that kind of data around on the public Internet unencrypted in the
first place?
-- Lauren Weinstein
NNSquad Moderator
Lauren,
That was almost certainly a violation of the Gramm-Leach-Bliley Act. As a former IT manager for a credit card company, I used to sit across the table from quite a few government auditors. The Act's language was vague in parts, but it is reasonable to interpret at least a minimum requirement for end-to-end encryption of customer data whenever it leaves your LAN. I would think that using a Gmail account may have additional issues, given that the provider's terms allow Google to present ads based on your message's content. The whole thing sounds fly-by-night to me.
Andy Richardson