A Human Resources Challenge – The Insider Threat To Data Assets
By: Lewis Brisbois' Labor & Employment Team
On April 23, 2019, a privacy notification by the FBI stated that U.S. businesses are reporting a significantly increased amount of data loss as a result of insider threat actors. Companies should not assume that this warning falls squarely within the domain of their Information Technology or Chief Information Security Departments. The vast majority of data-loss incidents have a human component. Data security is as much a function of managing people properly as it is controlling a company’s physical and technical environments. Below is a list of representative factual scenarios taken from real incidents:
- An employee receives a seemingly legitimate email that asks for all employees’ W-2s and sends the information in a phishing attack.
- A nurse with access to the personal information of elderly patients misuses that information to contact the elderly patients for ‘personal loans’ that are granted and never repaid.
- An employee loses or has a laptop (external hard-drive, memory stick, etc.) stolen.
- After his resignation, an employee accesses proprietary customer lists and pricing information.
These scenarios are becoming more common in the 21st century, so what can HR departments contribute to minimize the “Insider Threat”?
First, HR professionals should collaborate with their company’s Chief Information Security and Chief Information Officers, then memorialize and implement key company policies such as the following:
- Employment contracts with robust confidentiality clauses or stand-alone Non-Disclosure Agreements.
- Policies and procedures that delineate appropriate and prohibited access to establish a basis for potential disciplinary actions; security expectations; and a mandate that all employees return all data assets (both digital and paper) and any other corporate property at the time of discharge.
- Trainings – employees require extensive and meaningful training on protecting data assets, which should include sector-specific training about access, use, transfer, and maintenance of data. Training efforts should also be documented.
- Access Controls – carefully designate the level of access a new hire must have in order to perform the functions of their job, but not more; revisit any necessary changes to access control throughout the employee’s tenure and document them; periodically audit access controls for employees; terminate all access to digital/other assets at the time of termination including BYOD devices.
- Fully Investigate any data privacy/security incident, as with all other employee issues, either internally or by use of an external investigator; delayed discovery of data incidents is an issue that can be mitigated by clear policies that incentivize early reporting; involve experienced outside attorneys well-versed in data privacy to counsel you during the investigation under attorney-client privilege; consider engaging forensics experts early to verify and document data access and protect the chain of custody for supporting evidence.
Protecting the data assets of a business is no small matter. It takes an inter-disciplinary approach to tackle prevalent insider threats. HR is a trusted partner in conducting employee investigations especially during the employee’s tenure. HR is well-versed in disciplinary actions, training, involvement of law enforcement or termination. Even before an incident, the HR team plays a vital part in protecting against the misuse and unauthorized access of valuable data assets by controlling, as much as possible, the human factor in security incidents. Overall, HR departments can be strong allies against insider threats and should play an integral part in devising strategies to secure data assets.