A recent incident in the news illustrates a common problem with sensitive and confidential information. People can and do make mistakes when it comes to properly handling personally identifiable information (PII).
According to news reports, insurance documents from 1996 and 1997 were accidentally placed into a Tooele County, Utah employee’s personnel file. The documents had names and Social Security numbers that were not his. The information had been misfiled a long time ago and was scanned to an electronic version.
When he was terminated from his job, he asked for his employee file. He got everything on a CD and discovered the insurance documents. He contacted the state Attorney General’s office since he knew something was wrong. He wondered how many other people may have PII in their files and was concerned for his privacy.
The Attorney General (AG) referred it to the local county Attorney’s office for resolution. The AG informed the former county employee that he could be faced with legal problems and jail time if he kept the documents. He had no intention of doing so and gave them to the appropriate authorities. It’s unclear if anyone at Tooele County will face fines or other legal problems, since it was their negligence that caused the breach.
The fired employee did the right thing when he realized that he had PII in his possession. He contacted legal authorities to inform them of the problem. It sounds as if the state AG wanted to sound tough by telling him he could be charged with a felony and face up to five years in prison if he didn’t cooperate. Maybe that was just standard procedure to inform someone of their rights and responsibilities; I don’t know, I’m not a lawyer.
Fortunately, everything worked out and the affected employee was not charged with anything. The Utah county had to send out letters to all affected people informing them of the data breach. It emphasized that the data had not been intentionally accessed for unlawful use and had been returned.
Unfortunately this doesn’t solve the problem. Human error was at fault. In most data breaches, human error is at fault. This was a case of an inadvertent mistake made over 15 years ago. Who knows how many of these mistakes exist in businesses and government offices. This was not a case of a hacker or unauthorized person, but a trusted insider making a mistake.
The only way to protect against this problem is to encrypt files with a persistent security policy that controls who can access documents and what they can do with them. If that insurance document had a security policy on it, the fired employee would not have been able to open it. Data breach and notification laws in the US state that if information is encrypted, then organizations do not need to report these incidents to authorities. If it’s encrypted, no breach occurred.
It may be time to look at your HR files for possible mistakes. Lock them down and take human error out of the equation.
Photo credit aaronshreve
