We believe that the automatic email sent to online loan applicants should be sent through the bank’s secure, encrypted email system. In our view, the emails would contain enough information about the customer to justify the added protection; even the fact that someone applied for a loan for the bank would be considered “personally identifiable financial information” subject to protection as “nonpublic personal information” under Regulation P. 12 CFR 40.3(o)(2)(d).

For example, if such an email were to fall into the wrong hands, someone could use that information to impersonate the customer and induce bank employees to reveal further confidential information about the account (a process known as “pretext calling” or “social engineering”). See FFIEC IT Examination Handbook, Information Security, Security Controls Implementation, Authentication; OCC 2000-14, Infrastructure Threats — Intrusion Risks: Message to Bankers and Examiners (May 15, 2000).

Also, note that the Interagency Guidelines Establishing Information Security Standards recommend the “[e]ncryption of electronic customer information, including while in transit.” And, if the bank chooses to encrypt any electronic information, then it might be exempted from the data breach requirements of the Personal Information Protection Act. 815 ILCS 530/5.