Pub. 16 2021-2022 Issue 5

NEBANKERS.ORG 16

Counselor's Corner — continued from page 15

standard for federal regulators or law enforcement. Notification to federal regulators should occur when the institution initiates its investigation¹⁰ involving unauthorized access or use. But is the “unauthorized access or use” defined by law or an employment contract? “Unauthorized access or use” is discussed extensively under the customer notice requirements. The guidance states:

Under the Security Guidelines, the proposed Guidance explained that an institution must protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer. Substantial harm or inconvenience is most likely to result from improper access to sensitive customer information. This type of information is most likely to be misused, as in the commission of identity theft.¹¹

The guidance then suggests that the definition of “unauthorized access or use” is related to the commission of crimes such as identity theft. Unauthorized access or use, then, is not defined by the employment contract. Furthermore, a properly conducted, well-planned investigation may allow the bank to determine whether there was an intent for an illegal purpose or if taking the data is a contractual issue that does not warrant notification to the federal regulators, law enforcement, or customers.

Conducting the Investigation

Conducting a well-planned investigation while leveraging the notification requirements under GLBA or state statutes to regulators, law enforcement, or customers may yield the answers as to the purpose for “unauthorized access or use.” The threat of notification can be used to force cooperation from an ex-employee and cooperation from their new employer to investigate the incident fully.

Suggested steps for the investigation with full cooperation from the ex-employee and the new employer may look something like this:

Former employee:

• Interview the former employee to determine where the data was downloaded, emailed, saved, printed, etc., to determine what possible access others may have had to the data or whether there is a threat to the data.
• If the ex-employee admits to downloading the data:
  ❒ Ask the employee for access to the devices;
  ❒ Hire a computer forensics expert to review any devices of the former employee on which the data had resided to determine the security of the data; and
  ❒ Hire a computer forensics expert to ensure the data is securely wiped from the devices on which the information had been located.
• Ask the former employee to sign an affidavit attesting to the fact that the information was downloaded, the locations of the download, anyone who had access to the download location (e.g., if downloaded to a phone, who else has access to the phone), and that all other copies of the data have been destroyed.

New Employer:

• Consider interviewing representatives of the new employer to determine whether the data was transferred to or saved on the new employer’s network.
• If the data is not on the network, consider asking for an affidavit or a letter from the organization stating so.
• If the new employer has the data on their network,
