NEBANKERS.ORG 14 COUNSELOR’S CORNER Employee Data Theft in the Age of FDIC Compliant Investigations EMPLOYEE THEFT OF CUSTOMER DATA IS ALWAYS A CONCERN and has become even more so as information can be condensed to digital assets, which are easily moved, copied, or downloaded. The issue can be especially troublesome for banks because of confidential customer data. The information is often easily identifiable to the customer and can include common data such as addresses, email addresses, and telephone numbers, but also often includes sensitive information such as social security numbers, bank account information, dates of birth, and credit card information. Banks often provide commissions to loan officers to compensate for the closings of mortgage, business, or agricultural loans. Because of the compensation structure, commissioned sales officers may believe the customers and their sensitive information belong to them rather than the bank for which they work. Sales officers may even attempt to take customer information with them when they leave one bank and seek employment elsewhere. Taking such information may lead to violations of noncompete or non-disclosure agreements. But the taking of such sensitive information may also cause violations of the Gramm-Leach-Bliley Act and even state data breach notification statutes that protect such personal information and may require customer notification. 1 Gramm-Leach-Bliley Act The Gramm-Leach-Bliley Act (“GLBA”) protects information that a customer gives to a bank, or an employee of a bank, to obtain a product or service. The act defines sensitive information as follows: Nonpublic personal information: “Nonpublic personal information” generally is any information that is not publicly available and that: • A consumer provides to a financial institution to obtain a financial product or service from the institution; • Results from a transaction between the consumer and the institution involving a financial product or service; or • A financial institution otherwise obtains about a consumer in connection with providing a financial product or service. 2 However, this language is very broad and could apply to almost any information provided by a customer to a bank for a product or service. The regulations, thankfully, are more specific: [S]ensitive customer information means a customer’s name, address, or telephone number, in conjunction with Robert Kardell, Baird Holm, LLP
RkJQdWJsaXNoZXIy MTIyNDg2OA==