The Duke Energy incident isn't the only local (N.C.) breach arising from employee theft of data already this year. According to the Identity Theft Resource Center's 2014 breach list, an employee of the Alamance County Department of Social Services, whose job had been to investigate claims of abuse and neglect against minors and disabled adults, stole and then sold the personal information of abuse victims. The Greensboro News & Record reported that the DSS employee sold personal information to two tax return preparers in Greensboro, who listed the stolen identities on their clients' returns in order to claim inflated tax refunds on the clients' behalf. The preparers paid the DSS employee $200 to $300 per identity.
The lesson here is fairly straightforward: Even the best software will not protect an organization from a breach at the hands of a dishonest (or foolish) employee or contractor. Therefore, it is important to focus not only on preventing hackers from penetrating your organization's computer systems, but also on recognizing the very real possibility of an insider breach and establishing a response plan that complies with the law and mitigates the liability and reputational risk to the organization.
When an employee obtains unauthorized access to customer information about N.C. residents, the employer must quickly determine the following:
- Which laws apply? (North Carolina's general ID theft statute and/or industry-specific statutes, such as federal financial institution law or healthcare law)
- Does the information accessed include protected information?
- Has a "breach" actually occurred as defined under the applicable law(s)?
- Does the law require a notice to customers?
- What must, or should, the customer notice include?
- Does the law require a report to authorities? If so, which authorities?
- What must, or should, the report to authorities contain?
- What steps can be taken to mitigate losses?
- What immediate steps can be taken to prevent similar incidents?
- What steps does any existing breach response policy require?
- What steps do existing contracts require, if any?
- Who will be responsible for taking these steps?