#1027470 - 08/25/08 07:16 PM Board packages mailed to director homes
Starter Offline
Platinum Poster
Starter
Joined: Aug 2004
Posts: 513
NJ
Is it a violation of privacy regs for a Board package to be mailed UPS to a Director's home and left without a signature required?

#1027768 - 08/26/08 01:56 AM Re: Board packages mailed to director homes Starter
Dazed and Confused Offline
Gold Star
Dazed and Confused
Joined: Feb 2006
Posts: 250
Big XII South
Does the package contain confidential customer information (i.e. account numbers, names and addresses)? If so, then will someone else besides the director pick up the package from the front doorstep and review the contents? Albeit not likely, you do run that risk. I don't know if it's a privacy reg violation, but your scenario does not sound like a safe practice. I'm sure you have pursued other options, but could you scan the packet and send it via a password-protected/encrypted email? Or could you require the director(s) to get a post office box?

#1029127 - 08/27/08 04:28 PM Re: Board packages mailed to director homes Starter
Tesla Offline
Power Poster
Joined: Nov 2003
Posts: 3,726
Starter - we do this and just assumed the risk. Our Board does not like computers, so we can't scan the information or give them discs or anything. It is all paper, FedEx'd overnight to the Director twice a month. We have just assumed the risk of a package being mishandled. We just had an S&S exam and this didn't come up, but, to be kind, our examiners were not the most ambitious bunch of people.
_________________________
It's not that I take life for granted. It's only that the good won't make it. Innocence dies, while Villainy Thrives.

#1029175 - 08/27/08 05:13 PM Re: Board packages mailed to director homes Tesla
Andy_Z Offline
10K Club
Andy_Z
Joined: Oct 2000
Posts: 27,748
On the Net
It scares me. I've had a number of deliveries dropped off to my house number, 3 blocks away. More than once when the tracking report showed delivered, I walked up the street to recover Christmas gifts. I've also had cell phones and expensive camera gear dropped off at the door. The doorbell wasn't rung. I know as I was home at the time.

Borrowers names for loans and problem loans/accounts may be on those reports as well as a ton of corporate "secrets" you wouldn't want out there.

This is one of those where you might today say you'll accept the risk, but tomorrow you'll say "what were we thinking" as you react to the press.

We tried digital board reporting once. Younger directors loved it, older ones hated it. In the end, you can pick up a packet early or you can see it at the meeting. That worked in our small bank. If you have directors conferencing in, it doesn't. Perhaps deliveries can be limited to real people, and those people will know the sensitivity concerns. Again, this may be the director's traditional office where his/her secretary signs and places it on their desk. But a drop off at the front door is an accident waiting to happen, IMHO.
_________________________
AndyZ CRCM
My opinions are not necessarily my employer's.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#1035967 - 09/05/08 08:06 PM Re: Board packages mailed to director homes Andy_Z
Risk Officer Offline
100 Club
Joined: Apr 2001
Posts: 205
Dallas
Not necessarily a technical violation, though it could be cited as a weak practice pursuant to GLBA, and perhaps other standards.

I'd certainly lean toward delivery to the director's place of business. At one bank I worked at, the directors were local so we had staff take the packets to their houses and hand deliver them to the director, their family, or other designee.

Way too easy for a package to be left at the wrong house or for it to be picked up by a stranger.
_________________________
My opinions are just that...my opinions.

#1036283 - 09/06/08 09:12 PM Re: Board packages mailed to director homes Starter
Russ Horn Offline
100 Club
Russ Horn
Joined: May 2008
Posts: 139
If you mean they are leaving the packages (with customer confidential information) outside of the residence (on the front porch), then you might argue this is a violation of the Interagency Guidelines Establishing Information Security Standards.
In addition, how are these documents destroyed once they are no longer needed? Are they brought back to the bank and shredded? Do the Board members have shredders at their homes?
_________________________
Russ Horn, CISA, CISSP, CRISC
CoNetrix
rhorn@conetrix.com

#1038016 - 09/09/08 07:13 PM Re: Board packages mailed to director homes Russ Horn
DerrickAuditor Offline
Member
Joined: Mar 2008
Posts: 91
USA
I consider myself to be darn conservative with privacy and GLBA issues, but I think this should be the least of your worries related to GLBA. Don't we mail statements and audit confirmations to customers all the time and trust they will arrive - even to those without a PO Box? I mail Audit Committee reports via USPS to directors and external auditors and have not had any issues whatsoever.

