Although the odds are that data breaches will be carried out by people outside the enterprise, the possible threat from insiders always has to be on the minds of infosec pros. The latest publicly-reported incident of an insider privacy breach came out last month in a report from Saskatchewan privacy commissioner Ronald Kruzeniski, who recommended that the case of a SaskPower employee caught snooping on and copying the personnel files of thousands of staff members be examined for possible charges.
During a network scan for an unrelated matter in November, SaskPower’s enterprise security team discovered a large cache of files on the unnamed suspect’s corporate workstation. The suspect had accessed files of about 4,800 current and former employees, previewing and saving files to his PC without a legitimate business purpose.
The two copied files were:
–a Microsoft Access database with records of 3,135 current and former employees that included name, employee number, social insurance number, sex, marital status, home mailing address, home phone number, salary, spouse name and gender, life insurance coverage and beneficiaries, copied to a USB drive;
–an Excel file on a portable drive containing records for 2,402 current and former employees including name, employee number, social insurance number, birthday, start date, department and position.
During an interview with the utility’s director of internal audit and manager of security investigations, the employee said no documents were sent outside SaskPower, and the utility told the privacy commissioner it had no evidence the employee distributed or forwarded the personally identifiable information to any other person from his workstation or from his home.
The RCMP was called in December. The employee was fired in January. The privacy commissioner recommended the case be turned over to the provincial justice department for possible charges of violating the provincial privacy act or other legislation.
SaskPower has 3,100 full-time employees. What the utility did right and wrong — at least according to the provincial privacy commissioner — will be of interest to privacy and security officers, particularly because regulations under the federal privacy act that make breach reporting mandatory for affected private-sector organizations are expected to come into effect next year.
First, the privacy commissioner said the utility took every reasonable step to contain the privacy breach once it was discovered. Affected employees were notified by letter (with an apology) that included a general description of the compromised data elements and contact information for SaskPower’s privacy officer for more details. Notice of the breach of privacy was posted on SaskPower’s Employee Information Network, and sent to managers and supervisors in a weekly communication memo.
However, the utility’s privacy officer wasn’t prepared for the deluge of calls, which soon clogged his voicemail. “Had SaskPower established a strategy for handling these calls in advance of sending notification, the affected individuals would have been able to have their questions and concerns addressed more quickly,” the privacy commissioner wrote. The utility fixed the problem.
Lesson One: After a breach involving employee data, whoever handles the response had better have a big voice- and e-mail inbox.
After current employees were notified, SaskPower also included a report on the breach in a newsletter that goes out to former employees. The privacy commissioner suggested the utility make sure all affected people are kept in the loop. But aside from not contacting the Association of Professional Engineers and Geoscientists of Saskatchewan to check whether the fired employee was a member of the association (and thus possibly open to discipline there), the privacy commissioner was satisfied that SaskPower sufficiently provided notice of this privacy breach to affected people.
The third step in a breach response is to hold an internal investigation. During this phase the utility concluded the fired staffer had more access to network drives than was needed for his job. “SaskPower had assumed they had the appropriate safeguards in place to restrict access to network drives to those with a legitimate business need-to-know,” says the privacy commissioner, “but that was not the case.”
Lesson Two: You can never have too much access control.
And while the utility requires staffers to take annual privacy training, the fired staffer’s last refresher took place in 2013, just over two years before the breach was discovered. He was current in the annual code of conduct training, which included a privacy and confidentiality component. But SaskPower admitted it didn’t have a policy forbidding employees from bringing removable storage devices from home or taking removable storage devices off SaskPower property.
Still, policies are of little use if there isn’t strict access control.
SaskPower now says it has toughened access by locking the affected network folders and telling business areas to ensure only authorized units have access. It has also verified security controls on network folders containing confidential information, and bought an additional reporting tool for large-scale audit assessments on systems that contain private, confidential and restricted information. The initial audits are focusing on the areas containing the information deemed highest-risk.
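The two remediation steps above (restricting folder access to units with a need-to-know, then auditing the controls on confidential folders) are the kind of check that can be scripted against an ACL export. The script below is an added illustration, not SaskPower’s audit tool: the folder inventory, the ACL record layout, the business-unit mapping and the sample paths are all constructed assumptions, and a real run would need an adapter for whatever the file server or reporting tool exports.

```python
"""Need-to-know audit for shared network folders (added illustration).

Two questions a post-breach audit should answer:
  1. Which ACL entries grant access to confidential/restricted folders
     to principals outside the units authorized for that folder?
  2. Which individual users can reach more sensitive folders than
     their job plausibly needs?
All data below is constructed sample data, not from any real system.
"""
from collections import defaultdict
from dataclasses import dataclass

# Groups that effectively mean "everyone": their presence on a sensitive
# folder is a finding regardless of which unit the folder belongs to.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}


@dataclass(frozen=True)
class Folder:
    path: str
    classification: str          # "public" | "confidential" | "restricted"
    authorized_units: frozenset  # business units with a need-to-know


@dataclass(frozen=True)
class AclEntry:
    path: str
    principal: str   # user or group name as exported from the file server
    unit: str        # owning business unit of a user; "" for broad groups
    rights: str      # e.g. "R", "RW", "F" (informational only here)


# Constructed folder inventory (assumed to come from a data-classification list).
FOLDERS = [
    Folder(r"\\corp\hr\payroll", "restricted", frozenset({"HR", "Payroll"})),
    Folder(r"\\corp\hr\benefits", "confidential", frozenset({"HR"})),
    Folder(r"\\corp\eng\drawings", "confidential", frozenset({"Engineering"})),
    Folder(r"\\corp\public\forms", "public", frozenset()),
]

# Constructed ACL export (assumed to come from the file server / audit tool).
ACL = [
    AclEntry(r"\\corp\hr\payroll", "pay.clerk", "Payroll", "RW"),
    AclEntry(r"\\corp\hr\payroll", "Domain Users", "", "R"),
    AclEntry(r"\\corp\hr\benefits", "hr.analyst", "HR", "RW"),
    AclEntry(r"\\corp\hr\benefits", "eng.user1", "Engineering", "R"),
    AclEntry(r"\\corp\eng\drawings", "eng.user1", "Engineering", "RW"),
    AclEntry(r"\\corp\hr\payroll", "eng.user1", "Engineering", "R"),
    AclEntry(r"\\corp\public\forms", "Domain Users", "", "R"),
    AclEntry(r"\\corp\legacy\old_db", "eng.user1", "Engineering", "F"),
]


def audit_acls(folders, acl):
    """Return (path, principal, reason) for every entry that violates need-to-know.

    A folder that is absent from the inventory is itself a finding: an
    unclassified share cannot have been checked for appropriate access.
    """
    by_path = {f.path: f for f in folders}
    findings = []
    for e in acl:
        folder = by_path.get(e.path)
        if folder is None:
            findings.append((e.path, e.principal, "folder not in classification inventory"))
            continue
        if folder.classification == "public":
            continue
        if e.principal in BROAD_PRINCIPALS:
            findings.append((e.path, e.principal, f"broad group on {folder.classification} folder"))
        elif e.unit not in folder.authorized_units:
            findings.append((e.path, e.principal, f"unit {e.unit} has no need-to-know"))
    return findings


def over_provisioned_users(folders, acl, max_sensitive=2):
    """Map user -> sorted sensitive folder paths for users exceeding the threshold.

    Broad groups are skipped (they are reported by audit_acls); only named
    users count toward the per-user total.
    """
    by_path = {f.path: f for f in folders}
    reachable = defaultdict(set)
    for e in acl:
        folder = by_path.get(e.path)
        if folder is None or folder.classification == "public":
            continue
        if e.principal in BROAD_PRINCIPALS:
            continue
        reachable[e.principal].add(e.path)
    return {u: sorted(p) for u, p in reachable.items() if len(p) > max_sensitive}


if __name__ == "__main__":
    for path, who, why in audit_acls(FOLDERS, ACL):
        print(f"FINDING {path} {who}: {why}")
    for user, paths in over_provisioned_users(FOLDERS, ACL).items():
        print(f"OVER-PROVISIONED {user}: {len(paths)} sensitive folders")
```

The threshold in `over_provisioned_users` is a starting point for the audit rather than a policy in itself: the aim is to produce a short list of accounts whose access a business area must justify or revoke, which is the review the utility asked its business areas to carry out.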
Finally, it plans to amend its employee Code of Conduct and training to address employee snooping.
As a result, the privacy commissioner was satisfied that SaskPower had adequately responded to the privacy breach and implemented sufficient safeguards to prevent future occurrences.