Wells Fargo accidentally releases private data
When a lawyer for Gary Sinderbrand, a former Wells Fargo employee, subpoenaed the bank as part of a defamation lawsuit against a bank employee, he and Sinderbrand expected to receive a selection of emails and documents related to the case.
But what landed in Sinderbrand’s hands on July 8 went far beyond what his lawyer had asked for: Wells Fargo had turned over — by accident, according to the bank’s lawyer — a vast trove of confidential information about tens of thousands of the bank’s wealthiest clients.
The 1.4 gigabytes of files that Wells Fargo’s lawyer sent included copious spreadsheets with customers’ names and Social Security numbers, paired with financial details like the size of their investment portfolios and the fees the bank charged them.
Most are customers of Wells Fargo Advisors, the arm of the bank that caters to high-networth investors.
By Sinderbrand’s estimate, he has financial information for at least 50,000 individual customers. In all, Sinderbrand said, these clients have tens of billions of dollars invested through Wells Fargo, all laid out in vivid detail for him as part of the discovery process in his lawsuit.
The files were handed over to Sinderbrand with no protective orders and no written confidentiality agreement in place between his lawyers and Wells Fargo’s.
While the documents were not filed in court, it would be perfectly legal for Sinderbrand and his lawyer to release most of the material or include it in their legal filings, which would then become part of the public record.
The documents were sent by Angela A. Turiano, a lawyer with Bressler, Amery & Ross, an outside law firm in Florham Park, N.J., hired by Wells Fargo, which is not a party to the suit.
Sinderbrand and one of his lawyers, Aaron Zeisler, notified Turiano on Thursday morning about the sensitive documents now in their hands.
In an email response, Turiano described the disclosure as “inadvertent,” and wrote, “Obviously this was done in error and we would request that you return the CD asap so that it can be properly redacted.”
Zeisler said his client intended to keep the CD secure and confidential. “We are continuing to evaluate his legal rights and responsibilities,” Zeisler said. “Wells Fargo has not identified what specific documents it asserts were inadvertently exposed.”
The disclosure is a data breach that potentially violates a bevy of state and federal consumer data privacy laws that limit the release of personally identifiable customer information to outside parties.
State and federal regulations also require companies to notify customers when their information has been improperly released, as Wells Fargo may now do. And some of the accounts in Sinderbrand’s database are listed as having a foreign owner, which would potentially trigger a separate set of overseas regulations, such as Europe’s stricter privacy statutes. “There are thousands of documents in here that the public should never see,” Sinderbrand said, noting that an unscrupulous recipient could have posted it online.