Inside 1to1:Privacy

The Insider Threat: Washington AG Tackles Risks From Within

February 1, 2007

By Don Peppers and Martha Rogers Ph.D.

For all the concern about the privacy perils associated with online information theft, most of the recent large-scale issues have stemmed from the workplace. Increasingly the most pervasive threat has proven to be so-called insiders who wreak havoc from within.

In response to these damaging thefts, Washington State Attorney General Rob McKenna has endeavored to better educate employers and consumers. Among other things, he seeks bulked-up privacy/security legislation and more in-depth screening of employees. As part of the effort, McKenna has pushed for better coordination and deployment of resources among federal authorities, the law enforcement community and consumer protection entities.

Asked what prompted him to go after insiders using personal data for nefarious purposes, McKenna points to the high incidence of identity theft in Washington state, which ranks seventh in the country in identity-theft reports per 1,000 citizens. “[Insiders] aren’t responsible for all of this, obviously,” he explains. “It’s an area where you haven’t seen too much focus so far. Everybody’s been busy talking about encryption, when you have people sneaking in and stealing the data right from under companies’ noses.”

Insider identity theft can take any number of forms. Among the most common: A scamster hires an individual who works at a company in a non-data-related capacity to steal sensitive information left lying around by careless workers, or forges an ID badge allowing one of his/her minions access to similarly unsecured files. In one case recently filed, an individual employed by an after-hours janitorial service pilfered information left lying around in the open at a bank; in another, a medical-clinic employee loaned an access badge to a thief, who promptly rifled through medical records left out in anticipation of the next day’s patients.

As part of his effort to better coordinate identity-theft prevention among the aforementioned groups, McKenna helped assemble LEGIT (Law Enforcement Group against Identity Theft). Recently, the multi-agency group sent a letter to 800 government officials across Washington State, prodding them to take a close look at the security of the information they store. Among the letter’s recommendations were that they should run a background check on all employees with access to sensitive data (“screening for fraud convictions, basically,” McKenna says) and require all employees to wear an ID badge around the office, so that intruders are more readily identified.

“Those aren’t exactly new ideas, but there are lots [of organizations] who don’t even do that much,” he adds. A similar letter might be sent out to Washington Chambers of Commerce, businesses and private-sector groups.

As for privacy pundits, they have no shortage of ideas when it comes to preventing information theft by organizational insiders. They largely agree with the steps McKenna is taking, adding that at a very minimum, no records should be left accessible during the hours when an office is sparsely populated; that all sensitive information should be locked up overnight; and that documents containing personal data should be shredded, rather than chucked into a recycling bin.

“What they should be doing, and what many people are doing already, is the basic blocking and tackling of privacy and security,” says Alan Chapell, president of privacy/security consultancy Chapell & Associates, who points to another area of concern. “I worry that nobody’s quite nailed down the cell phone issue. How many people’s information do you have in your cell phone or BlackBerry? Now that the mobile device is increasingly becoming that portable PC, you have to be more careful, especially when the device can link to an organization’s network.”

McKenna declines to assess the success of his anti-insider-theft mission so far, as the before/after data won’t come in for another year or two. Still, he lauds businesses and law-enforcement entities for their cooperation and diligence, and is encouraged by the anecdotal evidence he has noticed. “There’s a much higher percentage of businesses buying shredders and locking mailboxes,” he notes. “But we still have a long ways to go.”