You did WHAT with my SSN?
Like many idiots, I bought my house at the peak of the real estate bubble, locking in a 30-year fixed rate mortgage at 6.375%. With escrow and taxes going up every year, and income going down (and no sign of a seller's market on the horizon), I decided recently that I HAD to refinance.
I looked at some online quotes and called my local credit union to see what kind of rates were being offered in general (nothing worth my time). Since I knew my combined credit and payment history put me in fairly good standing, I figured that my current mortgage holder, US Bank, would want a shot at keeping me as a customer. Besides, my local branch employees were known for their stellar service and since I already had a linked checking account set up with direct deposit and everything, staying with the same bank would save me the headache of rearranging everything with the HR department again.
I called the local branch and got the number for their mortgage rep, someone who had been highly recommended by an assistant manager. The mortgage rep, who I will call "Linda" for the sake of this story, spent two days a week at my branch and serviced other branches on other days.
I have to admit, when I first called Linda, I was impressed with her. She was efficient, calm, collected, and totally in control; she had the ultimate phone voice. She understood the bits and pieces of mortgages in a way that I will never hope to. She asked about my current rate, payments, goals, income; all of this was very standard, but her manner was so with-it that I felt like I was in good hands.
And then she asked me what my mortgage number was.
This was not an unreasonable question, and any person who is capable of reciting their own phone number without checking their address book would probably have had no problem providing this info. As for me, well, I can only remember the first three digits of my mortgage number on a good day. Scrambling, I tried to log into my online banking account to refer to the linked mortgage info, only to remember that I had managed to lock myself out of the online account the day before, entering the password incorrectly many times.
"I'm sorry, I don't have the number on me," I stammered.
"That's OK," said Linda, "I can look it up using your social security number. The bank database has all of your account info."
It should be noted that I have a very active imagination, so at this point, I'm picturing Linda sitting behind a large desk in her downtown office, wearing a headset, tapping my SSN into her sleek laptop, which is securely logged into the banking system via ultra-mega locked-down VPN. I also imagine that Linda is brunette. Please don't ask me why. These are details that I literally picture in my head, for no good reason at all.
I half-whispered my social security number over the phone line, always nervous that someone bad will overhear. Linda explained that she would have to send away for a bunch of data from headquarters, but that the mortgage application is usually returned within 24 hours, and that she would call me back early in the next week to schedule an appointment to go over the various mortgage options. I felt relieved. The burden of my mortgage has really been getting to me, and I'm looking forward to the possibility of any financial relief.
Early the next week, I found myself in the bank, making some deposits, and I noticed that Linda's usually-empty desk is occupied with someone who I assumed must be Linda herself. Having not heard back from her yet, I decided that, for once in my life, I was going to be proactive. I walked up to her desk, verified that her name tag read "Linda", and waited for her to finish doing whatever it was she was doing on her (sleekish) laptop. She tapped away, glancing at me as though my presence was not appreciated.
Linda is actually a bottle blond.
"Hi," I said, holding out my hand, "I'm Andrea Dickson, and we spoke on the phone last week about refinancing my mortgage. I was wondering if you had a chance to look at your schedule? Maybe we can set something up while I am here." I am amazed that I say the entire sentence without tripping over my words, as is my tendency.
"Oh," replied Linda, definitely looking less-than-thrilled, "I didn't get your mortgage number from you, so I was unable to retrieve your information. You said you were going to call back, but you never did."
I felt my head tilting to the side in the confused manner used by puppies who are encountering other animals for the first time. I reached into my purse, as though my mortgage number is simply floating around in there.
"No," I said, remembering our conversation, "I gave you my social security number, and you said that you were going to look up my mortgage info."
"Oh, I did say that, that's right." It was clear to me immediately that she hadn't even started the process. She reached into her bag, pulling out what, in my imagination, was surely going to be a leather-bound ledger book, with carefully written data about me and what I had told her thus far about my mortgage. Navy leather, is what I figured.
Not... a lined spiral-bound notebook with... were those doodles?
Linda turned to the back of the notebook, past pages and pages of notes written in large, blocky letters in purple ink, and there on the last page is "my" name, "ANDREA DIXON" along with my social security number, next to a drawing of what Linda apparently thinks a starfish looks like.
It didn't actually occur to me that Linda was going to be writing down my social security information to use at a later time. But something about seeing my personal data in a Gregg Rule Stenobook, alongside the personal information of other customers, seemed galling.
