Insider Access to Sensitive Data Must Be Carefully Controlled to Avoid Security Threats
Friday, May 31st, 2019Recently, a news report said employees of multimedia messaging app Snapchat were using internal tools to violate the privacy rights of users, shining a light on the security threat that can arise from knowledgeable insiders. But the problem of insiders misusing or abusing their access privileges in order to invade the privacy rights of individuals is not new.
In Snapchat’s case, Motherboard reported: “Several departments inside social media giant Snap have dedicated tools for accessing user data, and multiple employees have abused their privileged access to spy on Snapchat users.” Sources and emails obtained by the news outlet, “described internal tools that allowed Snap employees at the time to access user data, including in some cases location information, their own saved Snaps and personal information such as phone numbers and email addresses. Snaps are photos or videos that, if not saved, typically disappear after being received (or after 24 hours if posted to a user’s Story).”
But Snapchat is hardly the first private company to face problems with employees abusing or misusing their security access privileges to violate customers’ privacy. And it is not just technology companies facing these issues.
In 2014, the Indiana Court of Appeals upheld a jury’s verdict against a Walgreen concerning a pharmacy employee who accessed the medical record of a customer and gave the prescription information to the customer’s ex-boyfriend, whom the employee was dating. In the case, Hinchy v. Walgreen Co., et al. (pdf), Walgreen was found liable for negligent supervision and retention and invasion of privacy. In 2015, the court, upon rehearing, affirmed the original decision (pdf).
Read more »