Disclosing Customer Information

Answer by Ken Golliher: I assume you mean a bank employee repeated something in the community he had no right to repeat. It was something the employee's responsibilities entitled him to know, but he simply had no right to repeat it. The disclosure may have even been prohibited by bank policy.

There is no federal law which would automatically make the bank liable.

The federal Right to Financial Privacy Act controls financial disclosures made to the federal government. It does not govern employees making disclosures to private individuals.

Regulation P, and its parallel regulations (which implement GLBA's privacy provisions) are not a source of authority for prohibiting a disclosure other than an account number. All the regulation requires is that financial institutions give consumers written disclosures regarding their practices and, if they make disclosures other than those "allowed by law" they must give the consumer a chance to opt out. This is simply not a disclosure the consumer has a right to opt out of -- it was made by the employee, not the bank. Moreover, Regulation P does not provide for a "private right of action" -- e.g., a customer cannot sue a bank for violating regulation P.

The information security standards, which also came out of GLBA, require the bank to provide protections for customer information, but those protections are physical in nature. A bank could be in full compliance with all the concepts those standards address, but an employee could still make an impermissible disclosure.

In short, if an employee makes an impermissible disclosure and the customer threatens a suit, it will be under state law, not federal. Unless there is a state statute prohibiting such a disclosure, the customer may allege breach of contract, invasion of privacy or any number of theories. In addition, unless there is a statute or judicial precedent regarding punitive damages, the customer will have to prove actual damages in order to collect anything.