This is rather unusual. I need some help understanding the inplication of this matter. Our employee transaction account is restricted to keep salaries confidential. We have an employee who is pulling up the employee CIF to obtain social security numbers and then calling our 800 number on payday to see the amount of deposit to the employees account. I know this is a privacy violation, but I don't know what to quote when I bring it to managements attention. I think they are already aware of the situation but have done nothing to correct it. Would someone comment on this and advise how I can go about getting this resolved. I would appreciate your help.

Check your employee handbook also to see if something like this would be in there. I know discussing salaries has been strictly taboo from my previous employers and current employer.

It should be in violation of Privacy laws related to your Ethics/Code of Conduct and computer use policy.

From FRB-SR 97-28, you may also have a SAR reportable offense. Guidance Concerning the Reporting of Computer-Related Crimes by Financial Institutions
18 U.S.C. §1030. Section 1030(a)(2) specifically prohibits intentionally accessing a protected computer to obtain certain kinds of information without authority or in excess of authority. Not only does it generally prohibit improperly obtaining information from any “protected” computer, but it specifically prohibits improperly obtaining information contained in a “financial record” of a financial institution.

Another provision applicable to financial institutions is the prohibition on using a “protected” computer without authorization or in excess of authorization to commit fraud. The provisions of 18 U.S.C. §1030(a)(4) criminalize the knowing use of a protected computer without authorization or in excess or authorization with intent to defraud, and by means of such conduct furthering the intended fraud and obtaining anything of value.

If this is happening with employee accounts, what may be happening with customer accounts?

This could be a jealous, nosy employee, but it is serious and will lead to nothing good. It should be stopped.

In addition to the law that Andy references, your employement agreement most likely states emphatically that bank information is only to be used for bank purposes.

I would also suggest talking to your operations people ASAP to get better controls in place on the 800 number, too.

What does your bank confidentiality policy say. Our policy says that you only need information to complete a transaction, if you don't need it for business purposes you don't need to go there. If you are looking at dismissal for this employee, I would check with your attorney to make sure you have all your documentation in order.

Opinions are mine and mine alone.

IMHO - You have a SAR situation on your hands. By using the Social Security Number of someone else to access your system, your employee is committing identity fraud.

This is a serious situation and, depending on the circumstances, may warrant termination.

I agree with Bonnie. This is a form of identity theft/fraud and the suspect should be suspended pending an investigation and terminated if your can prove your case. In other words - set a good hard/fast example here.

I am gathering from the previous posts that this employee has no legitimate business reason to be doing what he/she is doing.

I agree with Bonnie that this is identity fraud, however I don't think I'd look at the circumstances, I recommend immediate dismissal and would also turn over the information to local officials for possible cirminal charges (I'd also inform the employee that the bank was doing this).

This employee has enough information on your other employees, and in all probabilty your customers, to cause a lot of "indentity theft" problems. I definitely would take steps to show due diligence on the bank's part to put an end to the current situation and to prevent future violations.

In this situation this employee is willfully "stealing" information. I for one would not give him/her the benefit of the doubt.

This does point out some possible security issues in your telephone banking system, though. If all someone needs to get into the system is the SSN, that is fairly easily obtained even without the ability to pull up CIF records. Someone outside of your bank could also be perpetrating all kinds of fraud using your telephone banking system to support their efforts. You might want to consider some additional password controls.

This employee has no legitimate business reason to do this. She wants to know what the other employees are making compared to her. I have notified management, but this may be difficult to prove. The employees who informed me of this have since decided they do not want to be involved. So, if I can't prove she is doing this, what are my other alternatives?

I would sit her down and give her a summary of all the federal laws (and possibly state laws depending on your state), that she is violating. Check with your HR policy or attorney about giving her a warning that if she is caught doing this, she will be terminated.

See if the system will log when calls are made to accounts. On the accounts you know she has checked, verify with the account holders when they have accessed the system.

At the very least, you should file a SAR on this employee. I would also recommend that someone at the bank keeps a close eye on her. Anyone who would do this is probably not above "helping themselves" in other areas where they shouldn't!

Also, ask this question on the Security Forum and/or HR Forum (indicate you know you are duplicate posting) and see what Dana Turner and Gayla Sherry have to say. This employee has basically given you notice that she cannot be trusted. She probably does not belong working in a bank.

Bonnie and I are basically saying the same thing, she just said it better than I did and beat me to the post.

First, I’d follow the suggestions of beefing up your security on the telephone banking inquiries. Second I’d check with your IT personnel to see if they maintain logs of PC activity by user to see if you have something there. Also, does your telephone banking keeps logs of date and access times that you may use in building your case. If not, then I would approach personnel and try to call this employee into a “conference” and inform her that it has been rumored that she has been obtaining salary information of other employees by falsifying information and, that if this is true (give her the impression you are giving her the benefit of the doubt), the seriousness of the situation and the possible ramifications if the rumors prove to be true.

First, does your bank's computer system have an audit report that generates each day? If so you should be able to trace every time someone looks at an account, what terminal it came from, and the individual who performed the inquiry. I believe that most core processing software have this sort of report available. With Jack Henry it is called the Online Log. It traces every single type of transaction performed during the day. This would be a start to proving that the employee was looking up the accounts. Subsequently, you could go to your Telephone banking program and have the administrator pull a report to show which accounts had what type of activity (i.e. balance inquiry, account to account transfers, etc) and if you can tell that your employee looked up Suzie Smiths personal account on monday on your system and then monday night (or right after payday) there was a balance inquiry on the Telephone banking system, you might be able to put a case together. Its all in being able to trace electronic activity and there is always a trail, you just have to know where to find it. Good luck!

These are my opinions and not those of my employer.