When Customer Data Is Lost: Responding to the Breach

May 22, 2006
Law allows delay in notifying customers of security breach

May 21--It looked like any other piece of junk mail.

The letter, addressed to Wells Fargo Home Mortgage customers, arrived this month. It informed them that, "regretfully, we have learned that a computer, which contained information about you including your name, address, Social Security Number and your Wells Fargo Home Mortgage loan account number, is missing and may have been stolen."

That's unsettling enough. But the letter also contained a line stating that law enforcement investigators "directed us to delay notifying all affected customers because they were concerned it would jeopardize their investigation."

Both federal and Texas law make clear that companies like Wells Fargo Home Mortgage are required to quickly release information to customers about any possible security breach. However, Texas law, like federal law, allows a delay "at the request of a law enforcement agency that determines that the notification will impede a criminal investigation."

The Texas law, which took effect last year, adds: "The notification shall be made as soon as the law enforcement agency determines that it will not compromise the investigation."

There's no way to know how many people's data were potentially placed at risk -- Wells Fargo won't say. The Watchdog learned of the breach, and the delay, because one of the letters went to Star-Telegram senior writer Pete Alfano.

"I feel the obligation is to immediately notify the customers," Alfano says. "I don't know how it could compromise the government's pursuit when customers take steps to make sure their identity is not stolen. I just don't understand that."

It's a good question -- one I put to Wells Fargo Home Mortgage spokesman Kevin Waetke.

Because no one has tried to use the stolen information, he said, law enforcement authorities have concluded that the thief probably stole the computer for the hardware and not for the information stored on it.

As soon as Wells Fargo was allowed to release the information to customers, the company did, Waetke said.

Yet for a company that has suffered several high-profile security breaches involving stolen equipment and information containing details about its customers, Wells Fargo is not particularly forthcoming.

The spokesman will not say where the theft occurred, when it occurred or even which law enforcement agency is investigating. He won't divulge how many customers are affected, saying only that it's "a relatively small percentage" of 5.7 million home mortgage customers.

The company will only disclose that a computer being shipped from one Wells Fargo facility to another by "a global express shipping company" never reached its final destination. However, last week, The Times, a Trenton, N.J., newspaper, reported that the theft occurred in Oklahoma City and that the Secret Service is investigating.

Mark Lowery, head of the Dallas office of the Secret Service, declined comment on the Wells Fargo case but did explain, in general terms, why law enforcement likes to keep initial reports of security breaches quiet while an investigation gets under way.

"Generally that may mean we have a suspect, and by releasing that information, it would tip the suspect or the people actually hacking into this information that law enforcement is working on it or may have leads on it."

Or as Robert Webster, chief of the criminal division of the U.S. attorney's office in the Northern District of Texas, told me: "If those particular files are [used], you know it's going to be used by a bad guy instead of a legitimate customer."

Tom "Smitty" Smith, director of the Texas office of Public Citizen, said withholding such information from customers puts them at a disadvantage in protecting their personal information.

"This is like being shot, and the law enforcement people saying you can't get sewn up," Smith said. "Without the knowledge that your identity and financial information have been stolen, you can't stop the bleeding."

In this case, the Wells Fargo spokesman said that because the identity information on the stolen computer has apparently not been compromised, law enforcement no longer sees it as a threat.

Wells Fargo says the computer's information is protected by "two layers of security, making it difficult to access the information."

Wells Fargo is offering customers who received the letter a free one-year subscription to a credit protection service -- now an industry standard that companies hurt by security breaches offer their customers.

The Watchdog checked the public record and found that this is at least the seventh potential breach of security involving Wells Fargo Bank or its affiliated companies. Here are some others that we know about:

In November 2003, a laptop stolen from a consultant contained confidential information about 201,000 Wells Fargo customers.

In February 2004, a computer theft from a rental car driven by two bank employees involved data of nearly 38,000 customers.

In March 2004, a computer theft from a bank office involved data for 35,000 Wells Fargo customers.

In October 2004, four computers stolen from the office of a bank affiliate involved personal data for 460,000 Wells Fargo customers.

In November 2004, Wells Fargo told customers that three computers with personal loan and mortgage information had been stolen from an Atlanta office.

In April 2005, Wells Fargo notified customers that personal account information might have been sent to other customers by mistake.

Two Wells Fargo customers in Minnesota filed a class-action lawsuit in federal court on behalf of Wells Fargo customers.

The customers' lawsuit claimed that Wells Fargo ought to be liable for emotional distress because customers worried that their identities would be stolen. They claimed that the company should pay them damages because they had to spend extra time monitoring their credit reports.

In March, a U.S. district judge ruled that Wells Fargo was not negligent because the information was never used by thieves to harm anyone.

Alfano, holding up the letter he received from his mortgage lender, says he understands the anxieties felt by customers.

"Today's realities, you know?"