Editorial: Inside Traitors
December 2007

As the national news media rightfully continues to home in on the dangers of hackers breaking into organizational databases, there remains one threat that businesses and other institutions often overlook, a challenge just as salient and, in some ways, more problematic. It’s the risk posed by corrupt insiders.
The phenomenon spans the history of human drama—from the Biblical narrative of Judas Iscariot to Shakespeare’s Macbeth, to filmmaker Martin Scorsese’s more recent gangster epic, “The Departed.”
For institutions that warehouse sensitive data, employees who steal are a disastrous wild card. A business or government agency can do everything within its power to fortify its databases against outside intruders, but if it fails to take the same defensive measures against insiders, criminal employees can exploit those remaining weaknesses to raid databases with relative ease. Then, unsuspecting consumers are left to salvage their credit and identities largely on their own as organizations struggle to mend their customers’ broken trust.
Consider the numbers from the recent study by the Center for Identity Management and Information Protection (CIMIP): of the 517 identity theft cases investigated by the U.S. Secret Service between 2000 and 2006—among the worst identity theft cases under investigation—176 of them (that’s 34 percent) were perpetrated by someone working within the organization. Not surprisingly, restaurants and gas stations, where credit cards are constantly switching hands, stand among the most vulnerable establishments, as do doctors’ offices and car dealerships, where an abundance of private identifying data is readily at a corruptible employee’s fingertips.
This brings us back to the mantra familiar to those working in the trenches of identity theft protection: an institution’s security is only as good as its weakest link. While a twenty-foot-high electric fence may keep the bad guys out, it does nothing to dissuade the criminals working within. Data security is no different. Protocols designed to mitigate foul play internally are just as important as those designed to prevent hacking from outside.
The circumstances may seem outside of many business administrators’ purviews—how can one employee prevent another from running off with potentially valuable customer information?
While it’s true that short of a crystal ball, there is no surefire way to predict or completely prevent employee-related identity theft (or any type of identity theft, for that matter), there are ways to mitigate it. And it doesn’t need to involve Orwellian systems of internal surveillance. As with any good business strategy, a combination of pragmatism and emotional tact can provide a solid foundation for data security protocol.
Store only the data your business needs
Consider first the factors that exist within an organization’s control. This would include the information that is itself being collected. Earlier this January, after TJX experienced its monumental data security breach that left approximately 94 million credit and debit card accounts exposed to computer hackers, one of the more troubling questions the company found itself being pressed to answer was why it was storing unencrypted debit and credit card numbers in the first place. According to Payment Card Industry standards, the self-regulatory guidelines advised by Visa and MasterCard, unencrypted data should never have been maintained. Keeping only the information that your business needs on a day-to-day basis is the critical first step.

Limit internal access to data
Limiting employee access to sensitive data, and performing stringent background checks on those who do have access to it, is a logical follow-up safeguard. Temporary workers should be similarly screened if they’ll have access to sensitive personal data. Some may argue that such measures seem excessive, but background screening of employees who handle financial and private data is no different than screening a pilot for sobriety before takeoff. The risk to the greater populace justifies a minor intrusion on the privacy of the individual. For those handling sensitive private information, we should expect and demand a baseline of moral competency.

Unfortunately, in a marketplace of increasingly disposable minimum-wage tasks, for some the most direct route to material accumulation is through the quick and immediate strike of identity theft and credit fraud.
Evidence from the CIMIP study suggests that employees who are dissatisfied with their jobs are more likely to steal from employers without remorse. And while this would imply that more attention ought to be paid to employees who seem disgruntled or unmotivated, the inverse of the statement should also be considered—that a positive, reinforcing work environment, paired with proper security training, can be a great deterrent to employee crime. It’s not difficult to understand why somebody would have a harder time ripping off somebody they like. Likewise, employees who care about their jobs may be more likely to act as whistle-blowers when they spot suspicious behavior among co-workers.
If nothing else, the CIMIP study should serve as a stern reminder to businesses and institutions that they must establish clear-cut rules in the workplace—uncompromising policies concerning data storage, disposal and equally important, access. In fact, they should pay attention to how the Secret Service treats personal data—as highly classified information—and follow suit.
©2003-2010 Identity Theft 911, LLC. All rights reserved.