Just looking? That’s a breach. Medical snooping has received a great deal of publicity over the past few years, resulting in health sector employees losing their jobs or being reprimanded by their professional colleges. In March of this year a Master of Social Work student was ordered to pay $25,000, the highest personal fine to date for a health privacy breach in Canada. The student was found to have been illegally accessing the records of family, friends, local politicians and staff of the clinic in Northern Ontario where she worked.
We’ve seen snooping cases hit the financial sector as well, and be determined to be a breach of the federal Personal Information Protection and Electronic Documents Act. See for example PIPEDA Case Summary 2016-001 where a customer’s bank account was inappropriately accessed several times by a bank employee who happened to be the customer’s neighbour; or PIPEDA Report of Findings 2015-011 where a banking customer’s financial data was inappropriately accessed by an employee at another branch, who was a family member with whom the customer had a contentious history.
A couple of weeks ago, the Canada Revenue Agency fired an employee for the biggest single privacy breach ever detected involving confidential taxpayer accounts. Last year, eight Canada Revenue staffers were fired for snooping into records. The CRA recently completed a $10.2-million technology project that promises to monitor employee accesses to taxpayer information and to flag accesses that appear inconsistent with the employees’ assigned duties. Proactive monitoring and system alerts are certainly important, and were noted as one of the ten tips for addressing employee snooping published by the Federal Privacy Commissioner. If employees are regularly reminded that they can easily get caught accessing data that they have no need to know, they may resist the temptation and not engage in such unauthorized ‘looking’ in the first place.
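To make the “inconsistent with assigned duties” idea concrete, here is an added example (it is not the CRA’s system, nor code from PRIVATECH) of the kind of review logic such monitoring runs over an access log. It assumes three constructed inputs with hypothetical identifiers: an employee directory, a client directory, and a table of which files each employee is assigned to. An access is flagged when the file is outside the employee’s assignments, when it sits at another branch, or when the client shares a surname or postal code with the employee, which are the neighbour and family-member patterns from the PIPEDA findings above. A hit is a lead for a human reviewer, not proof of snooping; a shared postal code in particular is a weak signal.

```python
"""Flag record accesses that look inconsistent with assigned duties.

Added example with constructed data; the employee, client and file
identifiers below are hypothetical and not taken from any real system.
"""
from collections import Counter

# Constructed employee directory (hypothetical people and postal codes).
EMPLOYEES = {
    "e101": {"name": "Dana Roy", "surname": "Roy", "postal_code": "P3A 1B2", "branch": "north"},
    "e102": {"name": "Sam Lee", "surname": "Lee", "postal_code": "P3C 4D5", "branch": "south"},
}

# Constructed client files. c501 shares e101's surname and postal code
# (a family-member pattern); c502 shares e102's postal code (a neighbour).
CLIENTS = {
    "c500": {"surname": "Kim", "postal_code": "P3E 9Z9", "branch": "north"},
    "c501": {"surname": "Roy", "postal_code": "P3A 1B2", "branch": "north"},
    "c502": {"surname": "Park", "postal_code": "P3C 4D5", "branch": "south"},
    "c503": {"surname": "Tran", "postal_code": "P3F 1A1", "branch": "south"},
}

# Files each employee has a duty-related reason to open (their caseload).
ASSIGNMENTS = {
    "e101": {"c500", "c501"},
    "e102": {"c503"},
}

# Constructed access log: "timestamp employee_id client_id action".
ACCESS_LOG = [
    "2016-04-01T09:02:11 e101 c500 view",
    "2016-04-01T09:15:40 e101 c501 view",
    "2016-04-01T10:01:03 e102 c502 view",
    "2016-04-01T10:05:22 e102 c502 view",
    "2016-04-01T11:30:00 e102 c503 view",
    "2016-04-02T08:45:10 e102 c500 view",
]


def parse_log(lines):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, emp, client, action = parts
        events.append({"ts": ts, "employee": emp, "client": client, "action": action})
    return events


def reasons_for(emp_id, client_id, employees, clients, assignments):
    """Return the list of reasons one access looks inconsistent with duties."""
    emp = employees.get(emp_id)
    client = clients.get(client_id)
    if emp is None or client is None:
        return ["unknown_identity"]  # log refers to someone not in the directories
    reasons = []
    if client_id not in assignments.get(emp_id, set()):
        reasons.append("out_of_scope")
        if client["branch"] != emp["branch"]:
            reasons.append("other_branch")  # the 2015-011 pattern
    if client["surname"].casefold() == emp["surname"].casefold():
        reasons.append("shared_surname")  # possible family member
    if client["postal_code"] == emp["postal_code"]:
        reasons.append("shared_postal_code")  # possible neighbour, the 2016-001 pattern
    return reasons


def flag_accesses(events, employees, clients, assignments):
    """Attach reasons to every access that has at least one."""
    findings = []
    for ev in events:
        reasons = reasons_for(ev["employee"], ev["client"], employees, clients, assignments)
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


def summarize(findings):
    """Collapse repeated hits on the same file into one row with a count."""
    counts = Counter((f["employee"], f["client"], tuple(f["reasons"])) for f in findings)
    return [{"employee": e, "client": c, "reasons": list(r), "count": n}
            for (e, c, r), n in sorted(counts.items())]


if __name__ == "__main__":
    for row in summarize(flag_accesses(parse_log(ACCESS_LOG), EMPLOYEES, CLIENTS, ASSIGNMENTS)):
        print(row)
```

Run as-is, the script reports three rows: e101 opening c501 (assigned, but flagged for the shared surname and postal code), e102 opening c500 at another branch, and e102 opening c502 twice with no assignment and a shared postal code. The assignment table is the part that makes this workable in practice; without a record of who is supposed to be working on which file, every rule degenerates into the weak identity heuristics.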
However, technology-centric security takes a defensive approach and is constantly undermined by emergent human behaviour, including snooping. As soon as fear replaces the desire to ‘do good’ as the primary motivation for tighter security controls, security culture actually weakens. People need to be made part of the security solution. See Dr. Lance Hayden’s book on People-Centric Security.
Your employees’ information values
Your business’s most important asset is not really information, it’s your people. All the software tools in the world can’t replace people with strong information values. So how do you reduce the people-risk? Look at your hiring practices for starters. Use job interviews to identify potential hires who already know and care about protecting confidential data. For example:
- Ask the candidate to describe their understanding of the privacy principles;
- Ask the potential hire to offer examples of how security measures protect sensitive information;
- How would the candidate deal with a suspected data breach? Employees who are passive, uninterested or otherwise unmotivated to do anything about suspected incidents are not an asset to a company;
- Probe to determine whether the candidate understands security basics: Use the interview to cover password sharing, off-site data, use of mobile storage and any other areas your company feels particularly strongly about.
Aside from the specifics of the candidate’s responses, look for how receptive they are to the security discussion. For existing employees, Dr. Hayden’s book contains an excellent security culture diagnostic survey to gauge employee perspectives and behaviors.
So certainly invest in the technology – but less costly initiatives may take you even further. Working on your security culture, including incorporating security into your candidate interviews and, as discussed in a previous blog post, putting highly targeted awareness training into place, pays off in ways software alone cannot…invest in your people.
For assistance with enhancing your organization’s security culture, contact PRIVATECH.