Information Security News mailing list archives

E-mail snarls bank in privacy inquiry


From: InfoSec News <isn () c4i org>
Date: Tue, 24 Feb 2004 01:46:39 -0600 (CST)

Forwarded from: Marjorie Simmons <lawyer () carpereslegalis com>

http://www.miami.com/mld/miamiherald/8019815.htm

Mon, Feb. 23, 2004
Associated Press

ST. LOUIS - State investigators are trying to pinpoint whether
Southern Commercial Bank perhaps compromised the privacy of more than
40,000 customers by e-mailing unsecured personal data to an
independent computer programmer.

The information included bank account, Social Security numbers and
addresses of customers who have loans and demand deposits, including
checking, savings and money market accounts, the St. Louis
Post-Dispatch reported Monday.

Regulators are concerned because such information could be used to
commit identity theft, either by the person who receives it or by
someone who accesses the computer or the transmission.

St. Louis-based Southern Commercial said it did not violate its own
policies or federal regulations designed to protect customer
information.

"There is a statement of policy, not laws, involving the transmission
of data over the Internet," said Eric McClure, commissioner of the
investigating Missouri Division of Finance, which regulates
state-chartered banks including Southern Commercial. "Generally,
unencrypted information is not recommended."

St. Louis Federal Reserve Bank officials said the matter would be
reviewed during the bank's next examination.

McClure said anyone who knowingly or intentionally shared the data
could face federal criminal charges, punishable by up to five years in
prison.

"We've got zero tolerance for this information being out there,"
said Joe Elstner, a spokesman for St. Louis' Federal Reserve Bank.

Rick Henderson, a Kirkwood computer programmer, said Tom Green - vice
president of one of Southern Commercial's 10 branches - sent an e-mail
in October that included the questioned information in an attachment.

At the time, the subcontracting Henderson was trying to finish work on
a computer program that was to help the bank improve customer service.
When he got e-mailed to him personal information on more than 40,000
of the bank's customers, "I just about fell out of my chair when I
opened it, and it was the real thing."

He said he contacted state regulators and the Post-Dispatch after he
was not fully paid for his subcontracting work.

Henderson said he did not illegally use the customers' information and
does not intend to do so. He said he no longer has the information,
and the e-mail with the attachment was deleted when he rebuilt his
computer.

Dick Illyes, president of the bank's contractor, Micr Automation Inc.,
said Green "made a mistake" when he sent the e-mail with attached
records and simply assumed Henderson "was trustworthy."

The bank's attorney, Jeff Demerath of St. Louis, sent a letter last
month to Henderson demanding that he return the information or provide
proof he destroyed it or face prosecution.

Henderson said he did not respond, though Demerath said Southern
Commercial said it is satisfied the information was not and will not
be disseminated.

Since the incident, Demerath said, the bank has revised its practices
regarding the sharing of customer information with vendors.

Joe Elstner, a spokesman for the Federal Reserve Bank of St. Louis,
said that while banks may share sensitive customer information with
vendors under contract, banks may not share such information with
outsiders.

Illyes said Micr - a longtime check-processing consultant to the bank
- treated Henderson as its employee, though it has no written contract
with him.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

