The industry suffered a number of public security breaches last year, some stemming from employee misconduct or error, like those at CIBC, Certegy Check Services and others. Whether the blunders take root in a wayward employee or one who is just plain irresponsible, how far should the ripples of accountability reach?
When an employee downloads sensitive data from the corporate network to a removable device and walks out the door with it, premeditated malicious intent makes the person an obvious target to blame. But while this may be true, the incident also illustrates that the company lacked the necessary safeguards to have prevented the theft in the first place.
Likewise, the accidental misplacement of a hard drive or a laptop containing confidential customer data may have been an honest error. But again, it can reveal the absence of internal procedure around secure data handling.
However, even if the company had taken the time to implement such a security process, it could still take the fall for inadequate employee training and awareness.
The world of occupational health and safety is an excellent example of an area where accountability resonates pretty broadly, and understandably so, given that accidents can result in worker fatality. A worker injury or death resulting from another worker’s negligence will likely lead to an investigation, followed by possible charges being laid against the shift supervisor and company owner.
But if the company owner and supervisor can prove the existence of a written safety guideline that’s prominently displayed, and on which workers have been trained, then they may evade the charges.
In the world of IT, physical injury or fatality won’t result from stolen personal data, but identity theft and loss of privacy can have some pretty destructive consequences for customers.
A recent proposed amendment to the Criminal Code, Bill C-27, aims to make companies more proactive in this area, and cause the accountability to ripple even harder and further throughout the organization.
Should it pass, it will make “reckless” handling of personal data a crime. In other words, it will be an offense to have been reckless around making available or selling personal information knowing it will or might be used to commit fraud.
As with occupational health and safety, security breaches are always followed by a long, stern look at procedure and awareness, if any existed in the first place.
Things can get tricky for the organization because “reckless” can carry a pretty broad definition. But if a wayward employee’s misconduct falls outside the scope of his or her job, then the company might escape the “reckless” label.
But in the end, affected customers don’t care if the core culprit is a wayward employee who refused to follow established procedure. They see the company, as a whole, as accountable for the damage they’ve endured.
For this reason, companies that handle sensitive data can’t afford to get lax around how employees operate on the job. It’s always best to be proactive: imagine the worst and prepare for it.