Employee theft of customer data is always a concern and has become even more so as information can be condensed to digital assets, which are easily moved, copied, or downloaded. The issue can be especially troublesome for banks because of confidential customer data. The information is often easily identifiable to the customer and can include common data such as addresses, email addresses, and telephone numbers, but also often includes sensitive information such as social security numbers, bank account information, dates of birth, and credit card information.
Banks often provide commissions to loan officers to compensate for the closings of mortgage, business, or agricultural loans. Because of the compensation structure, commissioned sales officers may believe the customers and their sensitive information belong to them rather than the bank for which they work. Sales officers may even attempt to take customer information with them when they leave one bank and seek employment elsewhere.
Taking such information may lead to violations of non-compete or non-disclosure agreements. But the taking of such sensitive information may also cause violations of the Gramm-Leach-Bliley Act and even state data breach notification statutes that protect such personal information and may require customer notification. 1
Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (“GLBA”) protects information that a customer gives to a bank, or an employee of a bank, to obtain a product or service. The act defines sensitive information as follows:
Nonpublic personal information: “Nonpublic personal information” generally is any information that is not publicly available and that:
- A consumer provides to a financial institution to obtain a financial product or service from the institution;
- Results from a transaction between the consumer and the institution involving a financial product or service; or
- A financial institution otherwise obtains about a consumer in connection with providing a financial product or service. 2
However, this language is very broad and could apply to almost any information provided by a customer to a bank for a product or service.
The regulations, thankfully, are more specific:
[S]ensitive customer information means a customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name or password or password and account number. 3
In combination with account numbers, social security numbers, a driver’s license number, and other information commonly collected by banks, the demographic information is “sensitive customer information” under GLBA. This sensitive information is not uncommon on internal sales or customer lists.
Once that information is in possession of the bank, the bank has an affirmative obligation to:
- Ensure the security and confidentiality of customer information;
- Protect against any anticipated threats or hazards to the security or integrity of such information;
- Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and
- Ensure the proper disposal of customer information and consumer information. 4
And when the security or confidentiality of customer information is not protected:
When an incident of unauthorized access to sensitive customer information involves customer information systems maintained by an institution’s service provider, it is the Financial Institution’s responsibility to notify its customers and regulator. 5
And the regulations state:
Where an incident of unauthorized access to customer information involves customer information systems maintained by an institution’s service providers, it is the financial institution’s responsibility to notify the institution’s customers and regulator.6
When an incident of unauthorized access to customer information is discovered — such as when an employee may download, save, print, email, or otherwise copy customer data to take with them to a new financial institution or to start a new business — the bank may have a duty to report this data breach to its regulator, law enforcement, and its customers. While no bank wishes to notify its customers of a breach, there may be options, such as using the threat of providing notification to regulators or law enforcement to elicit the former employee’s cooperation in an investigation to determine the risk of harm.
The regulations require an investigation to occur:
When a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused.7
The question then becomes, “What is a ‘reasonable investigation’ for the bank to determine the likelihood of harm?”
Reasonable Investigation
First, the bank must have a “Response Program” “appropriate to the size and complexity of the institution and the nature and scope of its activities, designed to address incidents of unauthorized access to customer information.”8 At a minimum, a response program should include:
- Assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused;
- Notifying its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined later in the final guidance;
- Immediately notifying law enforcement in situations involving federal criminal violations requiring immediate attention;
- Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, such as by monitoring, freezing, or closing affected accounts while preserving records and other evidence; and
- Notifying customers when warranted.9
The provisions concerning the response program appear to leave little room for ambivalence as to whether notification needs to be made to federal regulators or law enforcement but do allow a measure of judgment when deciding as to whether to notify customers “when warranted.”
Notification to federal regulators should occur when the institution initiates its investigation10 involving unauthorized access or use.
The reading of the comments in the Federal Register can provide some further guidance regarding the notification standard for federal regulators or law enforcement. Notification to federal regulators should occur when the institution initiates its investigation10 involving unauthorized access or use.
But is the “unauthorized access or use” defined by law or an employment contract?
