When a lawyer for Gary Sinderbrand, a former Wells Fargo employee, subpoenaed the bank as part of a defamation lawsuit against a bank employee, he and Sinderbrand expected to receive a selection of emails and documents related to the case.
But what landed in Sinderbrand’s hands on July 8 went far beyond what his lawyer had asked for: Wells Fargo had turned over – by accident, according to the bank’s lawyer – a vast trove of confidential information about tens of thousands of the bank’s wealthiest clients.
The 1.4 gigabytes of files that Wells Fargo’s lawyer sent included copious spreadsheets with customers’ names and Social Security numbers, paired with financial details like the size of their investment portfolios and the fees the bank charged them. Most are customers of Wells Fargo Advisors, the arm of the bank that caters to high-net-worth investors.
By Sinderbrand’s estimate, he has financial information for at least 50,000 individual customers. In all, Sinderbrand said, these clients have tens of billions of dollars invested through Wells Fargo, all laid out in vivid detail for him as part of the discovery process in his lawsuit.
The files were handed over to Sinderbrand with no protective orders and no written confidentiality agreement in place between his lawyers and Wells Fargo’s. While the documents were not filed in court, it would be perfectly legal for Sinderbrand and his lawyer to release most of the material or include it in their legal filings, which would then become part of the public record.
The documents were sent by Angela A. Turiano, a lawyer with Bressler, Amery & Ross, an outside law firm in Florham Park, New Jersey, hired by Wells Fargo, which is not a party to the suit. Sinderbrand and one of his lawyers, Aaron Zeisler, notified Turiano on Thursday morning about the sensitive documents now in their hands.
In an email response, Turiano described the disclosure as “inadvertent,” and wrote, “Obviously this was done in error and we would request that you return the CD asap so that it can be properly redacted.”
Zeisler said his client intended to keep the CD secure and confidential. “We are continuing to evaluate his legal rights and responsibilities,” Zeisler said. “Wells Fargo has not identified what specific documents it asserts were inadvertently exposed.”
The disclosure is a data breach that potentially violates a bevy of state and federal consumer data privacy laws that limit the release of personally identifiable customer information to outside parties.
State and federal regulations also require companies to notify customers when their information has been improperly released, as Wells Fargo may now do. And some of the accounts in Sinderbrand’s database are listed as having a foreign owner, which would potentially trigger a separate set of overseas regulations, such as Europe’s stricter privacy statutes.
“There are thousands of documents in here that the public should never see,” Sinderbrand said, noting that a less scrupulous recipient of such data could have easily posted it online.
Reached Friday, a day after Turiano was made aware of the issue, a spokeswoman for Wells Fargo Advisors, Emily Acquisto, released the following statement: “Wells Fargo takes the security and privacy of our customers’ information seriously. We are investigating this matter and will take the proper steps based on the outcome of our investigation.”
Turiano and a spokeswoman for her firm did not respond to requests for comment.
The New York Times was shown large portions of the data and confirmed that it included what appeared to be clients’ names, unredacted Taxpayer Identification Numbers, assets under management, portfolio performance, mortgage information and details on 529 education savings plans.
One file, for example, contained details on the holdings of a well-known hedge fund billionaire who had at least $23 million invested through Wells Fargo Advisors.
The files also include extensive information on financial advisers employed by Wells Fargo: their performance, their compensation and their client lists. One typical record showed the full roster of one adviser’s client book and his commissions for the past year, totaling $1.5 million.
Based on the fairly narrow subpoena that his lawyer submitted – it sought communications about Sinderbrand’s employment and compensation – there was no reason for the bank to turn over such information, especially without any redactions, Sinderbrand said.
“This is a public policy issue,” he said. “They have to find out what happened and how it happened. Did it happen before, and could it happen again?”
Sinderbrand, 61, has an acrimonious history with Wells Fargo. He worked at the bank as a financial adviser until 2013, when he said he resigned to work for a health technology startup. In 2016, he reached a settlement with the bank to resolve lingering financial issues related to his compensation. He later sued the bank, saying it violated a confidentiality clause in that agreement. That case is pending in New York State Supreme Court in Manhattan.
The documents that Wells Fargo gave to Sinderbrand’s lawyer were sent in response to a subpoena in a separate defamation lawsuit proceeding in New Jersey against one of his brothers, who works at the bank.
The disclosure of so much sensitive material comes amid heightened concern about the ease with which personal information can be hacked, leaked or accidentally divulged. Banks are supposed to have extensive internal controls to protect clients’ data.
Wells Fargo’s internal controls are under particular scrutiny after a false-accounts scandal came to light last year. The company disclosed that its employees, trying to meet aggressive sales goals, opened as many as 3.5 million unwanted bank and credit card accounts for customers without their knowledge, and agreed this month to pay $142 million to settle a related class-action suit.
In terms of information security, litigation poses a special risk because confidential material often must change hands. The legal industry’s best practices for handling digital documents in discovery – “e-discovery,” as lawyers call it – include careful reviews to exclude or redact personally identifiable information, encryption and other safeguards as data is transferred.
Confidential information is also often covered by a protective order, which must be granted by a judge, to prevent the data’s recipients from sharing it more widely. None of that seemed to have happened here, reflecting a breakdown in vetting at multiple levels.
In Turiano’s email to Sinderbrand’s lawyer, she wrote: “We went through a long process of a very large email review with an outside vendor with instructions on exclusion which was spot checked. Clearly there was some type of vendor error – which I am confirming now.”