This is a great article from HartfordHelp, a site designed for Hartford policyholders and partners. The site is a treasure-trove of information for employers to arm themselves against claims of wrongful termination, harassment, discrimination, employee theft, etc. Knowledge is power! http://www.hartfordhelp.com.
When Computer Network Employees Go Bad
A terminated employee of a not-for-profit organization pleaded guilty to unauthorized access to her former employer's computer network. She now faces a two-year prison term and will have to pay $94,222 in restitution to the employer. "Houston Computer Administrator Sentenced to Two Years in Prison for Hacking Former Employer's Computer Network," www.usdoj.gov (July 15, 2009).
The evening following her termination and the next day, the former director of information technology illegally accessed the not-for-profit's computer network via a remote connection in her home. She then deleted important database records; including accounting invoice files, database and accounting software applications, and various back-up files. In an attempt to conceal her sabotage, she also disabled the computer logging functions on several employer servers and erased the computer logs that recorded her remote access.
Commentary and Checklist
A surprising aspect to this story is that many employees that destroy data have no clue that they are committing a crime. To some, it is just a cruel prank to get back at their employers. Employers should make their employees aware that data destruction is a crime. In this example alone, the network employee that went bad has nearly $100,000 to pay in restitution and is looking at two years in a federal prison.
The ironic aspect of this story is that the person who was in charge of data protection used her knowledge to damage her employer. Too many employers, especially smaller employers, do not take data protection seriously enough and therefore are more vulnerable to attack.
Protecting your data from theft, destruction or corruption by an employee is akin to protecting your finances from embezzlement. Employers must set up safeguards, including having more than one person in charge of data security.
In this case, the person in charge of data security had given herself the ability to access the employer’s system remotely. Had another person had access to oversee the data’s protection at the time of termination, he or she could have dismantled the remote entry at the same time that he denied her other access points.
Moreover, organizations should make it an employee offense to develop remote entry access without authorization. The organization should approve all access points.
To that point, employers should establish and enforce a policy on computer usage and data management. This Site offers a model policy on Computer, Internet and Network Usage. To see if you have access to this policy, log on and go to Knowledge Vault and then Model Policies. [for access, go to HartfordHelp and register to obtain a login id and password]
Consider these steps to get your message across that your data is not to be stolen or sabotaged:
- Establish a clear and concise policy that employer data is valuable.
- Define what is appropriate use and transfer of employer data, and provide examples of what is improper use of employer data.
- Explain that data thieves will go to extraordinary measures to capture sensitive data.
- List possible outcomes to an employee that steals or sabotages data including, but not limited to, termination and possible criminal prosecution.
- As part of employee orientation, make certain that employees acknowledge your data protection policy.
- Develop a procedure that locks down your data when an employee is terminated.
- Consider banning personal memory transfer devices such a USB memory stick.
- Consider limiting the sensitive information that employees can store on laptops.
- Consider regulating the information that employees can have access to from home and other remote entry places of origin.
This informational piece is part of "The Loss Prevention Journal" published on July 29, 2009.