In our daily lives, we all commit our souls when signing a contract of employment. Whether you are an employee or a contractor, similar rules apply when it comes to respecting company data and the associated data policies.
In reality, how many times have you reached over to a colleague to borrow a USB stick to copy data for a meeting, potentially and unwittingly breaching your company’s data policy?
When data gets compromised
Some compromises can be far more sinister. In a case recently reported by the Information Commissioner’s Office (ICO), an employee of a waste management company based in the UK emailed the details of 957 clients to his personal email address as he was leaving to start a new position at a rival company. These documents contained personal information, including the contact details and purchase history of customers, and other commercially sensitive information.
Steve Eckersley, head of enforcement at the ICO said:
“Taking client records that contain personal information to a new job, without permission, is a criminal offence.
“Employees need to be aware that documents containing personal data they have produced or worked on belong to their employer and are not theirs to take with them when they leave. Don’t risk a day in court by being ignorant of the law.”
Appearing in Court on 26th May 2016, the now ex-employee pleaded guilty to unlawfully obtaining data and was prosecuted under section 55 of the Data Protection Act. He was fined £300, ordered to pay a victim surcharge of £30 and £405 costs.
This was a widely reported incident of an employee doing something many have done inadvertently. Imagine the number of similar occurrences that have gone unreported, the number that have occurred at sysadmin level, and the number of contractors with access to far more sensitive data that could have found its way outside the organisations that employed them.
Unlawfully obtaining or accessing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of ‘fine only’ in a Magistrates’ Court or a Crown Court. The ICO continues to call for more effective deterrent sentences, including the threat of prison, to be available to the courts to stop the unlawful use of personal information.
Change is coming
Today the ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit. The ICO has the power to impose a monetary penalty of up to £500,000. With the new General Data Protection Regulation (GDPR) now ratified, can companies take the risk, with fines rising to 4% of annual worldwide turnover (e.g. for breach of requirements relating to international transfers or the basic principles for processing, such as conditions for consent)?
So why Wallix?
The Wallix AdminBastion (WAB) Suite has a simple architecture designed for pervasive, sustainable deployment. It creates a single gateway with single sign-on for access by system admins.
WAB’s agent-less architecture is lightweight, making the solution inexpensive and easy to deploy and adapt. The agent-less approach mitigates the risk that changes in protected systems will require extensive revamping of the PAM solution.
WAB has a simple architecture, but a sophisticated and rich feature set that can scale with even the largest organisations. WAB gives you the tools to make PAM an enduring, pervasive and consistent part of your security program.
For more information about the Wallix AdminBastion, visit www.wallix.com.