Banks sometimes overlook simple, often obvious steps that can be taken to help protect customer information and prevent the escalating crime of identity theft.
The threat of identity theft and the risks to customer information security must be addressed on many levels. Certainly, computer systems and the internet are key issues. Filters, passwords, firewalls, encryption, screen savers, authentication software: all are great tools, and essential to a bank's information security program. But what about the "low-tech" side? Is anyone watching the trash cans, photocopiers, and employee desks?
Open spaces, open secrets
Bank lobbies and public areas tend to be smaller and more compact these days. Banking offices in grocery stores and other retail locations, especially, offer little elbow-room between employees and between customers. In many cases the layout of the space is open, with bankers' desks and workstations placed close together, separated by thin partitions or no dividing walls at all.
Such configurations often affect the security of customer information. Consider: If customers must line up at a customer service desk in the lobby to handle banking transactions or get information, are customers in line close enough to overhear sensitive information?
Are bankers' desks so close that it is difficult to have a private conversation without being overheard by another customer or even someone just walking by?
Are mirrors or other reflective surfaces on the walls positioned in such a way as to enable someone to view documents or computer screens without detection? With a little practice it's not so hard to read mirror images of words or upside-down letters across a desk. Try it.
The location of the customer waiting area is another consideration. The position of waiting-area chairs near or facing bankers' desks might provide a clear view of computer screens or easy access to conversations that can pose a risk to information security. Persons who appear to be "hanging out" for extended periods of time should be a red flag to bank personnel.
Some institutions use privacy screens or security screens on computers that are located in or near public access areas. The screens prevent someone who isn't sitting directly in front of the computer from reading the information on the computer. At the ABA National Compliance Conference in New Orleans in June, Chuck Lewis, senior vice-president, UMB Bancorp, even suggested taking a walk around the perimeter of a bank building to see if a passerby could see computer screens and papers on desks revealing sensitive information.
Lobby kiosks containing computer terminals for customers to use to access accounts and information have grown popular. But consider how these machines are positioned and segregated in terms of optimum customer privacy. Would you want someone else looking over your shoulder waiting for the chance to use the computer while you view details about your account?
Employees working in public areas should be cautioned not to keep papers and files on their desks and counters.
Documents should be placed into a drawer or cabinet when not in use. Even the precaution of turning papers face down when visitors show up is a good low-tech preventive measure.
Fax machine faux pas
If the bank places fax machines and photocopiers in lobby or public areas, precautions should be taken to protect documents that contain customer information. Machines should not be left unattended during faxing and photocopying. After faxing and photocopying, all documents should be removed immediately. If a full-page cover sheet--as opposed to those little stick-on "to/from" labels--is not used to send a fax, the receipt or confirmation page the fax machine prints out after successful transmission will contain the first page of the faxed document, which could contain confidential information. …