InfoSec Violations Result in Ban from Banking

InfoSec Violations Result in
Ban from Banking
by BOL Guru Mary Beth Guard

Loan officers sometimes begin to think that borrowers they have helped are "their" customers. When the loan officer moves to another financial institution, it's not at all uncommon for him or her to call on those customers and try to persuade them to move their business. In one recent case, however, the actions taken by a loan processor and loan officer crossed a line and resulted in civil money penalties and permanent removals from banking. The most interesting part of the story is why the Office of the Comptroller of the Currency took those extraordinary steps.

In most instances where loan officers attempt to "take customers with them", if any action is taken, it is generally by their former employer, who may assert violation of a non-compete clause in their contract, tortious interference with contracts with third parties, or, if information about the customers was taken, they may even try to claim theft of trade secrets.

In the case of Vicki Boutilier and James Earl Smith, the OCC stepped in because of the way the pair handled confidential customer information. According to the OCC, the two copied more than 2,200 customer loan files, then emailed them over an unsecure Internet connection to a third party, planning to use them in connection with future employment. By doing so, they misused the information, violated privacy regulations, engaged in unsafe or unsound banking practices, and placed the confidentiality of the customer files at risk.

The parties entered into Stipulations and Consent Orders under which Smith and Boutilier must pay civil money penalties and have consented to permanent removals from banking. There are numerous other stipulations. For example, before accepting a new position with any employer that would cause Smith or Boutilier to come in contact with "nonpublic personal information" that is transferred as part of the employer's business to a federally insured financial institution or regulatory agency, they must provide a copy of the Consent Order to the CEO of the entity offering them the position. If the position is still offered after that disclosure has been made (doubtful, don't you think?), the individual must then provide written notice of acceptance of the employment to the Director of the OCC's Enforcement and Compliance Division. There's more, but you can read it at your leisure in the links provided below.

This is, in our view, a groundbreaking action, because it illustrates that information security breaches which place customer information at risk can and will result in serious consequences. While this case dealt with employees attempting to use customer information for their own personal gain, it's clear the implications are not limited to that realm.
The Comptroller John D. Hawke, Jr. said "The OCC will respond aggressively if we find that bank employees are misusing that information, or placing it at risk of unauthorized disclosure." Read that last part again. If inadequate information security procedures (or even failure to adhere to adequate procedures) places customer information at risk, the OCC will respond aggressively.

Information security is serious business. If your institution -- and you personally -- are not doing all you should to safeguard customer information, you need to make adjustments immediately.

Related links:

• OCC NR 2003-27
  
• Stipulation and Consent Order - Vicki Boutilier
  
• Stipulation and Consent Order - James Earl Smith
  
• InfoSec Guidelines (aka "Interagency Guidelines Establishing Standards for Safeguarding Customer Information")
  

For comprehensive network security solutions at an affordable price, check out SecurePipe, Inc., sponsor of BOL's Security Section. SecurePipe provides process oriented security, utilizing cutting-edge technology and expert remote management, plus fully managed firewalls, active intrusion detection systems, virtual private networks and email virus scanning combined into a holistic solution. They also offer 24x7 monitoring, management, maintenance and incident response keeps your systems secure even when your IT staff is asleep.

Copyright, 2003, BankersOnline. First published on BankersOnline 4/7/03. All rights reserved.