BreachExchange mailing list archives

The insider data hack: A legal perspective


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 27 Jul 2015 17:59:26 -0600

http://www.itproportal.com/2015/07/27/the-insider-data-hack-legal-perspective/


Data security is a critical risk area for businesses of all sizes. Yet one
aspect of a company’s data security strategy that is often considered in
less detail is the threat posed by employees – the insider threat.

This includes both accidental loss of data through negligence and
deliberate misuse or theft of data by employees. Insiders can be current
employees, former employees whose access has not been revoked, or
contractors, and they can come from any level of the company hierarchy. But
what should you do if you suspect that an employee is stealing confidential
information?

This article reviews the issues in relation to deliberate misuse or theft,
and what businesses should do if they discover such activity.

1. Prepare an investigation plan

The investigation plan is your roadmap for how you want to proceed with
your investigation. It should be kept under review as you obtain more
information. The investigation should be carried out in conjunction with
either in-house legal or external lawyers.

If litigation or regulatory action may follow from a breach, involvement of
lawyers will increase your ability to claim privilege over documents
relating to the investigation if necessary.

2. Identify, as best you can at this stage, what information has been
accessed, and how

This preliminary step is likely to shape the future conduct of the
investigation. Begin by reviewing emails, phone and internet records, and
any other relevant software logs which monitor who has accessed data, to
the extent that your employment contracts with employees allow you to do
this. This should be done covertly to prevent tipping off anyone
potentially involved.

It is therefore important to understand what security controls are already
in place, since these rule out some avenues of investigation, and what
information your current systems and software can actually provide.

3. If information has been taken, consider whether you have an obligation
to notify a regulator or contracting party

It is crucial that a regulator is notified at the appropriate time and in
the correct manner. If your business handles personal data then you should
consider whether to make a notification to the Information Commissioner’s
Office (ICO), although there is currently no legal obligation to notify the
ICO.

A regulated financial business may have to notify the Financial Conduct
Authority, particularly if the breach indicates a systems and controls
failure.

4. Consider for what purpose the information may have been stolen

If the theft was for monetary gain, then a key step will be to identify any
third-party recipients of the information. This is important to ascertain
whether it may be possible to contain the breach by recovering the
information. As the recipient of stolen data will become a target of the
investigation, it is important not to tip off the employee or the third
party.

If the theft is not for monetary gain, then securing the return of the data
before it is disseminated is likely to be the primary focus and, as such, a
different course of action may be appropriate. Research increasingly
suggests that data taken in major breaches is often put to a secondary use,
so it is important to think laterally when considering what the data may be
used for.

5. Consider when to interview the employees involved

It is important to ensure that the timing of employee interviews is right.
If you interview involved employees too early, you may not have enough
evidence to prove their ‘story’ wrong, or you may lose the chance to
recover data.

However, there is a tension between cutting off access to the data (and
therefore risking tipping the employees off) and gathering enough
information to secure the return of the data and to conduct successful
interviews.

6. Decide what steps, if any, can be taken to secure the return of the data

If data has been passed to third parties, or you believe that the employees
involved will not cooperate when confronted, injunctive relief from the
courts may assist you in securing the return and/or destruction of the data.

7. Finally, once the dust has settled, consider what changes can be made to
prevent a future breach

These could range from providing training to employees, to reviewing access
levels and controls, to a thorough review of the IT and security
infrastructure, to upgrading logging. It is important to remember that it
is impossible to prevent every possible incident, and regulators do not
expect businesses to do so as long as reasonable steps are taken.

Prevention is better than cure

Often, making a few internal changes can dramatically reduce the
opportunity for and, therefore, the risk of a data breach being initiated
by an insider. While each incident of suspected data theft will require a
tailored response, businesses can do a lot to prepare themselves.

If you have a plan of action in place and have implemented appropriate
preventative measures, the potential fallout from a data breach can be
limited as far as possible.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
