When Customer Data Is Lost: Responding to the Breach

Law allows delay in notifying customers of security breach


May 21--It looked like any other piece of junk mail.

The letter, addressed to Wells Fargo Home Mortgage customers, arrived this month. It informed them that, "regretfully, we have learned that a computer, which contained information about you including your name, address, Social Security Number and your Wells Fargo Home Mortgage loan account number, is missing and may have been stolen."

That's unsettling enough. But the letter also contained a line stating that law enforcement investigators "directed us to delay notifying all affected customers because they were concerned it would jeopardize their investigation."

Both federal and Texas law make clear that companies like Wells Fargo Home Mortgage are required to quickly release information to customers about any possible security breach. However, Texas law, like federal law, allows a delay "at the request of a law enforcement agency that determines that the notification will impede a criminal investigation."

The Texas law, which took effect last year, adds: "The notification shall be made as soon as the law enforcement agency determines that it will not compromise the investigation."

There's no way to know how many people's data were potentially placed at risk -- Wells Fargo won't say. The Watchdog learned of the breach, and the delay, because one of the letters went to Star-Telegram senior writer Pete Alfano.

"I feel the obligation is to immediately notify the customers," Alfano says. "I don't know how it could compromise the government's pursuit when customers take steps to make sure their identity is not stolen. I just don't understand that."

It's a good question -- one I put to Wells Fargo Home Mortgage spokesman Kevin Waetke.

Because no one has tried to use the stolen information, he said, law enforcement authorities have concluded that the thief probably stole the computer for the hardware and not for the information stored on it.

As soon as Wells Fargo was allowed to release the information to customers, the company did, Waetke said.

Yet for a company that has suffered several high-profile security breaches involving stolen equipment and information containing details about its customers, Wells Fargo is not particularly forthcoming.

The spokesman will not say where the theft occurred, when it occurred or even which law enforcement agency is investigating. He won't divulge how many customers are affected, saying only that it's "a relatively small percentage" of 5.7 million home mortgage customers.

The company will only disclose that a computer being shipped from one Wells Fargo facility to another by "a global express shipping company" never reached its final destination. However, last week, The Times, a Trenton, N.J., newspaper, reported that the theft occurred in Oklahoma City and that the Secret Service is investigating.

Mark Lowery, head of the Dallas office of the Secret Service, declined comment on the Wells Fargo case but did explain, in general terms, why law enforcement likes to keep initial reports of security breaches quiet while an investigation gets under way.

"Generally that may mean we have a suspect, and by releasing that information, it would tip the suspect or the people actually hacking into this information that law enforcement is working on it or may have leads on it."
