#2000497 - 03/09/15 03:14 PM bank emailed customer names and account numbers
river girl Offline
Diamond Poster
Joined: Nov 2004
Posts: 1,005
We have an employee that sent a list of 20 customer names and account numbers to one of our customers inadvertently.
He called the customer and explained the error and asked them to delete the email.

Do we need to call our regulator and also notify each of these customers? Our procedures don't address when it is our error versus a data breach.

#2000597 - 03/09/15 06:40 PM Re: bank emailed customer names and account numbers river girl
RockChucker, CAMS Offline
Diamond Poster
Joined: Jul 2013
Posts: 1,700
The Country
I am going to add my circumstance here since it seems appropriate. I received an email from a very large institution that does business with a large % of banks in our nation. In the email was a spreadsheet that listed a small number of our accounts that were affected by an error from their system. As I was manipulating the spreadsheet I discovered there were over 35,000 different customers and account numbers listed from all sorts of banks in this sheet. What should I do?



P.S. I love it that BOL has now added spell check to this program!
_________________________
A successful man is one who can lay a firm foundation with the bricks others have thrown at him.
-David Brinkley

#2000600 - 03/09/15 06:45 PM Re: bank emailed customer names and account numbers river girl
JWills, CRCM Offline
Diamond Poster
Joined: May 2013
Posts: 1,782
The Mitten State
In my recent request list for an upcoming FRB exam, there were about a half dozen names for loan files for people that don't even exist on our system. After reporting to my EIC, I received a new list.
_________________________
Nonsense wakes up the brain cells.

--Dr. Seuss

#2001080 - 03/11/15 09:30 PM Re: bank emailed customer names and account numbers river girl
MtnHiker Offline
Member
Joined: Dec 2014
Posts: 86
New England
My locality has strict laws about data breaches and loss of personally identifiable information. This would probably fall under the category of something that is reportable under those statutes. The risk of not reporting the loss is that if it is found out that this loss occurred, you may have to answer for not reporting it. YMMV in your locality.

Unencrypted email (including attached files) is about as secure as putting the account numbers on a post card and hoping no one reads them in transit. Every server that email touched between your system and the recipient's as it hopped across the internet is potentially a point of compromise.
_________________________
Nothing I say should be considered legal advice or the opinion of my employer.

#2003381 - 03/23/15 06:47 PM Re: bank emailed customer names and account numbers river girl
RockChucker, CAMS Offline
Diamond Poster
Joined: Jul 2013
Posts: 1,700
The Country
Thanks MtnHiker. As I was looking at this more I realized I forgot to mention that the spreadsheet was password protected, but I still don't feel comfortable. We only have about 10 accounts listed, but as I mentioned I now have account information on @ 35,000 other individuals who bank around the country at many, many banks.

I don't like the idea that there might be others like me who have this data and might choose to do something shady with it.
_________________________
A successful man is one who can lay a firm foundation with the bricks others have thrown at him.
-David Brinkley


Moderator:  Andy_Z