ICO Warns on Leaving Employees Walking Off With Company Info

Steve Gold - SC Magazine UK

The Information Commissioner's Office (ICO) has warned staff that walking off with the personal information of their employer when changing jobs is a criminal offence.

The warning comes in a week when a paralegal - who previously worked at Dewsbury-based Jordans Solicitors - was prosecuted for illegally taking the sensitive information of more than 100 people before leaving for a rival firm in April 2013. The UK data regulator say the information was contained in six emails sent by James Pickles in the weeks before he left the firm.

Pickles had hoped, says the ICO, to use the information - which included workload lists, file notes and template documents but still contained sensitive personal data - in his new position. He was prosecuted under section 55 of the Data Protection Act and on Tuesday fined £300, ordered to pay a £30 victim surcharge and £438.63 prosecution costs.

Commenting on the case, Stephen Eckersley, the ICO's Head of Enforcement, said that stealing personal information is a crime.

"The information contained in the documents taken by James Pickles included sensitive details relating to individuals involved in ongoing legal proceedings. He took this information without the permission of his former employer and has been rewarded with a day in court and a substantial fine," he said.

"Employees may think work related documents that they have produced or worked on belong to them and so they are entitled to take them when they leave. But if they include people's details, then taking them without permission is breaking the law. Don't risk a day in court," he added.


Three main challenges
According to Nigel Stanley, practice director for cybersecurity, risk and compliance with OpenSky UK, there are three main security challenges facing employers when it comes to tackling information theft by staff: governance, policy and procedures.

"Employers clearly need to enforce a security policy, typically using suitable technology, but there are limitations to the technology. An employee could, for instance, photograph the screen of data they are working on. That doesn't mean we shouldn't take precautions, such as locking down USB ports on a machine and so on," he said.

An incident response plan, says Stanley, is something of a must-have in these situations, as it advises managers who to call - eg legal, public relations etc., when an employee data theft situation - or similar security incident - takes place.

Response plans, he adds, are necessary, because - as the Pickles case shows - incidents like this will happen to organisations, since the insider threat is quite prevalent in many organisations.

"I've just completed this process with a client. We developed an incident response plan that advises on who to call, developed a flow chart on what happens, and what actions need to be taken. This is something that all businesses need to think about," he explained.

Tom Cross, director of security research with Lancope, said that research by US-CERT at Carnegie Mellon University breaks down malicious insider attacks into three common themes: disgruntled insiders who damage systems or data; insiders who commit fraud using information they have access to, such as credit card numbers; and insiders who steal intellectual property because they intend to use it in a new job or sell it to a competitor.

"Insiders who steal intellectually property usually do so in the last few weeks of their employment. They often feel a sense of ownership or entitlement to the things that they are stealing, because they worked on them in their jobs," he said, adding that detecting this type of data leakage can be carried out using audit trails on network activity, as well as network monitoring for anomalous data transfers, particularly during the last few weeks of a person's employment.

Toyin Adelakun, vice president of Sestus, meanwhile, says there is a lot more to covering this risk - to corporate entities as well as to individual staff members - than technology.

It is often, he said, best to address the risk in top-down fashion, using people, processes and technology, with dual controls being imposed on personally identifiable information, and the enforcement of policies through the use of IAM (identity and access management) technologies and tools.

Defend your data
Professor John Walker, a visiting professor with Nottingham-Trent University's School of Science and Technology, said that the need to defend data in an employee-company situation is all the more necessary today, when words of agreement do not result in real security.

If a company does not tie down its active directory and its access control lists, he says, it will likely hit security problems.

"Allowing employees to populate open shares containing PCI-DSS data, client data and a plethora of sensitive and business-related data, is becoming all too common," he explained, adding that the appointment of young and inexperienced security managers in our industry is only adding to the potential scale of the problem.