The discussion of disciplining an employee for privacy/security policy violations is a frequent one. Recently, I was privy to a conversation where “fear” was advocated as the means to prevent privacy/security breaches. This was in the context of breaches involving emails (e.g., attaching the wrong document to an email resulting in personal information being disclosed) and the author advocated mandatory termination for all such violations.
Using management techniques favored by despotic regimes isn’t going to advance information security within your organization. If there is no doubt that an employee will be fired for an infosec incident, there is no incentive to report it. The fact is, accidents do occur, and even the most conscientious of us have our bad days.
All businesses should have a written HR policy that states violation of company policies may result in discipline up to and including termination. This should also be reinforced in training and awareness campaigns when appropriate. Whether an employee should be fired for a policy violation, including privacy violations, depends on the facts and that employee’s record with the company.
Most employees, particularly in high performing organizations, feel awful when they have made a privacy or infosec related mistake. In my experience the employee is almost always able to identify what they did wrong and what s/he could have done differently. Sometimes, these incidents expose a hole in your training and awareness materials that you need to fix (or reveal that senior management isn’t supportive of privacy compliance). Often, these employees become evangelists within the organization about the issue on which they made a mistake. Why would you want to terminate an employee who is unlikely to make the same mistake and who is likely to take his/her personal experience and turn it into institutional experience by educating his or her colleagues and making sure the processes that s/he is responsible for take the issue into account?
Let me give two examples where termination and a policy to terminate may be appropriate:
(1) A very large vendor lost three laptops over nine months containing information for the same client. The laptops did not have full disk encryption, but had specific encrypted folders in which customer information was to be placed. In all three incidents, the customer data had not been placed in those folders. After the first incident, the vendor told the customer that a full disk encryption program was being kicked off and that all laptops would be encrypted within 12 months. After the second incident, the vendor stated that the program was already under way, that its speed would be increased to “breakneck,” and that the laptops belonging to employees working on the customer’s data would be prioritized. After the third, the vendor (among other things) initiated a policy that any employee who brought a laptop into a pub would be fired automatically, regardless of who the employee was. (An internal study had determined that the vast majority of stolen and lost laptops were lost in pubs.) The policy was carried out without exception as far as I am aware.
This is an example of an appropriate termination policy for information security related events. It is narrow (it applies only to employees who bring laptops to pubs) and was put in place based on the results of an investigation (a study showed this is where the majority of incidents were occurring). Millions in revenue were at stake, not to mention the reputation of a highly public brand.
(2) Advice was given to an employee regarding marketing in the EU. Three specific scenarios were described. The advice was concise and well written. The employee then engaged in one of the specific scenarios in a manner contrary to the advice given. That employee was fired, and I agree with that decision.
I think that much of the push to elevate the sanctions for privacy related incidents came about because for years privacy wasn’t taken seriously and discipline did not match the offense. Now that privacy is generally taken seriously and discipline is in line with that for violations of similar policies, I don’t want to see a rush to extreme responses.