Having to learn the hard way

posted on 02 June 2008 07:23


Hard lessons cost more

The oddly-named Bank of New York Mellon has had to put expensive procedures in place to help potential victims of identity theft, and to spend money on encrypting backup tapes and uprating networking links so that it can avoid physically transporting backup tapes where practicable.

The irony is that BoNYM is well-known as a custodian of share certificates and the like, a safety vault for critical customer information. It knows what it's doing with paper records but dropped the ball with digital ones.

What happened was this:

1. On February 27th a box of backup tapes en route from BoNYM's Shareowner Services' facility in Jersey City, NY, was mislaid by a third-party courier firm, and 4,270,000 customers and 696 institutions were put at risk. The data on the tapes included individuals' names, mailing addresses, Social Security numbers, and transaction activity. The company's slow response to this incident was criticized by Connecticut Attorney General Richard Blumenthal, who described it as inadequate.

2. On April 29th another backup tape en route from BoNYM's Working Capital Solutions operation in Pittsburgh to Philadelphia was mislaid by a courier company, and at least 47 customers' details were exposed, very possibly more. The data involved images of scanned checks and other documents relating to payments made to BoNYM's institutional clients. This was relatively trivial but, in the context of the first incident, demonstrated an inability to learn from a mistake and react promptly.

Todd Gibbons, BoNYM's Chief Risk Officer, exposed the bank's inadequacies by beginning a statement with the well-worn phrase: "Protecting the confidentiality of our clients' information has long been a top priority at The Bank of New York Mellon."

Obviously not; if it had been then the mistakes would not have happened.

He went on to say: "We deeply regret that this occurred and sincerely apologize to all of those impacted. Although there is no indication that the data on these tapes has been misused, we are working with our clients to notify individuals who may be affected and offering these individuals two years of comprehensive fraud protection. ... And, we are working diligently to ensure we have industry-leading security measures in place across all of our businesses to protect the information with which we are entrusted."

BoNYM will provide two years' worth of free credit monitoring plus identity-theft insurance worth as much as $25,000 to people affected by both incidents. Initially it offered one year of credit monitoring and $10,000 of insurance.

It is now apparent that physically transporting unencrypted tapes holding information useful to identity thieves is simply wrong. The movement of such information should be carried out over a network link and, if that is unaffordable, then by encrypted tape. If that too is unaffordable, then either the information should not be moved or a way should be found to make it affordable.

[Paul Roberts, news editor,]

 



tags:  encryption tape identity