Breathing a sigh of relief that he neither works for U.S. agencies requiring security clearances nor do his hiring policies require the details of mental illnesses, drug and alcohol use, past arrests, bankruptcies, Joe Hyre was oblivious to the ranting of Dez Grunteld, a whining employee who he fired last week. Over the weekend Dez hacked into the Ten U Us Employment records and downloaded personnel files containing social security numbers, dates of birth and credit histories of Ten U Us Employment’s people. Not satisfied, Dez deliberately crashed five of the company’s eight network servers as further retribution, permanently erasing all of the information, and forcing Ten U Us to shut down operations in its headquarters for two days sustaining losses in excess of $100,000. Can Joe Hyre instruct his Ten U Us employees to access Dez Grunteld’s old email account to investigate the damage Dez caused? Is Ten U Us responsible to the employees whose information was stolen?
Hack Grunteld Back?
Maybe Hyre can access Dez’s old email account to investigate the damage he caused. Among other things, the Electronic Communications Privacy Act (ECPA) regulates private individuals and businesses, arguably giving employees of private entities a right to privacy in their e-mail. While there are equally good arguments that employers who own the computer system used by their employees have the right to monitor employees’ e-mail, the simplest solution is for Ten U Us to follow the terms to which Dez Grunteld agreed in his employee handbook.
Responsible for Employee Files?
Yes, Ten U Us is almost certainly responsible to its employees for the loss of their sensitive personal information. The Texas Business & Commerce Code obligates businesses to implement reasonable procedures, including taking any appropriate corrective action, to protect the unlawful use or disclosure of any sensitive personal information collected or maintained by a company in the regular course of business, both for customers and employees. Moreover, Texas law imposes notification requirements for the breach and disclosure of sensitive personal information, even if only potentially exposed, for employees and customers alike.
Although the cyberbreach of more than 14 million U.S. government personnel records detailing, among other things, military records, job and pay histories and life insurance and pension information was the clever work of Chinese hackers, most business cyber breaches are inside jobs. Speaking of China, did you know that, over the centuries of repelling Mongolian invaders, the only time that the Great Wall of China was breached was in 1644? The gates at Shanhaiguan were opened by Wu Sangui, a Ming border general who disliked the activities of rulers of the Shun Dynasty. Whether in 1644 or 2015, the most likely breaches of your secure walls – whether they be fortifications or computers – is a dissatisfied employee like Wu Sangui or Dez Grunteld.
Tilting the Scales in Your Favor
Ideally? Immediately address resentful or disgruntled employees in a fair and benevolent way. For double coverage, however, plan for a possible separation or firing by implementing the following recommendations:
- Cyber Insurance. The detailed insurance company evaluation of your company’s IT department should become the blueprint for internal company protection of sensitive information. Premium costs, depending upon coverage and current IT protection systems can vary dramatically.
- IT Policy. Create and enforce an acceptable use policy for your Internet, Email and Computer systems.
- Content Filtering. With a content filtering device, monitor internet usage to restrict websites accessible to employees. Consider restricting access to personal emails – a common vehicle for “stealing” company files.
- Social Networking Sites. Deny, or at least limit, free access to social networking sites like, Facebook, Twitter and the like, as they invite inappropriate content, viruses, and theft.
- Password Integrity. Require separate and regular changed passwords for each employee who accesses a company computer and server. The password should not be known by anyone else.
- Regular Audits. Audit computer files for user access and deletion.
- Monitor server event logs.
- Use Terminal Servers if possible.
- Back up at least once a month. Test your backup because restoration data is frequently corrupted, or worse was never backed up at all.
Past Related Articles: Cyber Security: Forewarned is Fair-Warned
Don’t Be a Target: Mitigating Liability From Cyber Attacks
Weighing in – 1.2 Billion Usernames and Passwords. What, Me Worry About CyberSecurity?
Sony vs. N. Korea – Let Capitalism Fight Totalitarianism!