
Information Protection: Everybody's Job

"How Did They Find Out? I'm Going To Sue!"
"What Can I Tell? And To Whom?"
by Jim Incaprera

Every person in every financial institution must protect confidential or sensitive information from disclosure to unauthorized persons. It's everybody's job.

Who's looking for information?

  1. The Competition
    First, in today's highly competitive environment, financial institutions are very interested in the internal and external activities of their competitors. As a result, there are corporate spies whose goal is to obtain information about your institution's plans. For example - have you ever gone to great expense putting together a marketing campaign, only to be beaten to the punch by one of your competitors?

    Did they know about your plans? How did they find out? There are many possibilities. A secretary may have typed drafts of the marketing plan for management's review and then mentioned the plan to a friend - who is employed by the competitor. An executive may have discarded a draft of the plan in the office trash. Once this document enters the regular waste stream, many people (including your competition) may have access.

  2. Law Enforcement
    Second, law enforcement officers may be interested in obtaining information. They sometimes need access to our information to assist them in investigating a variety of crimes. Security officers may be sympathetic to their information needs but must still use caution. If law enforcement officers obtain this information improperly, their cases can be thrown out of court or the evidence may be ruled inadmissible. In addition, the customer whose information was improperly disclosed may also sue the financial institution for civil damages for a violation of privacy rights.

  3. Crooks, Thieves, Con Artists
    A third type of individual who wants to obtain our customers' information is the professional "dumpster diver". These are con artists who discovered they can make split deposits using counterfeit or otherwise worthless checks if they can get a real customer's name and account number. In addition to performing fraudulent split-deposit transactions, these individuals can use this information to create fictitious accounts or to apply for loans.

    All three of the above are interested in locating a financial institution that does not follow effective information protection practices. If information gets out, the financial institution is the loser. The loss can be measured in both tangible and intangible ways, including the judgments assessed against us, missed client development opportunities, and fraud.

Create an Information Protection Program
You can proactively minimize the possibility of becoming a victim by implementing an information protection program. Such a program is not only easy to implement and, in most cases, free; many plans actually result in cost savings.

All you need is to develop a confidential document waste stream and make employees understand that most documents we produce are confidential and must be protected.

The document waste stream is your first point of attack. This control can be as simple as having a particular waste container in the building designated as the confidential trash can. Another approach is to maintain a more user-friendly program of having a special waste container at each person's work space. No matter how you choose to implement your program, your objective is to get all waste paper to a particular site where it can be properly disposed of.

Several different levels of security should be considered for the disposal process. They can range from a high security level, which requires that all paper be shredded, to having the documents picked up by a local paper recycler in covered containers destined for the nearest pulp mill. Although the method you select should be based on the level of confidentiality of the document, the key is to remember that anything is better than putting your office's waste paper in plastic bags on a public curb.

The "Right To Financial Privacy" Act (RFPA)
All employees should understand the meaning and the purpose of the RFPA. This act was created to protect our client and customer information from indiscriminate examination by law enforcement. It applies only to individuals - corporations and partnerships are excluded from privacy provisions.

In order to obtain records of our customer's business with us, the government must provide a subpoena. We must retain records of all items disclosed, and we could be liable to a client for damages if information is disclosed improperly.

The RFPA affects only information requested by government and law enforcement agencies. It is not the same thing as customer confidentiality. And it does not apply to records covered by an SAR.

What is Confidential Information?

There are two types of confidential information. One is customer-related information and the other is sensitive internal information.

Customer-related information is anything your customer would not want an unauthorized person to see. Examples include general customer data, account statements, loan applications, and financial statements.

Sensitive internal information includes anything you would not want your competitor to see. This would include items such as any proprietary documents, planning documents, marketing plans, summary reports, personnel information, prospect lists, and financial reports.

The obvious places/formats to find confidential information include paper copies, magnetic media, visual displays, electronic media, and microfilm. Other formats that are less obvious include indiscreet oral conversations and cellular phone signals.

Although control over all of these different types of information is difficult, we must take proactive steps to protect such information. Education of all employees is the key to that protection.

Embarrassment, Lawsuits, etc.

Financial institutions face several risks if information is not properly protected. One risk, embarrassment to the institution, may occur if customer-related information is, for example, found on a document that has blown off a trash truck. Our customers think of us as being safe repositories of information.

Another risk that we face for improperly disclosing information is a lawsuit. If a teller does a favor for a detective and discloses information improperly, the customer can sue the institution. A much larger risk is evident when a prospective loan customer's business plan is accidentally disclosed to their competitor. The affected party can sue the institution for loss of income.

A third risk is becoming a victim of fraud. In the case of kites or loans, this could even lead to regulatory criticism for violation of laws or regulations.

Finally, improper disclosure of information can threaten the continued operation of the institution if critical information is lost.

How do you go about accomplishing all this? I'll explain a step-by-step procedure in the next HOTLINE, including how to convince your audit department to back you up!

Jim Incaprera is Corporate Security Officer and trainer at First Commerce Corporation in New Orleans. He is a frequent speaker and instructor at the ABA Security School and is also a consultant and lecturer on security for the Louisiana Bankers Association.

Copyright © 1996 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 6, No. 12, 11/96

First published on 11/01/1996
