The US bank is taking legal action to recover information, some of which is about wealthy clients, sent in error to a lawyer and client.

Wells Fargo says it is taking legal action to take back data mistakenly given to a lawyer, responding to a story saying information from thousands of clients, some of them wealthy, had been disseminated.

A lawyer for Gary Sinderbrand, a former Wells Fargo employee, had subpoenaed the California-headquartered bank as part of a defamation lawsuit against the employee, the New York Times reported. Sinderbrand had expected to receive emails and documents connected to the case.

However, on July 8 information sent to Sinderbrand went far beyond such items, to include what the publication called a “vast trove of confidential information about tens of thousands of the bank’s wealthiest clients”.

One of the divisions of Wells Fargo is Abbot Downing, which caters to ultra-high net worth individuals. The story did not specify if this part of the Wells Fargo business had been affected.

The NYT said the 1.4 gigabytes of files that Wells Fargo’s lawyer sent included copious spreadsheets with customers’ names and Social Security numbers, paired with financial details like the size of their investment portfolios and the fees the bank charged them. Most are customers of Wells Fargo Advisors, the arm of the bank that caters to high-net-worth investors. Sinderbrand says he has financial data for at least 50,000 clients. The publication went on to say that “the files were handed over to Mr. Sinderbrand with no protective orders and no written confidentiality agreement in place between his lawyers and Wells Fargo’s. While the documents were not filed in court, it would be perfectly legal for Mr. Sinderbrand and his lawyer to release most of the material or include it in their legal filings, which would then become part of the public record”.

However, the bank yesterday emailed Family Wealth Report, following a request for comment, to state that it is determined to get the data back as soon as possible. The bank told FWR: “Wells Fargo is currently taking swift legal action to ensure client data, which was inadvertently released to a lawyer as the result of a subpoena, is returned immediately. Additionally, Wells Fargo is seeking to prohibit the data from being disseminated. We take the security and privacy of our customers’ information very seriously. We are continuing to thoroughly investigate this matter and will take all appropriate steps based upon the outcome of our investigation.”

It is understood that the bank’s actions will go through state courts of New York and New Jersey. The matter is, FWR understands, being treated not as a data breach but an inadvertent production in a court case.

While it is being treated as a mistaken transmission of data rather than a loss caused by cyber-criminals, the affair again underscores concerns about security of information in banks and other financial services firms around the world. Jurisdictions such as the European Union are rolling out new data protection rules to curb abuses, while protection against cyber-thieves/hackers is a top priority issue in many firms (see a forthcoming Family Wealth Report event in New York City here).

The NYT item also said: “The disclosure is a data breach that potentially violates a bevy of state and federal consumer data privacy laws that limit the release of personally identifiable customer information to outside parties. State and federal regulations also require companies to notify customers when their information has been improperly released, as Wells Fargo may now do. And some of the accounts in Mr. Sinderbrand’s database are listed as having a foreign owner, which would potentially trigger a separate set of overseas regulations, such as Europe’s stricter privacy statutes.”