In Issue 2...

Restricting Account Access - Celebrity and Other Sensitive Accounts.
   

In this issue, we discuss the risks involved with allowing unrestricted access to the records of high-profile customers.

 

The official privacy policy of virtually every company has a provision to the effect of, “Your private information will only be viewed by employees that require access to perform their jobs”.

Are you sure you can live up to that promise?

While your policies may state this, it is difficult at times to deliver. The urge for employees to “bend the rules” can become too great to resist when celebrity accounts are involved.

Part of management's job is to identify opportunities to lie, cheat or steal, and to reduce or eliminate those opportunities. For instance, banks don't let employees enter the cash vault by themselves. You don't do this because you distrust a specific employee. You do it to eliminate the temptation for all employees.

The UCLA Medical Center had a recent scandal where over 100 employees reviewed the medical records of a celebrity. A number of the viewings actually happened after the Medical Center warned employees that the records were being monitored.

Don't think this is limited to your computer systems. The signature of a celebrity on a signature card, a work authorization, a personal check or credit application might prove tempting.

Many years ago, a colleague of ours was in charge of signing all Accounts Payable checks. This included the monthly Board of Directors stipends. This bank happened to have a director that was a famous TV judge. To this day, our colleague still shows her friends the copy of one of the checks with her signature and the Judge's name. Customer Information Security breach?

How would your company respond if the credit card charge or personal check of a politician/customer were linked to an illegal or unseemly act, and the leak of the information was traced back to your company?

Removing or restricting access to sensitive information is not an option. It is a requirement. Reducing or eliminating the temptation to access special accounts is smart business.

For consideration: Do your systems allow you to restrict account access on an individual account level? Do you have a specific policy for celebrity accounts similar to employee accounts? What restrictions are placed on information stored on paper, microfilm or disks? What about archived records? What changes could be made to your Incident Response program? What damage to your reputation could ensue? Has your annual Security Controls audit reviewed all repositories of customer information, not limited to computerized systems?

More information:

More UCLA Medical Center employees peeked at celebrities' records, state says

Copyright 2014 Bison Risk Management Associates
[925] 658-4457
1145 2nd Street • #A251 • Brentwood, Ca • 94513