Naming and shaming

So here’s a bit of an odd story… according to the Financial Times, the US Federal Reserve has publicly sanctioned an ex-employee of a leading financial institution after said employee was terminated for sending confidential work information to his personal email account “so that he could work on it at home.”

Most of the story is familiar to any CSO – the company provides employees with at least one (and probably multiple) ways to remotely access the corporate network securely, but our “hero” decides that it is easier to simply send the files they want to work on at home to their Yahoo email account. Of course, this is a bad idea and against corporate information security policies – the email account or employee’s home computer could be compromised, needlessly exposing corporate data. So, the financial institution does the right thing and disciplines the employee, in this case by termination. End of story, one would think.

But no – apparently, somehow the Fed then got involved and filed an administrative action that names and shames our protagonist and requires them to disclose this breach to any future financial industry employer AND keep the Fed informed of where they work in the financial industry in the future.

This is a really interesting case – I cannot remember seeing anything remotely like this in the past. There was no disclosure of customer information or damage to a customer – this was strictly a violation of corporate security policy.

On the one hand, actions like this provide a rather strong deterrent to folks who may be thinking of taking a “shortcut” when it comes to security. It also provides companies with a way of identifying potential security risks during hiring.

It is really not a bad idea – if it were to be something applied universally and consistently for specified serious security violations. Of course, there would need to be a lot of work done to decide what kinds of violations would qualify and to ensure that the accused would get a fair chance to defend themselves against spurious charges.

As an isolated event, the deterrent power of this type of action will be limited – people have very short memories. And if it remains an isolated event, it seems a bit unfair to impose such a harsh sanction on a single person when I am sure there are many, many people being fired from their jobs for security related violations who will never face this type of action.

It sort of makes me wonder what the back story to all of this is – how the Fed got involved and how the decision to proceed with this action was made. I am also curious to see if this action marks a beginning of a new regulatory approach in general or if it is a one off event. Stay tuned…
