A few lessons for us infosec professionals from this:
First: The definition of insiders expands as businesses continue to outsource functions which used to be done in house.
Second: Vendor Risk Management programs need to pay special attention to law firms. These guys are like companies’ confessors; we tell them all of our deepest secrets and rely on them to keep things secret.
In the UK, a disgruntled employee leaked payroll data for 100,000 employees of a very large supermarket chain to newspapers in order to embarrass the firm after being disciplined for bad behavior. The courts found that the employees have the right to sue the supermarket chain for damages, as it was “vicariously responsible” for the acts of its employee.
In contrast, a similar case in the US against Coca Cola had a very different outcome. A Coca Cola employee sold laptops which they had been tasked with destroying, and these laptops contained personal information of employees. Employees sued, but the courts dismissed all of their claims, saying that Coca Cola could not have known about the rogue employee’s activities.
This case has a few lessons for infosec professionals:
First, if your firm operates in multiple jurisdictions, the laws and norms in these jurisdictions can be very different. When judging risk and formulating policy, work with your legal departments to make sure you understand these differences.
Second, I feel that this case also shows the differences in attitudes to personal information in the US and the rest of the world. It seems like the US does not value individual privacy nearly as much as other countries. Again, if you operate in multiple jurisdictions, you need to keep this in mind.
As the stakes get higher for organizations (for example $20M or 4% of global revenues for each breach of the EU GDPR), these are things we need to worry about. Buy your general counsel a beer and talk it out before you have to deal with a lawsuit.
I have the privilege of serving as a mentor for a course at SUNY-Albany focusing on the problems posed by insider threats. Since I am SUCH a wonderful mentor, I will be keeping an eye out for interesting resources for the students. Since these might also be useful to others, I will be blogging a list of them each week.