“Unauthorized access or use” is discussed extensively under the customer notice requirements. The guidance states:
Under the Security Guidelines, the proposed Guidance explained that an institution must protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer. Substantial harm or inconvenience is most likely to result from improper access to sensitive customer information. This type of information is most likely to be misused, as in the commission of identity theft.11
The guidance then suggests that the definition of “unauthorized access or use” is related to the commission of crimes such as identity theft. Unauthorized access or use then is not defined by the employment contract. Furthermore, a properly conducted, well-planned investigation may allow the bank to determine whether there was an intent for an illegal purpose or if taking the data is a contractual issue that does not warrant notification to the federal regulators, law enforcement, or customers.
Conducting the Investigation
Conducting a well-planned investigation while leveraging the notification requirements under GLBA or state statutes to regulators, law enforcement, or customers may yield the answers as to the purpose for “unauthorized access or use.” Leveraging the threat of notification can be used to force cooperation from an ex-employee and cooperation from their new employer to investigate the incident fully. Suggested steps for the investigation with full cooperation from the ex-employee and the new employer may look something like this:
Former employee:
- Interviewing the former employee to determine where the data was downloaded, emailed, saved, printed, etc., to determine what possible accesses others may have had to the data or whether there is a threat to the data.
- If the ex-employee admits to downloading the data:
- Ask the employee for access to the devices;
- Hire a computer forensics expert to review any devices of the former employee on which the data had resided to determine the security of the data; and
- Hire a computer forensics expert to ensure the data is securely wiped from the devices on which the information had been located.
- If the ex-employee admits to downloading the data:
- Ask the former employee to sign an affidavit attesting to the fact that the information was downloaded, the locations of the download, anyone who had access download location (e.g., if downloaded to a phone, who else has access to the phone), and that all other copies of the data have been destroyed.
New Employer:
- Consider interviewing representatives of the new employer to determine whether the data was transferred to or saved on the new employer’s network.
- If the data is not on the network, consider asking for an affidavit or a letter from the organization stating so.
- If the new employer has the data on their network,
- Consider asking for a computer forensics expert to wipe the data; or
- Consider asking for an affidavit that the data has been securely wiped from the network device.
The above steps, if well documented, may allow a bank to reasonably conclude that the information has been secured and was not accessed or used for any illegal purpose, such as for opening credit cards or obtaining a new line of credit and meet the requirements of an investigation under the FDIC guidance.
Conclusion
Financial institutions are in a unique position to possess sensitive and personal information of customers. That information must be protected from hackers and employees seeking to email, download, copy, or otherwise remove the information from the bank’s possession.
The regulations and notification requirements allow a bank to investigate whether the access and use will require notification. The threat of notification of regulators and law enforcement may provide leverage for the cooperation and interview of former employees. The interviews, the investigation, and the resulting affidavits and reports may provide the evidence necessary for a bank to conclude the actions of the employee; while a violation of an employee agreement is not grounds for data breach notification required under GLBA.
1 Although state data breach notification laws may apply, this article will limit the discussion to the applicability of GLBA, the definition of sensitive data under GLBA, and the investigation standards under GLBA. This article will also not address the notification requirements under GLBA or applicable state statute.
2 15 USC § 6809(4)
3 2 CFR Appendix B to Part 364
4 12 CFR Appendix B to Part 364 – Interagency Guidelines Establishing Information Security Standards
5 Financial Institution Letter, FIL-27-2005, April 1, 2005, https://www.fdic.gov/news/financial-institution-letters/2005/fil2705.html
6 Supplement A to Appendix B to Part 364 Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
7 Supplement A to Appendix B to Part 364 Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
8 Federal Register, Vol. 70, No. 59, Tuesday, March 29, 2005, Rules and Regulations, page 15739.
9 Federal Register, Vol. 70, No. 59, Tuesday, March 29, 2005, Rules and Regulations, page 15741.
10 Federal Register, Vol. 70, No. 59, Tuesday, March 29, 2005, Rules and Regulations, page 15741.
11 Federal Register, Vol. 70, No. 59, Tuesday, March 29, 2005, Rules and Regulations, page 15744 (emphasis added).
For more information, please contact Robert (Bob) Kardell, at 402.636.8313, bkardell@bairdholm.com, or visit bairdholm.com.
