Last August, I received an e-mail message from Bank of America reminding me that my credit-card payment was due in a week or so. I had a strong feeling this was legitimate and not a phishing scam, because it contained the last four digits of my credit-card number, my balance and the minimum payment in clear text. So I fired up my browser and typed in the URL from memory (never, ever click a link in an e-mail message purporting to be from your bank, even if you're sure you won't get phished).
I wanted to verify that I had not signed up for e-mail notification. I make it a point not to, but I might have missed something. I cruised through the preferences and couldn't find an e-mail option, so I called customer service and complained. The rep told me the bank had just enabled the service but hadn't updated the site. He went on to say that he would disable notification for me, though it might take two months. Why two months was beyond me, but I bit my lip and thanked him.
To the bank's credit, my name was removed immediately. Or so I thought.
In January, I received another e-mail notification with my account information. I clicked over to the customer service section of the site and typed an e-mail message, explaining how I had verified that I had not opted in to the notification service, yet I received a notification.
If your organization offers services over the Web, protecting your customers' privacy is paramount. Your organization has a legal and ethical responsibility to ensure that inadvertent leakages, however minor, don't occur. That means controls must be in place to ensure compliance with state, federal and company regulations and policies. BofA dropped the ball. Don't let your company do the same.
Mike Fratto, Editor