Recently, two of the most publicized cases of improper disclosure of personal information (Fidelity and the Veterans Administration) occurred through what might be described as the "clueless insider" threat. In both cases, an employee had copied large amounts of critical information (names, Social Security numbers, account information and other data) onto a laptop, and then lost the laptop. In the Fidelity case, the laptop disappeared from a car at a company meeting. (I am one of the 198,000 whose personal information was on that laptop.) In the VA case, the employee took the laptop home - against policy - and it was stolen during a home burglary. Some experts think the VA case could cost $500 million in remediation and other costs.

It is difficult for any organization to prevent cases in which a current employee does something in direct violation of the organization's policy. That's why you could call this the "clueless insider" threat. More insidious, though, is the threat from people who were employees until recently, and then left the organization voluntarily or involuntarily but still have their data access privileges - the "ghost employee" threat. It is not the employees' responsibility to ensure that they no longer have access. The human resources and IT departments are responsible for this, and their failure to coordinate to ensure that these former employees are cut off at the right time means that the cluelessness resides in the organization. This issue applies equally to employees who have shifted roles in the organization - their access must be adjusted to reflect their new roles.
