<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Defense &#187; Credit Card Data</title>
	<atom:link href="http://www.cybersecurityinformation.com/tag/credit-card-data/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cybersecurityinformation.com</link>
	<description>Cyber Security and Risk Management Blog</description>
	<lastBuildDate>Mon, 14 Nov 2011 02:28:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1</generator>
		<item>
		<title>What Your Employees Know About Your Business</title>
		<link>http://www.cybersecurityinformation.com/2009/07/30/what-your-employees-know-about-your-business/</link>
		<comments>http://www.cybersecurityinformation.com/2009/07/30/what-your-employees-know-about-your-business/#comments</comments>
		<pubDate>Thu, 30 Jul 2009 23:58:44 +0000</pubDate>
		<dc:creator>Martin Walker</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[Credit Card Data]]></category>
		<category><![CDATA[cyber risk]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data theft]]></category>
		<category><![CDATA[perimeter security]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=422</guid>
		<description><![CDATA[What your employees know about your business might keep you up at night if you really thought about it.  In some cases the employee may have greater targeted knowledge or access to data than the owners, principals, executive team, or directors. What your employees know about your business may be of strategic value and provide [...]]]></description>
			<content:encoded><![CDATA[<p>What your employees know about your business might keep you up at night if you really thought about it.  In some cases the employee may have greater targeted knowledge or access to data than the owners, principals, executive team, or directors.</p>
<p>What your employees know about your business may be of strategic value and provide that competitive edge.  It may be the special sauce that took the company years to develop and it may walk out the door prior to any exit interview or tender of resignation.</p>
<p>Recent surveys, media reports, prosecutions, and our investigations show an alarming number of ex-employees stealing company data, including when changing jobs. Compromised data may include customer lists, contact information, know-how, and other forms of intellectual property. The majority do so in order to benefit in some financial arrangement or assist with a new job. A recent theft of a proprietary trading platform at a major Wall Street financial institution is under investigation. The platform enabled the firm to generate millions in trading profits each year.</p>
<p>There is a growing, pervasive sense of entitlement to works for hire. Access to computers and technology without appropriate controls makes such theft inviting and simple for those inclined. How these thefts occur and remain undetected for extended periods of time has much more to do with the lax protective measures in place within the organization than the skills of the perpetrator.</p>
<p>In our investigative experience we have seen far too many cases where there is employee theft, limited binding agreements, no procedural or technical controls or measures, and far too much blind faith and trust extended to those who are not trustworthy.</p>
<p>Forgive me if my experiences make me appear cynical, but I have seen thieves rob charities, business owners’ life’s work compromised by overzealous employees, and organizations hobbled and made vulnerable by employees gone bad.</p>
<p>Too often, the lack of detective measures and the extended periods before suspicion and investigation, further compounded by the lack of protocol in disengaging employees, compromise critical evidence. Lacking substantive evidence, it is increasingly complex and costly for the organization to pursue justice in what may otherwise have been a clearly defined case.</p>
<p>Organizations must take comprehensive controls and measures seriously to avoid a potentially devastating event precipitated by an individual to whom the organization has extended its trust. This starts with the appropriate legal, technical, and procedural controls from engagement through discharge. Employer beware.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/07/30/what-your-employees-know-about-your-business/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Who’s responsible for the costs of credit card theft?</title>
		<link>http://www.cybersecurityinformation.com/2008/08/01/who%e2%80%99s-responsible-for-the-costs-of-credit-card-theft/</link>
		<comments>http://www.cybersecurityinformation.com/2008/08/01/who%e2%80%99s-responsible-for-the-costs-of-credit-card-theft/#comments</comments>
		<pubDate>Sat, 02 Aug 2008 00:25:24 +0000</pubDate>
		<dc:creator>Martin Walker</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[IT Security Technology News]]></category>
		<category><![CDATA[Credit Card Data]]></category>
		<category><![CDATA[Payment Card Industry PCI]]></category>
		<category><![CDATA[Security Breach]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=29</guid>
		<description><![CDATA[A recent article in Information Week briefly discusses last week’s reversal by a federal appeals court of a lower court’s order that credit card processor Fifth Third Bancorp did not have to pay for new credit cards for some cardholders whose data was stolen during a 2004 hacking incident at BJ’s Wholesale Club.  The suit [...]]]></description>
			<content:encoded><![CDATA[<p>A <a href="http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209400073" target="_blank">recent article in Information Week</a> briefly discusses last week’s reversal by a federal appeals court of a lower court’s order that credit card processor Fifth Third Bancorp did not have to pay for new credit cards for some cardholders whose data was stolen during a <a href="http://www.informationweek.com/news/management/showArticle.jhtml?articleID=164900340" target="_blank">2004 hacking incident at BJ’s Wholesale Club</a>.  The suit was originally brought by the Pennsylvania State Employees Credit Union.</p>
<p>Essentially it goes like this. In 2004, BJ’s Wholesale Club’s ineffective information risk management led it, first, to store customer credit card data that it should not have been storing and, second, to provide not even a modicum of security around it. Apparently the data was stored unencrypted, with default passwords, and with limited or no monitoring, all of which allowed the customer credit card data to be stolen.</p>
<p>BJ’s settled charges with the FTC “that it failed to provide adequate security for its customer data” in 2005.  BJ’s also recorded $10 million in related costs.  In addition to the $10 million, under terms of the settlement BJ’s will implement a comprehensive information security program and be subject to third-party audits every other year for the next two decades.</p>
<p>PSECU, a card issuer who suffered a $100,000 loss reissuing cards to its affected members, sued BJ’s and Fifth Third Bank in 2005. The credit union lost at the district court. The new ruling reverses the district court ruling and will allow the Pennsylvania State Employees Credit Union to continue with its case against BJ’s and Fifth Third Bank. The ruling found that even though the credit union was not a direct party to the contracts between VISA, BJ’s, and Fifth Third, it has third-party beneficiary rights.</p>
<p>I can understand PSECU suing BJ’s. After all, it was BJ’s inadequate security that led directly to PSECU’s loss. However, PSECU is claiming 5/3 bore some responsibility for inadequately training BJ’s staff. It is completely beyond me why this is 5/3’s responsibility. Nevertheless, this ruling could have far-reaching consequences in the payment card industry by effectively making card processors responsible for the sins of their merchants. It could possibly lead to changes in the PCI-DSS standards, to processor-required training programs, and to insurance impacts, or even force processors into effectively “policing” the PCI compliance and information risk management practices of their merchants.</p>
<p>It will be interesting to see how the suit finally turns out.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2008/08/01/who%e2%80%99s-responsible-for-the-costs-of-credit-card-theft/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

