Wells Fargo headquarters in San Francisco. (Photo: AP)

Legal analysts, consultants and others are reacting to the news that an attorney working with Wells Fargo shared private information tied to more than 50,000 clients and advisors with a former Wells Fargo advisor.

Though the bank insists the leak of information was “inadvertent” and was caused by human error, not by a systemwide data breach, outsiders say the matter is extremely serious and requires significant changes in how the bank conducts business.

“Wells Fargo has made a monumental error,” said William H. Byrnes, an attorney who teaches at the Texas A&M School of Law, in an interview. “We’re now at the point where regulators have become involved over federal and state privacy concerns.”

There are cybersecurity concerns as well, says Byrnes, a regular ThinkAdvisor contributor.

“This raises red flags to me,” he said. “Was [the data] sent securely to or by the attorney? We are talking about Wells Fargo’s confidential information being sent [between different parties]. How did they do this via a third party? Was it sent securely to [their own outside] attorney” before it was shared it with the other side’s lawyer?”

The data was seen earlier in July by Gary Sinderbrand, a former managing director at Wells Fargo Advisors, who is involved in two lawsuits against his older brother Steven Sinderbrand, a managing director employed at Wells Fargo.

When data is passed on and shared with individuals like Gary Sinderbrand, for instance, it has not been properly secured, Byrnes points out, and “it seems like negligence.”

“This guy has a hammer … and can get [Wells Fargo] to the table” with it, Byrnes explained. “Who knows where [the private information] got siphoned off in the chain.”

Other observers agree.

“This feels sloppy at two levels,” explained Chip Roame, head of Tiburon Strategic Advisors, in an interview.

First, “I find it surprising how much apparently unrelated information was given to Wells’ own law firm,” Roame said. Then that firm passed it on to the plaintiff’s law firm.

“Such broad sharing seems like it will always lead to issues,” the consultant explained.

For its part, Wells Fargo says it is “taking swift legal action to ensure client data, which was inadvertently released to a lawyer as the result of a subpoena, is returned immediately.” In addition, the bank is “seeking to prohibit the data from being disseminated,” it says, as it takes the security and privacy of client information “very seriously.”

Corporate Matters

The fact that the data leak comes less than a year after Wells Fargo agreed to pay fines of about $185 million over up to 2 million fake accounts, also concerns Byrnes and Roame.

“We know that when a female bank manager said something was going on at the branch,” she was fired, Brynes said. “And she was not saying anything about what was going on at other parts of the bank,” even though the fake-accounts issue was widespread.

On Friday, however, the Labor Department ordered her to be rehired and required Wells Fargo to give her back pay of some $570,000.

“If a problem occurs once, I have to think it can be systematic,” Byrnes said. “I have to image that Wells Fargo is sending out [more data] without a protocol for this information being in place or it would have been secured” or locked.

The latest news, he adds, “does not make you feel comfortable with Wells Fargo,” he added.

Roame concurs.

“This feels extremely sloppy,” the consultant said. “I know Wells has made some recent moves to simplify its businesses and maybe that is an acknowledgement of its unwieldiness.”

For Byrnes, there are serious issues left to confront at the institution. “No one expect banks to unilaterally be sending out your information. You expect they are being probed [by hackers] and are doing their best to defend your data,” he explained.

For both the clients and their advisors, “This is not what they signed up for,” the attorney said.

He fears the information that has already been divulged could be leaked further. 

“Wells Fargo has not learned [from its issues] and does not seem to have protocols in place. This is systemic,” Byrnes explained. “They are not getting their compliance in order.”

Beyond its systems, the corporate culture also must change, he says, so that the company allows for feedback that can then be used to fix problems.

“No one who brings attention to problems should be afraid” of retaliation, Byrnes explained. “This will likely play itself out in other ways … and then they will finally get it.”

— Related on ThinkAdvisor: