Insider Fraud Suit: Example for Others?Insider Accused of Stealing Details on Thousands of Accounts
Legal action sought by a Massachusetts-based investor-services firm against one of its former employees could set an example for future insider fraud cases.
Computershare, which provides investment services to more than 2,700 corporate clients and 15 million shareholders in the United States, has filed a civil suit against Kathyann Pace, a former internal risk management auditor.
Pace has been accused of illegally copying to USB drives proprietary company documents that included shareholder names, account numbers and financial holdings. The suit alleges Pace copied the information from her corporate laptop and transferred it to a personal laptop, violating the Computer Fraud and Abuse Act.
Though the incident allegedly occurred in September 2010, Computershare sought legal action against Pace after she refused to produce the Computershare laptop, which she took with her when she resigned from the company, as well as USB devices allegedly used to copy the data.
A forensics examination revealed information that resided on Pace's laptop and other devices in Pace's possession did not include confidential shareholder data, "though it did include confidential company information," says Jeff Stein, a Computershare spokesman. "All Computershare information was purged from the devices turned over by the employee during litigation."
Computershare seeks recovery of legal fees and has included a non-disclosure agreement in its case against Pace to prevent her from using any information she may still possess. The case is now expected to go to trial.
Insider Fraud Mind Shift
Mike Braatz, senior vice president and general manager of bank fraud for Memento, a fraud-management software services provider, says the Computershare case represents a shift in corporate thinking about internal fraud.
"This is one case, but companies are getting more aggressive about seeking legal action against employees who compromise data," Braatz says. "I think we will see more lawsuits, because firms realize that a lone, rogue employee can do a lot of damage."
Companies no longer view malicious internal compromises as mere human-resources issues. "When the exposure involves customer information, firms are taking that very seriously," Braatz says.
But Julie McNelley, a fraud analyst with Aite, says corporations' approaches to insider-fraud threats will continue to vary.
"I think it really depends on the culture of the organization and the size and scope of the fraud," she says. "I've spoken with a number of institutions that have quite disparate approaches. Some believe that prosecution is a great deterrent, and so prosecute 100 percent of their internal fraud cases, regardless of size. Others remain wary of the reputation risk, and so only prosecute those that represent substantial exposure."
The size of the organization also plays a role, because smaller organizations have fewer insider breaches and, as a result, often have less tolerance for internal fraud.
Regardless of the organization's size, internal breaches of corporate and client information always lead to financial losses.
"Firms are more educated about the risks of data breaches," Braatz says. "Traditionally, it's been hard to quantify the risk or loss tied to a data breach, since no funds were lost initially."
Today, companies have more directly connected the lines between data breaches and future financial losses and reputational damage. "A handful of high-profile internal data breaches and fraud cases have shown the need to be more proactive and aggressive when it comes to monitoring internal behavior and pursuing action against offenders," Braatz says.
Some recent high-profile insider cases:
- The $2 billion loss suffered by Switzerland-based UBS after when a rogue trader approved fraudulent deals that flew under the bank's radar for months. [See UBS Blames Internal Gaps for Fraud .]
- The $22 million embezzlement scheme, which lingered for nearly eight years, that Citibank revealed in June. [See Citi Case Exposes Insider Risks.]
- The insider breach at Bank of America, revealed in May, that resulted in a $10 million loss after an employee with access to customer files sold personally identifiable information about 300 BofA customers in California and other Western states to international crime rings.
Employee Monitoring and Screening
Internal controls are helping some organizations get a better grasp on internal vulnerabilities and risks. And monitoring has picked up on fraud that otherwise may have gone unnoticed.
Take this month's legal announcement from Wells Fargo. The bank thwarted an insider fraud scheme after an internal investigation revealed unauthorized transactions totaling $574,314.69 approved by a former financial specialist who worked at Wachovia, now part of Wells Fargo. [See Bank Catches Alleged Fraudster.]
Barbara Nate, a spokesperson for Wells Fargo & Company [$1.4 trillion in assets], which completed its merger with Wachovia Corp. in January 2009, says the fraud was discovered internally and reported to authorities. "We uncovered the unauthorized transactions through our own internal investigation and brought it to the attention of law enforcement in 2009," she says. "Any customers that were affected have already been made whole."
Braatz says companies are often being held legally liable for internal breaches and losses resulting from fraud committed by their employees. The stakes are higher, and more firms are taking an approach of "the best defense is a good offense."
That means more investments in technology and limiting employee access. "We've come to a point with technology that you don't have to give people unlimited access anymore," says Brian Anderson, an internal fraud expert and executive at BeyondTrust, which provides internal-fraud management and compliance services to financial institutions and healthcare providers. "In the old days, you had to give administrator full access to the root system. Today, you don't have to do that anymore."
More organizations are taking steps to upgrade monitoring systems to pick up on suspicious activity before big financial losses result.
"Trust alone is not a security program," Anderson says. "Just because you have a policy does not mean you are secure and compliant. At any time, your competition could bribe an employee to steal. ... Good people can do bad things, that's why having technology is so important."