Canadian attorney David Fraser of The Canadian Privacy Law Blog has this post about a bank employee, with no prior criminal record, who accessed customers' personal information and used it to harass them, primarily women.
The man, 39-year-old Marco Antonio Munoz, is no longer working for the institution but his alleged trail of identity theft could span the Midwest and hundreds, if not thousands, of bank customers.
“We don't know what we have here yet,” said Det. Sgt. Jeff Herweyer, who handled the case on behalf of the Michigan State Police Cadillac Post.
What police do have is 73 pages of names that Munoz accessed over the last four years, with the most activity in the last two.
Munoz passed the bank's screening process. Had he had a criminal background in the past, he would not have been hired, Janei said.
Many of the comments of the bank's spokesperson are obviously designed to defend the bank by pointing out that the bank has policies and procedures to prevent this type of abuse from occurring, but that this is something that is not run-of-the-mill. I think that the comments of the FBI agent and bankers in the article quoted in David's post would indicate that this is not the type of information theft that a bank would expect to occur. Stealing data to steal money is something that a bank might expect. Stealing to harass women is out of the ordinary.
From personal experience as in-house and outside counsel to financial institutions, I think that the most difficult type of employee-criminal to detect is the bad apple who doesn't appear to be one and who has no "track record" that would give management a clue that he or she might be one. Embezzlement and theft by trusted employees often goes undetected for long periods of time. As the bank pointed out, if the gentlemen in question had had a criminal record, that fact would have been detected during routine pre-employment background checks that banks usually (and always should) obtain in screening job applicants. He didn't have a record.
This "hole" in the pre-employment screening process is one reason that many businesses are also turning to the use of personality testing services (such as IntegriView and others) in an attempt to detect issues with an applicant's integrity. As we pointed out last September, the U.S. Seventh Circuit held that the use of "personality tests" to identify such personality traits as "honesty, preferences and habits" does not violate the Americans With Disabilities Act (but that the use of "medical examinations" designed to weed out psychological disorders is prohibited by the ADA). Obviously, no such test is going to be fool-proof; however, the use of such "personality tests" will, if nothing else, aid a bank/employer's argument that its hiring of someone, who later turns out to be a criminal, was not negligent.
As David's article also notes, banks should have in place internal controls that raise "red flags" if an employee without the need for access to sensitive information, accesses such information, particularly on more than one occasion. There was no indication in the article whether the individual in this case had a need for such access, or whether such a pattern was detected and the individual apprehended because of those controls. If the controls were in place, and if the suspect was not authorized to access the information, the system certainly did not work as efficiently as it might have been expected to work. Seventy-three pages worth of names, purloined over four years, is quite a haul.
Comments