Friday, October 9, 2009
So Much for Red Flags?
A Maryland Bank Tosses Personal Records in the Trash.
I am shocked but frankly not surprised to see this story. Even though banks were among the businesses that were supposed to be Red Flags compliant prior to Nov of 2008, I can guarantee that many are not. It is just as obvious that they do not take the intent of the training requirement seriously, as outlined in the FACT Act (where the Red Flags Rule comes from). FACTA supplemental material from the FTC makes training an important component of any data protection program. I don't think anyone who reads this column would have done something as irresponsible as tossing out personal records so haphazardly. The reason is that you are aware of the risks. Prepare the bank employees with the same sensitivity and this story would not have needed to be written. It's not as much about signing off on a compliance document as it is about understanding why compliance needs to be done. Since it is the rank-and-file employee who handles personal information on the job, it is not sufficient for banks and other businesses to orient only management staff. Security is only as good as the weakest link.
A number of customers in Rodgers Forge, Maryland were upset to learn that the institution which recently took over the local branch of the former Bradford Bank has been less than protective of their personal and banking information. Baltimore television station ABC2 reports that pages of documents were found discarded and unshredded in a trash bin outside the bank. Among them were bank statements and security-related information, days-old cancelled checks and photocopied driver's licenses. IAPP past president Chris Zoladz, CIPP, founder of the privacy consultancy Navigate LLC, comments on the breach.