A certain branch president working at a not-so-small Kansas community bank (both intentionally unnamed here) recently sought to use some of his executive stock to fund a retirement account. The request spurred some internal discussion about policies and procedures, along with a pricing decision for the shares, both of which warranted input from the bank’s CPA partners and its external legal team.
The conversation volleyed between the relevant parties for a few days with a weekend stuck in the middle, and remained mundane until one of the bankers decided that “Jackie in the Trust Department” needed to be looped in. That’s when the whole conversation landed in my inbox.
I’m Jackie, too — not “Trust Department Jackie” though, but “former editor, member of the media” Jackie, retired. So there I sat in my home office, poring over the back-and-forth between bankers and CPAs, reading confidential data about the number of shares in question (48.59999), the presumed price per share ($645.69) and the end goal of the branch president (funding two $7,500 Roth IRAs). Yawn-inducing, all of it, except for the obvious internal slip-up.
Okay, everyone makes mistakes. And email auto-fill is such a time saver! Type just the first few letters of a name and auto-fill does the rest. Who doesn’t love saving keystrokes when you’re in a hurry? Sure, auto-fill might give you some options from which you must select the intended choice, but you’re paying attention, right?
Except … even after I was looped into the Kansas bank discussion over one man’s stock conversion, the conversation continued. I kept getting more input from the CPA and the CFO, who also serves as CIO. This told me nobody was even looking at the list of recipients that had been cc-ed along the way. Not the bankers. Not the CPAs. Nobody.
Security experts have been telling bankers for years that the weakest link in their cybersecurity defense is their own people. I have to agree, mostly because this has happened to me before.
A few years back, a Minnesota banker unintentionally looped me into an internal email that included a spreadsheet attachment containing customer data for its current CD holders. There it all was: customers’ names and addresses, CD amounts, maturity dates. What a blunder!
I quickly called the bank’s chair, who was stunned into silence when I told him what had landed in my inbox because someone at the bank presumably used auto-fill when internally circulating this data to a colleague also named Jackie.
I promised to delete the file and he thanked me for alerting him and for not telling our readers what they’d done. They say kindness is its own reward, but I kind of thought he might offer to buy me a cup of coffee out of gratitude. I had exercised tremendous restraint.
Bill de Blasio, the former mayor of New York City, once unintentionally included a New York Times reporter on a missive on the tardiness of the city’s subway system. That blunder resulted in a not-so-flattering article on why de Blasio was perpetually late to things.
Back to examining the Kansas bank’s string of messages, I spied the boilerplate language it includes at the bottom addressing confidentiality. It read: “If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information and note such actions are prohibited.” Hmmm. The disclosure didn’t lay out what prohibited an “unintended recipient” from engaging in such action, or what the penalty might be for non-compliance. In truth, I find it troubling to put the onus of restraint on the unintended recipient. Shouldn’t it be incumbent on the bank to act responsibly by not sending confidential information to people who have no business seeing it in the first place?
I didn’t extend the bank in Kansas the courtesy of alerting them to their error, but I truly hope “Trust Department Jackie” got the information she needed to do her job, and that the rest of you might take these examples as a reminder to slow down and check your work. Alternatively, don’t hire anyone named Jackie.