Disclosing Financial Information in an Email

I work for an organisation that manages investments on behalf of our clients. We currently email statements, in the form of PDFs, to a significant percentage of our clients each month. The rest receive their statements via snail mail. These statements contain information about income and expenditure against their account over the prior month.

Always looking for ways to enhance the customer experience (!) there’s a move afoot internally to present a summary of the contents of each statement as a “dashboard” section in the email that we send out with the statement.

My view is that if we do that, we’re effectively sending unprotected financial information in a form that is readily visible/accessible to anyone who cares to look. And surely this is going to fall afoul of some law somewhere, in addition to pissing off clients who feel strongly about this kind of thing.

The countervailing argument being run internally seems to be that (a) there’s no information that constitutes a security risk to the recipient (ie no account details, PINs or passwords), and (b) the information in the dashboard is already available in the attached unprotected PDF file for anyone to access, so what’s the difference in having it in the email body.

Am I being over cautious??

What if an email is rerouted by mistake? An incorrect address?

Just because you are not transmitting PINs or passwords does not mean you are not transmitting PII - personally identifiable information. Identity theft is on the rise so transmitting PII may cause a client to have their identity stolen, along with their money.

Do you have a secure area on your company’s web site where your clients can access the information, at the time of their own choosing? An email to clients informing them the latest statement is available is much more secure than transmitting that data in an email.

Duckster gives good advice. Most financial services companies send a notice e-mail that a statement is ready for download. Click the link, and you are taken to the sign-in page. You are still responsible for entering your userid and password. Thus, if you are accessing the website in an unsecure manner, that is not the company’s fault.

Of course, fraudsters can always spam people with false statement alerts linking to a false website, so no system is perfect.

We already offer the functionality for clients to log in and view statements and the like. The dashboard in the email is seen by proponents in the business as a step forward, making accessing those details more easy. When drawing their attention to the fact that other financial institutions require passwords, proponents of the dashboard idea call it a limitation rather than a good thing.

We’re a small company out of the mainstream of big corporate thinking. We also don’t have an appetite to seek “expensive” legal opinion unless completely necessary. The research that was done to see whether this was an acceptable idea was to ask an employee with a reputation for being persnickety. She had no objections, so it was given a tentative green light. I see it as a train crash waiting to happen, and wonder at moral and legal considerations that have not been adequately considered.

For what it’s worth, Duckster’s response is right on the money for the industry standard.

It may be somewhat alarmist to say that identity theft is a possibility if the statements really do contain no PII other than the account balance (though I’m betting that their name or something is on there). But you can bet that at least some people will be unhappy with the possibility of someone seeing their account balance anyway. People are very (rightly) sensitive about that sort of thing.

On the other hand, they’re right about the information being no more secure in an unencrypted pdf that’s attached to the email. Your current process is a bad idea too.

I would also hope that sending those statements by e-mail is something the customer has to explicitly ask for, not something that happens by default! Even if they are asked for I would still say it is horribly bad practise, but in that case at least the customer is asking that something risky be done. Be careful what you wish for and all that.

Does your company have a privacy policy? Since clients can log into your website to view statements, you are collecting personally identifiable information and are subject to state and federal online privacy laws. Assuming that you have a privacy policy, it should say that you’ll do your darnedest to protect their information, which you’re clearly not doing. If you don’t have a privacy policy, you need one yesterday. You may even have to hire some of those expensive lawyers.

I did get a laugh out of the concept that your company uses the “Mikey Hates Everything” approach to market research.

I’ll just add that I have a couple of credit cards that list my balance and minimum payment in my monthly payment reminder email.

I can’t say that I really have a problem with it.