• Categories

  • Archives

    « Home

    Organizations Must Protect Against Insider Threats to Security

    As personal information becomes more accessible and shareable through massive databases there is the question of security. Agencies and companies build protections against threats, but there is a unique problem with insider threats: Often, people are misusing or abusing their access privileges to private data rather than attempting to illegally gain access to the information.

    We’ve seen the problems that arise when insiders abuse or misuse their access privileges to individuals’ data and violate the individuals’ privacy rights. Last week, the Florida Times-Union reported that Jacksonville and a Highway Patrol trooper reached a settlement after she sued, accusing police of misusing their access to a driver’s license database to gather information on her and harass her.

    A similar situation is said to have occurred in Minnesota, where 104 officers from 18 agencies in the state accessed one woman’s “driver’s license record 425 times in what could be one of the largest private data breaches by law enforcement in history.” A state report later found such misuse was common.

    Federal databases also have the problem of insiders misusing or abusing their data-access privileges. A recent ProPublica investigation found a variety of privacy violations at Department of Veterans Affairs facilities. “Some VA employees have used their access to medical records as a weapon in disputes or for personal gain, incident reports show,” such as one case where health data was improperly accessed and used in a divorce proceeding. Other individuals misused their authority to access medical information after suicides or suicide attempts by fellow employees.

    In 2014, the National Security Agency’s Inspector General revealed in a letter (pdf) to Sen. Chuck Grassley (R-Iowa) that there were cases “in which NSA personnel intentionally and willfully abused their surveillance authorities.” One person, a member of the military, “queried six e-mail addresses belonging to a former girlfriend, a U.S. person, without authorization.” And several years ago, the State Department found that federal employees repeatedly snooped into the passport files of entertainers, athletes and other high-profile Americans.

    It’s not just government databases that are problematic. Earlier this month, ride-sharing service Uber reached a settlement with New York over alleged misuse and abuse of access to riders’ locations and personal data. The company agreed “to encrypt rider geo-location information, adopt multi-factor authentication that would be required before any employee could access especially sensitive rider personal information, as well as other leading data security practices,” the state attorney general said. The investigation into Uber’s data-access security began after the general manager of Uber NYC did something that raiseed privacy questions. During an e-mail exchange with a journalist, the Uber executive “accessed the profile of a BuzzFeed News reporter, Johana Bhuiyan, to make points in the course of a discussion of Uber policies. At no point in the email exchanges did she give him permission to do so,” BuzzFeed reported. (Uber spokeswoman Nairi Hourdajian wrote a blog post to clarify the company’s privacy policies, but it raised more questions.)

    And in 2014, the Indiana Court of Appeals upheld a jury’s verdict against a Walgreen concerning a pharmacy employee who accessed the medical record of a customer and gave the prescription information to the customer’s ex-boyfriend, whom the employee was dating. In the case, Hinchy v. Walgreen Co., et al. (pdf), Walgreen was found liable for negligent supervision and retention and invasion of privacy.

    Government agencies and private companies need to be vigilant about the security threats that come from the inside, from trusted employees. All employees need to be trained on appropriate use of private data, and there must be security protections in place in case employees choose to ignore their responsibilities. There should be access logs, including the reasons for accessing the information, and such logs should be routinely audited internally and periodically audited by an external monitor. These best practices would substantially cut down on misuse or abuse of individuals’ personal information.

    Leave a Reply