Worker’s alleged theft and sale of sensitive client information should be a wake-up call about security
Your company needs to be able to trust its employees with sensitive information – but that trust alone won’t prevent a rogue worker from masterminding a security breach.
Last week, international health insurance giant Bupa confirmed an employee had stolen data relating to 547,000 clients, and was trying to sell it online.
The incident was far from isolated: breaches on a smaller scale are “very common”, and the healthcare sector faces a particularly high risk, warns data law expert Bradley Freedman, a partner at Borden Ladner Gervais.
Take, for example, the Ontario healthcare workers who stole thousands of new parents’ data and sold it to brokers of Registered Education Savings Plans over several years.
Freedman says it’s “a very difficult thing” to mitigate such security breaches, but companies can implement a range of technological and administrative measures to prevent incidents occurring and limit their fallout.
“This is an example of a business risk for all organizations, large or small, regardless of the industry, and there are lots of commonsense, low-cost, easy things that organizations can do to reduce the risk of this kind of an incident,” he says.
And all levels of an organization, including HR, have a role to play.
Mitigation measures start with due diligence, including checks on employees and others who will be accessing your organization’s systems – such as contractors, suppliers and temp workers – to minimize the risk of them improperly accessing or stealing information.
However, technology – including restrictions on who can access what information – may be your company’s best defence.
“A business should organize itself and structure itself so employees have access to the data they need, but no more,” Freedman says.
“You shouldn’t have one big network where everyone can access everything. It should all be segregated and locked down, with technological measures that do that.”
Organizations’ systems should collect logs of who is accessing what information – and those should be reviewed periodically for red flags.
Staff should also be trained on appropriate access, the consequences if they breach such policies, and how to avoid inadvertent misconduct – as well as how to avoid being caught out by phishing scams that could compromise the organization’s systems.
Freedman suggests companies also use multi-factor authentication for logins to prevent staff unwittingly handing over their username and password to scammers.
When an employee leaves the company, their credentials should immediately be revoked, and system logs should be inspected to check for any inappropriate access to files.
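The two log-review practices above (periodic checks for red flags, and checking for access by staff whose credentials should have been revoked) can be turned into a simple automated review. The script below is an added example, not code from Bupa or from the article; the access-log format, the sample lines, the HR departure list and the per-day threshold are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from any real system):
# timestamp, user, action, client record id
SAMPLE_LOG = """\
2017-07-10T09:02:11 alice view client=10021
2017-07-10T09:05:40 alice view client=10022
2017-07-10T09:06:02 bob view client=10021
2017-07-10T09:07:15 carol export client=10031
2017-07-10T09:07:16 carol export client=10032
2017-07-10T09:07:17 carol export client=10033
2017-07-10T09:07:18 carol export client=10034
2017-07-10T09:07:19 carol export client=10035
2017-07-10T09:07:20 carol export client=10036
2017-07-11T18:30:00 dave view client=10040
"""

# Hypothetical HR feed: users whose employment has ended, with their last day.
DEPARTED = {"dave": "2017-07-10"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) client=(\d+)$")


def parse_log(text):
    """Parse the constructed log lines into (date, user, action, client_id) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, action, client = m.groups()
            events.append((ts[:10], user, action, client))  # keep the ISO date only
    return events


def find_red_flags(events, departed=DEPARTED, max_distinct_per_day=5):
    """Return a sorted list of (user, reason) pairs that a reviewer should look at."""
    seen = defaultdict(set)  # (user, date) -> distinct client records touched
    flags = set()
    for date, user, action, client in events:
        seen[(user, date)].add(client)
        # Any access after the last day means the account was not revoked in time.
        if user in departed and date > departed[user]:
            flags.add((user, "access after departure on " + date))
    # Bulk access: far more distinct client records in a day than the role needs.
    for (user, date), clients in seen.items():
        if len(clients) > max_distinct_per_day:
            flags.add((user, f"{len(clients)} distinct client records on {date}"))
    return sorted(flags)
```

The threshold (assumed here) should be set per role from normal usage, so that ordinary work is not flagged while bulk exports and post-departure logins are.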
And if a breach does occur, a company should have systems in place to minimize the risk, and prevent a full-scale disaster.
“Organizations ought to have an incident response plan and a designated team – a trained and tested team and plan – so that they’re ready to respond immediately,” Freedman says.
That team should be prepared to contain and investigate the breach, elevate the issue to senior management and give notice to authorities, and remedy the breach – then ensure lessons are learned to prevent a repeat.
“It’s really a multidisciplinary thing – none of the stuff we’re talking about is an IT issue, it’s all an organization-wide risk-management problem.”