott Kamber is not surprised by the events in either lawsuit. He's seen both situations before, plus others dealing with mishandled data.

In 1998, Kamber sued Geocities, a web-hosting service, for selling customers' personal identifying information in breach of its customer policy.

More recently he led the class action suit against TD Ameritrade Holding Corp. after one of the company's databases was hacked into and the contact information for roughly 6.3 million customers was revealed. The suit was filed last fall and Kamber said a settlement is pending before a judge.

Kamber called the accusations involving the New York and Bridgeport banks "mind-boggling." Speaking metaphorically about electronic data security, he said: "Companies are paying a lot of money in order to lock the front door, but in so doing they left all the windows in the first floor open and in some instances left the keys in the door."

"It's a very fast developing area of the law," said Kamber, adding that such cases are difficult for plaintiffs' attorneys to bring "because they require certain technical expertise about how [the data loss] happened." He said the lawyers also need enough expertise to know what remedies to request for their clients.

Kamber has had his hand in similar class action suits against Sears, Roebuck & Co., and AT&T. In the Sears case, anyone could type a person's name on the company's web site and access his or her purchase history. "With each settlement, we're able to define legal rights that pertain to the relations between corporations and individuals in the digital age," Kamber said.

Stratton, who is monitoring the TD Ameritrade settlement, is hopeful for quick settlements in his cases as well, so safeguards can be put in place. "A quick resolution will allow a lot of my clients to sleep better at night," said Stratton.