By Michelle Drolet
On Jan. 5, federal law enforcement seized several automobiles valued at about $100,000, which had belonged to the former president of the Massachusetts Bank and Trust Company, as restitution for his defrauding the bank in 1997. Last year in May, Bank of America sustained a $10 million loss when an insider sold the bank’s customer data to organized criminals who then committed fraud against the bank’s customers. The former associate sold scammers customer names, addresses, Social Security numbers, phone numbers, bank account numbers, driver's license numbers, birth dates, email addresses, mother's maiden names, PINs and account balances.
If confidential information (sales leads, customer accounts, trade secrets, intellectual property) is stolen or misused, your competitive edge can evaporate, and your reputation and balance sheet can take a major and potentially fatal hit. Regulated information, such as credit card numbers and other personal and financial data, is a frequent target of attacks. In theory this data is protected by U.S. state and federal regulations that require strong security controls. In practice, many businesses are not fully compliant with those regulations, or they have all the right policies on paper but lax or no monitoring and enforcement.
Whether a hacker steals customer data or a well-meaning employee loses a laptop or other portable device containing sensitive data, the loss of regulated information amounts to a reportable data breach. Recently enacted state and federal regulations mandate breach notification when customer or employee personally identifiable information (PII) is involved. But the increase in breaches can't be accounted for by increased reporting alone. We've all seen it: critical, sensitive information is copied to USB drives that dangle at the end of key chains, or to other devices that IT has little or no control over, such as smartphones, tablets and MP3 players. Employees often fail to encrypt that data, so when the device is lost the information on it is exposed, not merely unavailable, which turns a lost gadget into a reportable breach.
When employees leave for jobs at other companies, they often believe that they own their relationships with customers. Unlike piracy or patent infringement, customer information theft exists in a legal gray area. In many states, non-compete and non-solicitation agreements favor the organization, but in other states non-compete clauses are not enforceable. The employee can retain the relationship so long as it doesn’t involve any solicitation. When departing employees take sensitive organizational data with them, you may be left to deal with a costly, reportable security breach, and a mass exodus of customers who have lost trust in your organization, or who follow your former employees to their new companies.
Suspecting that an employee has improperly taken customer information is not enough. To prove it you need a strong forensic process and tools already in place, as well as policies that preserve evidence: for instance, a departing employee's computer should be forensically imaged, and the image's hash recorded, before the machine is wiped or re-issued to someone else. Otherwise you'll be hard-pressed to prove any wrongdoing.
One way to minimize insiders’ opportunity to steal sensitive data is through vulnerability scanning and penetration testing, which can help your organization find weaknesses in access controls, the technical implementation of administrative policies, and other vulnerabilities that enable insider attacks.
Michelle Drolet is founder and CEO of Towerwall, an IT security services provider in Framingham, Mass.