I didn't know what to say. While I hovered, Linda assured me that the information she was sending away for would be back within 24 hours. I contemplated making a scene, but because I am a wuss, I left the bank after pointing out that she had misspelled my name. Linda gave me a look that indicated that she didn't care how I spelled my name. I could tell that this was the beginning of a wonderful business relationship.
Back at my desk, pondering the issue, I decided to call Linda and ask if I could have that piece of paper with my data on it.
I hate confronting people. I hate confronting people. This was my mantra as I waited for Linda to pick up her line.
Linda answered the phone and I explained to her that I felt a little weird about my data, especially my full social security number, being written out in a notebook like that. I told her that I felt that the information was unsecure, and that if I had known that she was going to be writing it down, rather than entering it into a encrypted computer database, I would have called her back with my mortgage number once I located it.
Linda's tone was distinctly irritated. Who was I to question her methods? "I can assure you that your information is safe with me. I never leave my notebook lying around. That's illegal."
"Well," I said, struggling to be polite, "That's good. But I'd still feel more comfortable if you could give me that sheet of paper so I could shred it."
"I have other customer data on the page besides yours," snapped Linda, "Customer information that is as valuable and as important as yours is." This is clearly meant to comfort me; that Linda is being as irresponsible with her other customers' data as she is with mine, that all of us are at risk.
"I honestly don't know what to tell you to make you feel better. I've always kept records like this and I've never lost anyone's information. My briefcase has a lock."
This is good news, because no one has EVER successfully stolen a locked briefcase. It's a well-known fact that all locked briefcases immediately detonate upon being fondled by sinister hands.
"I carry files all over the place that have more customer data than I have for you. I have mortgage application files on me at all times." This is where Linda wants me to know that my piddling little social security number is of no great importance compared to other customers, who have handed over addresses, phone number, spouse names.
"I'm really uncomfortable with this," I say.
"Well, I can't give you the piece of paper. I can't give you another customer's data. If it makes you so uncomfortable, I can always cross out your social security number with a black marker, so if I lose my notebook, no one can read it."
This is a time-tested method of securing data that has NEVER failed. Now I can rest easy, knowing that should Linda misplace the notebook, which will not happen because it hasn't happened yet, no one will EVER be able to flip the page over and read the imprint of my social security number on the backside of the page.
The thing is, I'm sure Linda is a trustworthy employee. I doubt she runs around scrawling my SSN and name on bathroom stalls, and she is doubtlessly fairly careful with her notebook. But Linda could be a trained CIA killer who would rather die than have her personal notebook stolen and still manage to have the darn thing stolen. A briefcase full of files? Easily stolen. A steno book? Much. More. Easily. Stolen.
Wondering if perhaps I was overreacting, I called another branch of US Bank and inquired if it was common practice to write down customer's data in a notebook. Startled, the manager told me that while it was part of a mortgage professional's job to carry files that contained data, such data was not often stored in a notebook. When confonted with this information, my own branch's assistant manager assured me that he uses a notepad to write down all kinds of data from customers, from account numbers to social security numbers, and that he is very careful with how that data is handled. He didn't tell me how these notebooks are disposed of.
This doesn't sit right with me, but I am uncertain as to what exactly it is about the situation that I find so upsetting. Is it that Linda is extremely unfriendly and I am overly sensitive? I'm not even sure if any laws are being broken by Linda as a bank employee. I imagine that if a bank teller at the same institution wrote down my social security number on a piece of paper for the purposes of helping me with something, and then took the paper home, they would be breaking more than one law.
Truth be told, I can't find any specific laws relating to the banking sector and personal security. HIPAA might protect our personal data as it relates to our health, but the only federal law that might pertain to such activities isn't even a law yet, but still a bill being reviewed in the Senate. So much modern legislation deals with protecting our identities and information from digital breach, but what can we do to prevent employees from writing our social security numbers in giant purple in a notebook while running errands? I doubt Linda has a separate book with back-up notes that she can use to notify me if she DOES lose the notebook and my personal data falls into someone's less-trustworthy hands.
Here's the thing: I don't really know the legal implications behind this. The way that Linda, and apparently the other employees at my bank, are treating customer data may be well within the legal confines of their profession. But it shouldn't be. So much of the laws that are passed in this country are reactive. They deal with how to let customers know once their data has been stolen, usually electronically. I'd like to know what my bank is doing to keep my data FROM being stolen, and "we've never had a problem so far" is not a good method for ensuring data security.
The lesson, of course, is to never give out your social security number unless you absolutely have to, and even then, see if you can push back a bit. Because you simply never know.
What would you do in my situation? Do you think the measures undertaken here are secure enough for YOUR data?