[BreachExchange] Protecting Confidential Information from Untrustworthy Employees

Thu Jan 5 18:55:53 EST 2017

http://www.ctemploymentlawblog.com/2017/01/articles/protecting-
confidential-information-from-untrustworthy-employees/

Employers that maintain records of their employees and customers and allow
employees have access to confidential information have long needed policies
that not only secure the information, but ensure that employees who have
been granted access to such information are complying with the corporate
policies and are trustworthy.

An insurance agency in Massachusetts thought it had done everything right,
but was sued for negligence in its retention of an employee that it thought
was trustworthy, but was not.

An employee used her computer to access confidential information that she
then gave to her boyfriend about the identity of a witness to a car
accident in which the boyfriend had been involved with her car.  The
boyfriend used that information to contact and threaten the witness.  The
witness reported the threat to the police and ultimately the boyfriend and
the employee pleaded guilty to witness intimidation and conspiracy.  After
the police visited the employer to obtain information about the threat,
which was traced back to the employee, the employer fired the employee.

That, however, did not end the tale.

The witness then sued the employer for failing to safeguard personal
information, and for negligent retention and negligent supervision.  While
the trial court dismissed the case, the appellate court has determined that
the facts alleged are sufficient to go to trial.

Where did the employer go wrong?  The company had adopted a data security
plan and policy that prohibited employees from accessing or using personal
information for personal purposes.  The computer software even required
employees, who wished to access the data base with confidential
information, to agree to use the information for one of four limited
purposes, all of which were business related.

Those were positive steps.

The problem arose because the unrestricted access did not stop the employee
from reviewing information that had an impact on her personally.  The
second failure had to do with an inadequate investigation of the employee’s
background and simply taking the employees word about a weapons arrest that
occurred during her employment in another state.

The employee told her boss that the arrest was a misunderstanding, that she
was clearing it up, and subsequently said it was resolved.  The employer
simply took her word for it.

What he would have discovered with a very simple inquiry was that there
were serious issues with her honesty and fitness for accessing other
people’s personal information.  The company could have learned that she was
traveling with her boyfriend when they were stopped for speeding and that
she was arrested for having two semi-automatic guns concealed in her purse,
one had the serial numbers filed off and the other was stolen.  She also
had a half-mask and police scanner.  After her arrest, she told the company
that there had been a misunderstanding as the weapons belonged to her
boyfriend, that she didn’t know anything about them and that she was
exonerated.

Her story was not true, but her account itself should have raised questions
about her having access to personal information.

The court said that the company had a duty to protect the confidential
information and that it was foreseeable that the employee could access
information and use it for personal gain.  The company had an obligation to
investigate the employee’s continuing fitness after the arrest.  The court
said that a jury could decide that the failure to take action under these
circumstances was unreasonable as the company knew about the weapons charge
and could have learned of her lies and her willingness to commit a crime
with her boyfriend.  The company did not take sufficient steps to limit the
risk of harm to those whose personal information its employees could access.

There are steps to take to avoid this problem.  After an employee is hired,
that does not end the need to be vigilant about their fitness for the job.
When information comes to light that may raise questions about the actions
of an employee, an employer cannot simply take his/her word for what
occurred.  It must take affirmative steps to explore what the underlying
issue is, analyze the employee’s story, and assess the risk the employee
poses if access to confidential information is abused or if other employees
and the public may be put at risk.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170105/54f8e3ad/attachment.html>