We’ve all heard stories about criminals gaining access to company databases and stealing thousands of sensitive customer records, but we rarely think about the inside threat: company employees.
Take the case at WE Energies, Wisconsin’s largest utility company, where employees freely admitted to accessing client information for inappropriate reasons such as checking in on an ex-boyfriend or a local celebrity. The abuses came to light when the late-bill-paying habits of a mayoral candidate were leaked during a tight election and the candidate lost.
WE Energies, like all companies with large amounts of sensitive client information, is now faced with the challenge of keeping customer information safe from abuse by its own employees. One of the first and most important steps is to put clear policies and procedures into place. Employees should be made aware of what constitutes appropriate and inappropriate access. They should also be well aware of the repercussions of accessing sensitive information for personal reasons. While it is not illegal to access information unless it is used for illegal purposes, companies can enforce their own penalties for data abuse.
Companies should also do their part to carefully consider who should have access to what information. There is no reason why salespeople should have access to billing records, for example. Segregating your data on a need-to-know basis can reduce potential abuse.
Once policies are in place and data is organized, companies can go further by using software to track employee access to customer records. Today’s tracking software can monitor data access by individual employees and provide time stamps. While it may be difficult to ascertain whether an employee is accessing a client’s contact information for professional or personal reasons, for example, the software allows employers to see patterns in the data.
If an employee repeatedly accesses the same client’s account, a flag can be raised; excessive access to the records of family members and friends can also be noted. While the software allows you to monitor access, it’s important to have a human in charge of looking for patterns or anomalies. These so-called data custodians serve as security monitors. They probably won’t catch all abuse, but they can prevent a widespread problem.
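An added example of the kind of pattern check described above (it is not from the original article or any particular product): it parses a constructed access log and flags an employee who repeatedly reads one client's account, and who reads a billing record outside their role's need-to-know. The log format, role names and threshold are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (hypothetical format):
# timestamp, employee id, employee role, customer account id.
SAMPLE_LOG = """\
timestamp,employee,role,account
2024-03-01T09:02:11,e101,billing,A-1001
2024-03-01T09:15:40,e101,billing,A-1002
2024-03-01T10:01:05,e102,sales,A-1003
2024-03-01T10:03:17,e102,sales,A-1003
2024-03-02T08:45:00,e102,sales,A-1003
2024-03-03T17:30:22,e102,sales,A-1003
2024-03-03T17:31:02,e102,sales,A-1003
2024-03-04T12:00:00,e103,support,A-1004
"""

# Need-to-know rule from the policy step (assumed): only these roles may read
# billing records; the set below marks which accounts are billing records.
BILLING_ACCOUNTS = {"A-1001", "A-1002", "A-1003"}
ROLES_WITH_BILLING_ACCESS = {"billing", "support"}
REPEAT_THRESHOLD = 4  # reads of one account by one employee before flagging

def parse_log(text):
    """Parse CSV log lines, converting the timestamp column to datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows

def find_anomalies(rows, repeat_threshold=REPEAT_THRESHOLD):
    """Group reads by (employee, account) and emit flags for the custodian."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["employee"], r["account"])].append(r)
    flags = []
    for (emp, acct), hits in sorted(by_pair.items()):
        times = sorted(h["timestamp"] for h in hits)
        if len(hits) >= repeat_threshold:  # same account read over and over
            flags.append({"kind": "repeated_access", "employee": emp, "account": acct,
                          "count": len(hits), "first": times[0].isoformat(),
                          "last": times[-1].isoformat()})
        role = hits[0]["role"]
        if acct in BILLING_ACCOUNTS and role not in ROLES_WITH_BILLING_ACCESS:
            flags.append({"kind": "out_of_role", "employee": emp,
                          "account": acct, "role": role})
    return flags

if __name__ == "__main__":
    for flag in find_anomalies(parse_log(SAMPLE_LOG)):
        print(flag)
```

The flags are a starting point for the custodian's review, not a verdict: the time span on a repeated-access flag shows whether the reads cluster in one work session or recur across days.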
If you are worried about access by remote or traveling employees, data custodians can also be charged with monitoring data that is taken out of the workplace. Employees who want to take work home with them should have to “check out” the data by having the custodian record what information is checked out, by whom, and when. Any data taken out of the workplace should be transported on encrypted storage or media devices and not on laptops. This way, if the data is misplaced, it will be unreadable. This system may not stop remote employees from looking at records, but if they try to use the information in an inappropriate way, there will at least be a log of their access to it.
When clients turn over their personal information to a company, they are relying on the company and its employees to keep it safe from external and internal threats. It’s important for companies to realize that it’s not just their client data that is at risk if they don’t take steps to protect it; the company’s own reputation is also at stake.