I saw this today in my email preview of mail to be delivered to our home address, and it also looked the same when delivered today. My sister-in-law [who had lived with us until recently and who still receives some mail at our address] received a 1099 which was placed in a window envelope, and I might add not placed very well. Her social security number was plainly visible. I assume that had the document been stuffed correctly, that might not have been the case [or at least it would have taken a bit more effort to see it through the envelope...] Is this not a violation of privacy laws and would it in fact be the basis for legal action? I would be livid if it were my document. Just wondering what the take on this from all of you who have much more expertise in privacy matters than I do. Thank you for your time and input.

Who is going to see it?

Well, anyone involved from the time that the envelope was stuffed until the time it was delivered...and who knows how many people outside of the originator of the information and the intended recipient have had opportunity to lay eyes on [and make note of] the information, all along the way of the delivery process? All it takes is being seen by 1 dishonest person along the way...granted, an envelope which does not have windows could be opened, but the way this was handled is like an open invitation...you might as well have it on a billboard.

If anyone in this day and age does not believe that their social security number is not already available on the dark web, they are living in a fantasy world. But, by all means hire a lawyer and sue them. I wish you all the best of luck. Sort of hard to get a settlement if you cannot prove actual damages. Settlements are not usually based on "what ifs".

A cheaper and more rational approach would be to contact the credit bureaus and put a fraud alert or credit freeze on the credit file if we are that concerned about a possible breach of personal information.

The Gramm Leach Bliley Act or "Privacy Act" regulates financial institutions sharing non-public personal information for marketing purposes which requires the bank to offer consumers the right to opt-out of such sharing. It has nothing to do with accidental disclosure of personal information.

From a safety and soundness perspective, banks generally must have an incident response plan to address data breaches. These will have response requirements based on the volume of data and the likelihood that data was used to commit identity theft. In this case, as Randy notes, the likelihood is low. A call to customer service may be appropriate to advise the bank of what happened in case there is an issue with either in-house preparation of these documents or a third party. Most institution use machines to automatically stuff envelopes, so it is also likely that a human never actually touched this document as it was prepared.

Finally, one of the most common website that I see used for fraudulent debit card transactions is peoplefinder dot com. The bad guys search publicly available sources to obtain all kinds of information to commit ID theft including social security numbers. I'd be more concerned about that than I would a random person glancing at an envelope in the mail.

While I did not intend to convey an "ambulance chasing" connotation in my statement "basis for legal action," after recently taking some compliance courses about the importance of safeguarding customer privacy, I did wonder about potential implications for the providers and conveyors of the information.

Perhaps Brian may have touched on what I was going to ask in a follow up response. If we change this scenario just a bit to say that this information was received [in the condition described] by a very good customer of the bank who comes into the branch manager's office very concerned about the potential for breach of privacy. How would the bank need to respond appropriately in this matter? I would think that the action stated in Brian's first paragraph, with the bank bearing any related costs for doing so, would be an appropriate precaution. Hopefully in the interim no harm to the customer would have been inflicted if the information was obtained and used by another party or parties as a result of the exposure of the information.

Going forward, I would hope that any future mailings would be handled in much more discrete manner [that is, not using window envelopes which could expose easily such information]...

While I acknowledge that there are other ways in which personal confidential information can be obtained [and in my time colleges used to post test grades on the door by student's social security number] nonetheless I would think that due care and due diligence should still be exercised in these matters. Why make it even any easier for someone to obtain such information? It just takes the chance of the information being obtained by one person who in turn can inflict a great deal of harm. Of course, if a perpetrator is determined to obtain the information and is persistent enough, there is a good chance he information will be obtained. But why make it any easier for them?

have your SIL contact whomever sent the 1099 to her if she has concerns to at least alert them of the window envelope and the SSN being visible.

and let's not id ourselves here, almost every company that sends any type of tax information has on the outside of the envelope "important tax documents do not throw away" trying to alert people that it is valid mail and not junk mail. anyone can take any of those envelopes at any point as well and have the same SSN information just by opening the envelope.

Under privacy laws, is this acceptable?

I haven't found any requirements for the messaging located on envelopes. Often mail is sent with the "tax documents inside" or "information regarding your credit card" language along with the name of the financial institution.

Is there any compliance concern with this language on the outside of envelopes? I believe this is fine, but I'm curious what others think.

Thank you.

See the last paragraph on Page 15. The statement is required for some information returns.

https://www.irs.gov/pub/irs-pdf/i1099gi.pdf