It is important that companies maintain control over this potential problem. In addition to the traditional competitive reasons that we are all familiar with, when an employee compromises the private data of others that the company maintains, it triggers all of the privacy and data breach concerns that we now hear so much about all over the news.
This is serious and can be devastating to a company. What is worse, as an attorney focused on helping companies address these kinds of concerns, I can tell you one thing for sure: if you do not know it’s happening, you cannot do a thing about it!
Consider, for example, the subject of yesterday’s blog, which was the case Wells Fargo Bank, NA v. Clark. In that case the employee had to resort to more traditional means of obtaining the data by storing it on his company laptop, which he then refused to return for over a month. And, when he did, it was virtually destroyed, though with skilled computer forensics they were able to retrieve enough of the data to reveal what he had been doing. But,
What if they had not regained possession of the laptop?
What if they had not been able to obtain from that laptop the data showing that he had posted its confidential information on the internet?
One of the most common modern problems facing organizations is managing data migrating to the cloud. The very self-service nature that makes cloud computing so appealing also makes unapproved data transfers and leakage possible. Any employee with a credit card can subscribe to a cloud service and launch instances, deliver or consume applications, and store data on the public Internet. Many organizations report that individuals or business units have moved (often sensitive) data to cloud services without approval from, or even notification to, IT or security.
Fortunately, Rich tells companies how they can help mitigate these risks in two steps:
1. Monitor for large internal data migrations with Database Activity Monitoring (DAM) and File Activity Monitoring (FAM).
2. Monitor for data moving to the cloud with URL filters and Data Loss Prevention.
He then goes on to explain exactly what each of the above means and how companies can do it. I encourage you to read the full blog post.
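As an added illustration (not from this post or from Rich's post), the two steps listed above can be correlated per user: a bulk internal read seen by DAM/FAM followed by a large upload to an unapproved cloud host seen by the URL filter. The event formats, hostnames, user names and thresholds below are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample events; formats are assumptions. Step 1 feed (DAM/FAM): (time, user, bytes read)
FAM_EVENTS = [
    ("2024-03-01T09:00:00", "alice", 40_000_000),
    ("2024-03-01T09:05:00", "bob", 900_000_000),
    ("2024-03-01T09:06:00", "bob", 700_000_000),
    ("2024-03-01T10:00:00", "carol", 2_000_000_000),
]
# Step 2 feed (URL filter / web proxy): (time, user, method, url, bytes sent)
PROXY_EVENTS = [
    ("2024-03-01T09:30:00", "bob", "PUT", "https://files.cloud-storage.example/upload", 1_500_000_000),
    ("2024-03-01T09:40:00", "alice", "POST", "https://files.cloud-storage.example/upload", 20_000),
    ("2024-03-01T11:00:00", "carol", "POST", "https://approved-saas.example/api", 1_900_000_000),
    ("2024-03-02T15:00:00", "dave", "PUT", "https://files.cloud-storage.example/upload", 800_000_000),
]
APPROVED_HOSTS = {"approved-saas.example"}  # hypothetical list of sanctioned services
BULK_READ_BYTES = 1_000_000_000             # hypothetical per-user, per-hour read threshold
BULK_UPLOAD_BYTES = 100_000_000             # hypothetical single-upload threshold
WINDOW = timedelta(hours=4)                 # how long after a bulk read an upload is linked to it

def bulk_reads(events):
    """Step 1: (user, hour bucket) pairs whose total bytes read reach the threshold."""
    per_hour = defaultdict(int)
    for ts, user, nbytes in events:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        per_hour[(user, hour)] += nbytes
    return {key: total for key, total in per_hour.items() if total >= BULK_READ_BYTES}

def unapproved_uploads(events):
    """Step 2: large PUT/POST requests to hosts that are not on the approved list."""
    hits = []
    for ts, user, method, url, sent in events:
        host = urlsplit(url).hostname
        if method in {"PUT", "POST"} and sent >= BULK_UPLOAD_BYTES and host not in APPROVED_HOSTS:
            hits.append((datetime.fromisoformat(ts), user, host, sent))
    return hits

def correlate(fam, proxy):
    """Rate each unapproved upload 'high' if the same user did a bulk read within WINDOW before it."""
    reads, alerts = bulk_reads(fam), []
    for t, user, host, sent in unapproved_uploads(proxy):
        prior = any(u == user and timedelta(0) <= t - hour <= WINDOW for u, hour in reads)
        alerts.append({"user": user, "host": host, "bytes": sent, "severity": "high" if prior else "medium"})
    return alerts

print(correlate(FAM_EVENTS, PROXY_EVENTS))
```

Because every alert carries the user name from both feeds, the output answers the "who" question as well as the "what".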
This is good advice that companies need to implement. Remember, if you don’t know what your employees are doing with your data or if you don’t know who’s doing it, there isn’t a thing you can do legally to stop it. As Rich observed, this solution isn’t perfect; however, these suggestions are a great way to help protect your data and, should that data be compromised, be in a position to find out who was responsible.
Shawn Tuma is an attorney who is internationally recognized in cybersecurity, computer fraud and data privacy law, areas in which he has practiced for nearly two decades. He is a Partner at Spencer Fane, LLP where he regularly serves as outside cybersecurity and privacy counsel to a wide range of companies from small to midsized businesses to Fortune 100 enterprises. You can reach Shawn by telephone at 972.324.0317 or email him at firstname.lastname@example.org.