Sleeping on the job

For all the warnings banks give customers about protecting account numbers, PINs and passwords, one might assume that they are doing a fine job of protecting private information.

One might be wrong.

Take the case of a Bank of America branch near Spokane that kept some of its documents in a garbage bin. A thief apparently broke the padlock and found a wealth of private information.

Customer Donald Campbell sued the bank this summer, claiming that he was a victim of fraud because of the theft. Bank of America does not answer questions about the case but acknowledged in a court filing that it had kept some documents in a "secured Dumpster."

If Campbell is right about the source of the fraud, it would be one of the smaller data losses or thefts at a bank in 2005. They and credit-card companies account for about 15 percent of the incidents reported this year — and roughly 90 percent of the lost and stolen information — according to the Privacy Rights Clearinghouse.

The biggest by far was the exposure of 40 million credit-card files earlier this year at the processing company CardSystems. Several incidents involved Bank of America, the country's largest retail bank.

Even the Federal Deposit Insurance Corp. learned this year that it lost data: information for some employees that was stolen a couple years ago had been used fraudulently to take out loans in their names.

Although banks frequently tout improvements to Internet banking security, many breaches have nothing to do with online banking. In fact, banks seem to fall short in protecting hard copies of information — paper documents, laptops and computer tapes — more often than they do with online data.

Much of the new legislation meant to combat identity theft requires companies to disclose data breaches. That helps some customers protect themselves before the information is used fraudulently, but some think banks should face greater penalties for the breaches or be required to check more rigorously for identity fraud before issuing new credit.

"The bottom line is that each individual bank is not losing that much money," said Avivah Litan, a Gartner research analyst. "The only thing they're worried about is consumer confidence."

That's despite the fact that it costs about $90 to clean up a breached account, compared with $6 to $16 to protect the information in the first place, Litan said.

Of the nearly 10 million people victimized by identity theft in the past year, about 46 percent don't know how the thief got their information, according to Javelin Strategy & Research in Pleasanton, Calif. Among those who know, the most frequently reported source is lost or stolen wallets, checkbooks or credit cards.

"ID fraud generally comes as a result of low-tech access," said Javelin founder James Van Dyke.

That's true for individuals and companies, experts say.

"We tend to focus on electronic data security, but a lot of banks are lacking when it comes to care of paper documents," said Jack Vonder Heide, a Chicago-area consultant to U.S. Trust and other companies.

Some cleaning crews present a problem, he said.

"Many times they're not employees, they're subcontractors, and even though [companies] try to do a good job background checking, they don't always catch everything," Vonder Heide said.

Not all banks require trash to be locked up or shredded.

Sometimes bank garbage is ransacked to get account information, Spokane fraud unit Detective Stacey Carr said.

"For a while, we had suspects walking by the teller's desk and taking the plastic bag out of the trash can," Carr said.

She has found garbage bags full of bank documents when searching a suspect's possessions. And then there was the case of theft from the Bank of America garbage bin, where the branch had stored some documents.

Backup tapes also present a problem.

In February, Bank of America said it had lost computer tapes with financial data on 1.2 million federal employees, including some U.S. senators.

The company is moving toward electronic vaulting of information, spokeswoman Betty Riess said. It spends about $250 million a year to secure information.

On the electronic side, Vonder Heide said, banks should encrypt data on laptop computers and be more cautious about how employees access the bank's main system remotely to protect against spyware — software that can track such things as keystrokes — on home and hotel computers.

The breach of a bank's primary system could do far more damage than the hacking of thousands of online consumer accounts.

It is difficult to steal money from a retail customer's Internet account without alerting the bank's fraud department. When criminals send e-mails to customers posing as a bank — a practice called "phishing" — they typically are looking for debit or credit-card numbers rather than passwords.

Banks also do a good job protecting their servers, said Litan, the Gartner researcher. But they need to work on preventing employee theft.

"Everyone says to screen employees better, but that doesn't always cut it," Litan said.

New technology would alert banks when employees are doing something suspicious online, but banks are not using that technology yet.

To curb data breaches at banks, some experts say, they should be heavily fined.

"Anything that happens to make a lack of data security more painful would certainly help," Vonder Heide said.

Others, including Litan, want more regulation. She said there should be a government mandate requiring lenders to check for identity fraud before issuing loans.

To Michael Kinkley, who is representing the Bank of America customer in Spokane, protecting data is a matter of common sense.

"A really simple step they can do is to shred private financial information before it leaves their office," Kinkley said.

Melissa Allison: 206-464-3312 or mallison@seattletimes.com