March 11, 2005

Mike Fratto

Last August, I received an e-mail message from Bank of America reminding me that my credit-card payment was due in a week or so. I had a strong feeling this was legitimate and not a phishing scam, because it contained the last four digits of my credit-card number, my balance and the minimum payment in clear text. So I fired up my browser and typed in the URL from memory (never, ever click a link in an e-mail message purporting to be from your bank, even if you're sure you won't get phished).

I wanted to verify that I had not signed up for e-mail notification. I make it a point not to, but I might have missed something. I cruised through the preferences and couldn't find an e-mail option, so I called customer service and complained. The rep told me the bank had just enabled the service but hadn't updated the site. He went on to say that he would disable notification for me, though it might take two months. Why two months was beyond me, but I bit my lip and thanked him.

To the bank's credit, my name was removed immediately. Or so I thought.

In January, I received another e-mail notification with my account information. I clicked over to the customer service section of the site and typed an e-mail message, explaining how I had verified that I had not opted in to the notification service, yet I received a notification.

I understand that mistakes are sometimes made, and BofA was responsive when I complained the first time. But the problem recurred five months later. This is a serious business issue for BofA because it may have violated the customer-privacy provisions of the Gramm-Leach-Bliley Act and the Federal Financial Privacy Law, and BofA certainly violated its own privacy policy and service agreement by sending information about my credit-card account without my authorization. A survey of 1,000 customers last spring by the Gallup Organization and American Banker magazine indicated that 60 percent of consumers are concerned that their primary financial institution might release their personal information without their consent.

If your organization offers services over the Web, protecting your customers' privacy is paramount. Your organization has a legal and ethical responsibility to ensure that inadvertent leakages, however minor, don't occur. That means controls must be in place to ensure compliance with state, federal and company regulations and policies. BofA dropped the ball. Don't let your company do the same.

Mike Fratto, Editor

Mike is Editor of Network Computing and is track chair for Interop's Data Center and Storage tracks. He has been with TechWeb for over 11 years and has extensive experience evaluating ...