After reviewing Illinois and federal privacy law, it looks like the bank’s disclosure of the customer’s personal financial information could fall into an exception for disclosing such information to protect against fraud, and it also may fall into an exception for disclosing information in connection with processing a customer’s transactions.
Both federal and Illinois privacy laws include several exceptions to the general requirement to obtain a consumer’s consent before disclosing the consumer’s personal financial information. Under federal law, Regulation P includes an exception for disclosing information “to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability.” 12 CFR 1016.15(a)(2)(ii). Similarly, the Illinois Banking Act includes an exception for disclosing information “as necessary to protect against actual or potential fraud, unauthorized transactions, claims, or other liability” (this is almost identical to the exception under federal law). 205 ILCS 5/48.1(b)(18). It could be argued that the bank’s actions were necessary to avoid the potential perpetration of a fraud on the customer’s employer (and, potentially, resulting liability on the part of the financial institution), in that the customer appeared to the bank to have been misrepresenting the amount of the late fee that the employer had agreed to pay.
In addition, another exception from federal law may apply if the disclosure of the information was necessary to “effect, administer, or enforce a transaction.” 12 CFR 1016.14(b). This exception includes situations in which a financial institution must disclose information to “provide a confirmation, statement, or other record of the transaction . . . to the consumer or the consumer’s agent or broker.” If the consumer initially requested that the employer refund a late fee, the employer could be deemed to be the consumer’s agent for purposes of confirming the amount of the late fee.
Also, it is possible that the bank’s ACH agreement with the customer authorizes the bank to disclose the customer’s information in situations similar to this, and you should check for that.