Bank of America settles Countrywide data theft suits

Settling the biggest reported case of data theft by a financial insider, Bank of America Corp. will provide free credit monitoring, identity theft insurance and reimbursement for losses to as many as 17 million consumers who dealt with its Countrywide Financial mortgage unit.

The agreement was approved Monday by a federal judge in Kentucky. Bank of America, which acquired Countrywide in 2008, denied all allegations of wrongdoing, saying it had settled only to “avoid the additional expense and uncertainty of further litigation.”

The accord settles more than 30 lawsuits, including nationwide class actions, filed after the August 2008 arrest of Rene L. Rebollo Jr. of Pasadena, who worked for Countrywide’s subprime division, Full Spectrum Lending. Federal authorities said at the time that he downloaded customer files, including Social Security numbers, from the company’s computers onto thumb drives and sold the information to employees of other mortgage lenders for use as sales leads.

Rebollo has pleaded not guilty to charges of fraud, unauthorized access to the computer of a financial institution, illegal use of confidential information, and disclosing Social Security numbers. His trial is scheduled to begin Oct. 19 before U.S. District Judge Christina A. Snyder in Los Angeles. He is free on bond.

In the aftermath of Rebollo’s arrest, Bank of America offered free credit monitoring to 2.5 million customers of Countrywide, bank spokeswoman Shirley Norton said.

Under the terms of the settlement, those customers and roughly 15 million additional Countrywide borrowers and mortgage applicants will be offered credit monitoring, identity theft insurance and reimbursement for losses of up to $50,000.

Norton said she didn’t know how many people had reported actual financial breaches stemming from the data theft or how much the settlement would cost the bank. The company already is reviewing some claims, she said, adding that there was “no real way to tell until we have the final tally.”

Claims may be made by anyone who provided private information to Countrywide before July 1, 2008, or who had a mortgage that was serviced by Countrywide before that date.

Details are available at or by calling (866) 940-3612. The earliest date that claims can be filed is Sept. 7.

The Countrywide incident is one of 34 publicly reported data breaches since 2005 involving insiders at financial institutions, according to the Privacy Rights Clearinghouse in San Diego.

The largest previously reported case, involving information about 8.5 million customers of a Fidelity National Information Services subsidiary, occurred in July 2007.

“This blows that one completely out of the water,” said Rainey Reitman, a spokeswoman for the nonprofit group. All the other cases combined of data breaches by financial insiders involved information on about 11 million people, she said.

Joanne McNabb, chief of the California Office of Privacy Protection, said anyone notified about the data breach should take it seriously. A primer on what to do is available at the state agency’s website, Click on “Identity Theft” and then on the red-letter “Security Breach First Steps.”

The Countrywide case is disconcerting because it wasn’t the result of accident or oversight, McNabb said.

“It’s not like things leaked out,” she said. “They were snatched.”