The audit committee chair keeps copies of all reports in a binder at his home. Everyone else leaves their reports at the meeting and I shred them.

I am much more concerned with weak 3rd party vendors, couriers leaving their doors unlocked, etc.

#1038745 - 09/10/08 04:07 PM Re: Board packages mailed to director homes DerrickAuditor
P*Q Offline

Power Poster
P*Q
Joined: May 2001
Posts: 8,458
Somewhere
Originally Posted By: DerrickAuditor
I consider myself to be darn conservative with privacy and GLBA issues, but I think this should be the least of your worries related to GLBA. Don't we mail statements and audit confirmations to customers all the time and trust they will arrive - even to those without a PO Box? I mail Audit Committee reports via USPS to directors and external auditors and have not had any issues whatsoever.

The audit committee chair keeps copies of all reports in a binder at his home. Everyone else leaves their reports at the meeting and I shred them.

I am much more concerned with weak 3rd party vendors, couriers leaving their doors unlocked, etc.


I kind of agree here. We do reference this actual risk in our GLBA risk assessment. We do put confidentiality notices on the top of all board packages. Our board refuses to go electronic (our packages are so big) so it's a risk we assume and notate our mitigating factors in our assessment. Examiners have been fine with this so far.

#1041370 - 09/12/08 07:30 PM Re: Board packages mailed to director homes P*Q
Starter Offline
Platinum Poster
Starter
Joined: Aug 2004
Posts: 513
NJ
Wow - what great feedback - subsequent to my initial post, we have talked about it at Audit Committee - to my surprise they were willing to take the risk based on the area of residence - one director switched shipping to his business address - someone in my institution told me that they are talking about issuing some regulatory guidance on this issue in the near future, but I can't seem to find it in print.

#1041816 - 09/14/08 09:17 PM Re: Board packages mailed to director homes Starter
John Burnett Offline
10K Club
John Burnett
Joined: Oct 2000
Posts: 40,086
Cape Cod
If regulatory guidance is ever issued, you can be assured you'll read about it here on Bankers' Threads or in BOL's Compliance Briefing or Top Stories.
_________________________
John S. Burnett
BankersOnline.com
Fighting for Compliance since 1976
Bankers' Threads User #8

#1041817 - 09/14/08 09:22 PM Re: Board packages mailed to director homes John Burnett
John Burnett Offline
10K Club
John Burnett
Joined: Oct 2000
Posts: 40,086
Cape Cod
We had one director from Illinois (we were on the east coast) and he got his material first by overnight delivery, then by VPN access to board documents. Our chairman lived about a mile from me, so I often hand-delivered his stack of paper. Virtually every one of our directors still actively working received material at their business addresses rather than at home.
_________________________
John S. Burnett
BankersOnline.com
Fighting for Compliance since 1976
Bankers' Threads User #8

#1042463 - 09/15/08 07:34 PM Re: Board packages mailed to director homes John Burnett
Starter Offline
Platinum Poster
Starter
Joined: Aug 2004
Posts: 513
NJ
I would agree with sending to the business address. We actually have a director that does not have a business address and lives part time in one state and part time in another state - so this one is hard to make sure it gets to him.

#1081710 - 11/13/08 10:42 PM Re: Board packages mailed to director homes Starter
dgau Offline
New Poster
Joined: Apr 2008
Posts: 11
In the military, information classified 'CONFIDENTIAL' can be sent via USPS first class Registered mail. A signature is required at delivery and an audit trail is provided courtesy of the USPS. I'm thinking that if it's good enough for Uncle Sam in uniform, it should be good enough for Uncle Sam the regulator.


Moderator:  Andy_Z