WWYD: The Privacy Breach

In this installment of “WWYD,” dealing with an accidental leak of private information:

My husband and I recently purchased a house. We had a miserable experience with our bank but, by anyone’s account, getting a mortgage is a totally miserable experience so we consider ourselves lucky to finally be on the other side and surrounded by our boxes. Yesterday, though, my husband received an email from our mortgage broker which included the entire mortgage application of a stranger. It included private financial and personal information. Needless to say this information could cause considerable damage in the wrong hands. (I believe there’s a film.) The broker immediately sent a follow-up email with the title “RECALL” but, obviously, the damage has been done. We feel that it’s our responsibility to report this error to her managers. Do we owe it to the potential borrower to let them know that their privacy has been compromised? Should we report the breach in privacy to anyone else? — K.

Back in 2009, a bank in Wyoming accidentally sent some confidential information of more than 1,300 customers to a random Gmail address. The bank sent another email to the Gmail address asking the person to destroy the information, and when the person didn’t respond for whatever reason, the bank persuaded Google to shutdown the random person’s email account (Google later reactivated the account when the case was later dismissed).

So yes, I would destroy the email with the stranger’s mortgage application and notify the broker immediately that I had done so. According to privacyrights.org, a nonprofit consumer advocate, most states have laws that require companies and financial institutions to notify individuals about incidents of unauthorized access to their personal data (see here for your state laws). It’s not your duty to notify the borrower about the privacy breach—it’s the mortgage broker’s. Whether or not you trust the mortgage broker to do so is another matter.

Financial institutions should also have a response program on hand to address security breaches that involve their customers. In the email to the mortgage broker notifying her that the private information has been destroyed, I’d also write something about being concerned about how my own personal information is protected, and ask how they respond to breaches. I’d ask if customers are notified when their personal data is accidentally leaked or compromised, and if supervisors are also notified about the breach. I’d write that I’d feel a lot better if a supervisor contacted me to let me know that that situation is being handled, and that steps are being taken to make sure that customers are being protected from any harm that could result from the breach. The onus should be on the mortgage broker to notify her managers and the customer affected. If you’re not given a satisfying response, you can also try complaining here.


Email me your WWYD experiences to me with “WWYD” in the subject line. See previous installments.



4 Comments / Post A Comment

NeenerNeener (#156)

I’d delete the email and then do nothing, unless I had it in for the broker, I guess. This sounds like an innocent mistake, and since I would know that the breach was to me, and therefore nothing would happen as a result, I wouldn’t be so intent on seeing someone punished.

sony_b (#225)

When we were buying our house last summer Bank of America required all offers go through their pre-approval process (legal? sorta, but still shady) and at the end they sent us the approval letter of somebody else who had made an offer, with many of their personal details. Their offer was lower than ours so we reported it to the manager of the person doing the approvals. I feel lucky that we didn’t have to deal with the ethics question of making a better offer based on knowing what the competition offered. I’ll assume that they didn’t send ours to them, because we did get the house.

In a totally random twist of fate, FHA appraised the house at a value less than either of our offers, and we were already in contract so we got it for 310 instead of 335. Real estate and banks are so screwed up in this country. Stuff we learned – the FHA appraisal is good for six months, and once it is written, it applies to any new buyers applying for an FHA loan within that six month period. You cannot get a loan for more than that amount in the FHA program. Our house was a foreclosure that had been on the market for 9 months before we made the offer – since there were no cash deals on the table it was easier to go with us and give us the FHA price than it would be to put it back on the market since that price was locked in for 90% of the possible future buyers.

MalPal (#1,200)

Their “supervisor” is just going to give them a warning not to do it again. It’s not worth the hassle.

Comments are closed!