Even Americans slow to learn about the perils of identify theft have long considered their financial information to be strictly between themselves and their chosen lenders and financial planners.
It can be embarrassing for any company to be caught by an auditor or inspector—or worse yet a local investigative reporter—with sensitive information in its trash Dumpster. But that embarrassment is especially acute for banking, finance and insurance firms, which have several laws and rules in place with which to comply.
| Cashing Out |
The banker for banks—the Federal Reserve Bank of the United States—has a unique document destruction responsibility: the destruction of U.S. currency considered past its usable prime. The Federal Reserve Bank of New York describes on its Web site what happens to the faded, frayed and wrinkled bills after they reach the Fed: "The authorization to destroy currency was given to the Federal Reserve Banks by the Treasury Department in 1966. At [the Fed Bank of New York’s East Rutherford, N.J., Operations Center, or EROC], unfit currency is directed automatically to one end of the high-speed currency processor, where stainless steel blades crosscut the notes into confetti-like shreds. In 2000, approximately 29 percent of all notes, or 3.7 million notes with a total dollar value of $77 million, were destroyed at EROC each day. More than 17 million pounds of paper currency are removed from circulation each year. "All shreds are sent by vacuum tube to a disposal area one floor below. The shreds from different machines, including the different denominations, are mixed and compressed into briquettes. Each briquette is made up of roughly 1,000 notes and weighs approximately 2.2 pounds. A private contractor picks up the briquettes and disposes of them at landfills. "Other Reserve Banks turn the shreds into stationery products under a contract with the private stationery company that makes the high-quality cotton bond paper on which currency is printed." |
Clearly, when an information destruction firm takes on banking, lending and other financial industry clients, it is being trusted as a close and thorough ally by those institutions.
CODES OF COMPLIANCE
The single greatest weapon in the criminal arsenal for the growing crime of identity theft is financial information that contains an individual’s name, address and bank or credit card account numbers. (A Social Security number can provide additional firepower.)
Without question, it is up to individual customers to guard such information regarding their own accounts, but a tremendous onus also lies on financial institutions that store, distribute and dispose of volumes of paper (and electronic storage media) that contain names and account numbers.
If one national estimate is right, and more than 20 million Americans have been victims of identity theft in some way, then the Gramm-Leach-Bliley Act of 1999 (GLBA) and its financial privacy provisions have become a measured government response to the problem.
GLBA covers a number of privacy issues, including setting guidelines as to what extent financial institutions can share contact and account information with other businesses that may wish to solicit these contacts for sales reasons.
But placing information destruction requirements on covered institutions is also part of GLBA. Section 501 of the act, as described by the law firm of Fried, Frank, Harris, Shiver and Jacobson, New York, on its Web site, requires lenders, "to ensure the security and confidentiality of customer records and information; to protect against any anticipated threats or hazards to the security or integrity of such records; and to protect against any unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any consumer."
As outlined in an edition of the Federal Register in August of 2001, GLBA’s Safeguards Rule includes guidelines for lenders and their suppliers to"develop, implement and maintain a comprehensive written information security program" that could mean they should "select and retain appropriate service providers."
Such guidelines handed down from the federal government provide nice selling points for information destruction firms proposing to do business with companies in the financial segment.
GLBA may have helped spur banks and other lenders from a compliance viewpoint, but liability from suits filed by identity theft victims also spurred banks into action.
One Seattle area identity theft victim ended up filing 16 civil suits against lenders and credit reporting agencies after she spent two months in mental health facilities because of the trauma she says she suffered trying to rebuild her life after becoming a victim of identity theft.
Such civil suits multiplied by the potential pool of victims helped provide a quick wake-up call to the importance of information management to most lenders. If that was not enough, "Dumpster diving" segments by local TV news investigative reporters a few years ago became another way of rousing lenders into action.
Mike Tingle, president of Tri-R Shredding, Denver, (See cover story, "Beyond Shredding," ) says such tactics helped his mobile shredding company land a key client in the financial sector.
"We pitched one large bank in the 1990s and had met with a senior VP who said that they didn’t see the need for document shredding," Tingle recalls. "Shortly after that, my business partner at the time and I drove a mobile shredding truck we had purchased back from Canada over the course of a weekend. When we got back, a phone message from the bank was waiting. They wanted our service right away. Why the change? Because a TV news reporter ‘Dumpster dived’ the bank and found statement and credit reports with home addresses, account numbers, and other information."
COVERING GROUND
Convincing banks that they need a shredding service is now much less of a challenge, says Tingle. "They now understand the regulations like GLBA and understand the need for the service."
The multi-branch nature of banks, however, can mean they merit special consideration when routing and possibly the purchase of additional equipment to serve them properly.
When a Midwest regional bank was looking for a shredding service provider who would need to operate in several states, Willie Geiser of Allshred Services, Toledo, Ohio, formulated a bid jointly with two other regional shredding companies to cover the geographic area necessary. As of last year, Geiser reported that the additional business helped prompt his company’s decision to invest in a larger facility and to acquire additional trucks and containers, as well as to add personnel.
Serving banks can require placing a variety of storage bins—from small collection bins near each teller station to large, metal outdoor containers that can be collected during off hours.
Once the routing and equipment logistics are worked out, though, Tingle says banks can be a pleasure to work with. "It’s easy to serve them on routes because they understand security and they understand confidentiality."
Banks generally also yield a good grade of recyclable paper, as what is placed into the locked bins consists almost exclusively of office-grade paper, much of it white. And, increasingly, they understand the critical importance of having an alliance with a secure destruction firm that can help them meet their regulatory mandates and protect them from potential lawsuits from identity theft victims.
The author is editor of Secure Destruction Business and can be reached via e-mail at btaylor@gie.net.
| Advice for Banks |
Identity theft victim Mari Frank of California says the ordeal she went through to set her life straight was more than a crime victim should have to bear. In an online interview, Frank says the most dismaying aspect was dealing with lenders and credit reporting agencies who somehow seemed to make the criminal act much easier than setting the record straight again. As a way of helping financial institutions better understand working with victims, Frank provides several recommendations for them. The situation for victims may have improved some with the late 2003 passage of a federal act that has permitted the Federal Trade Commission (FTC) to distribute a standardized affidavit that can be sent to all lenders and reporting agencies by identity theft victims attempting to set the record straight. (One list of steps to take is provided by Comparitech and can be found online here.)Some steps may be useful value-added services that secure destruction companies can offer to their financial segment customers: 1) "Shred all account and personal information that is to be discarded. Throwing out sensitive information in a bin (without labels) in the back of the bank to be picked up is dangerous! (In San Diego, a TV news crew went and picked up bundles of un-shredded trash from behind several banks. Then the news crew delivered these important documents to the bank account holders to see how they felt about the crew obtaining their financial information. You can imagine how shocked and furious the bank customers were. Humiliated, the banks subsequently changed policies by purchasing locked bins, or began in-house shredding. 2) Keep personal data locked up where temporary employees, etc., can’t get it. In other words, keep personal data secure. 3) Limit access to customers’ personal information and carefully scrutinize applicants for credit cards. 4) Confirm all changes of address by sending a confirmation letter to the old address and to the new address." |
Explore the May 2004 Issue
Check out more from this issue and find you next story to read.
Latest from Recycling Today
- Lawndale Recycling receives air quality permit
- US recovered paper exports decline again
- Ohio’s Polymer Industry Cluster to receive federal funds
- California legislator continues to push for textiles EPR law
- Victaulic invests to upgrade Pennsylvania foundry
- New York auto salvage yard settles environmental investigation
- Radius remains in the red in most recent quarter
- Ports of Indiana eyes Chicago import, export container market
