According to DataLossDB, which has been tracking data loss events since 2001, 20% of all data loss incidents are due to employee negligence and 8% are due to employee theft of data.
Why so many employee data loss incidents? To evaluate accidental data loss, let's look at the problem from the perspective of the data. In this case, let's consider data that is stored in a data warehouse.
The data warehouse is locked down and access is restricted to a small set of data analysts and administrators. Of course, the data exists to be used to support business decisions. To that end, a business analyst who fancies herself good at twisting data around in Microsoft Access gets the database administrator to dump a set of data for her to use in a financial product analysis. She does her primary work on her workstation, but being a high performer she also stores the data on an external drive so she can work on it at home off hours. She discovers some very interesting patterns that support the creation of a new financial product. She emails her analysis and the supporting data to a half-dozen people. Three of the recipients save the reports to their unencrypted laptops. One person fetches the document from home on his home computer through the company Outlook Web Access mail system. Another just forwards the email to her personal email account to read from home.
From its secure origins in the warehouse, the data has quickly spread to numerous insecure and unauthorized systems: an external drive, several unencrypted laptops, a home computer, and a personal email account. None of these were in scope when the warehouse's access controls were designed, and none of them are administered by the people who restricted access to the warehouse in the first place.
Here are a few real-world examples that show our hypothetical scenario isn't so hypothetical:
· April 3, 2009 – An Oklahoma Department of Human Services laptop containing the personal data of one million people was stolen from an agency employee's car.[1]
· June 18, 2007 – A Texas A&M professor lost a USB flash drive containing personal identification information of 8,000 students while on vacation in Madagascar. The professor said he took the data so he could do work while on vacation.[2]
· September 2008 – An ADP employee accidentally sent a spreadsheet containing the personal identification information of a client's employees to the wrong client.[3]
· October 2006 – The Republican National Committee inadvertently emailed the names and social security numbers of top donors to a reporter.
Here is a link to the DataLossDB statistics. Good stuff there.
[1] http://www.scmagazineus.com/unencrypted-laptop-with-1-million-ssns-stolen-from-state/article/131333/
[2] http://attrition.org/dataloss/2007/06/tamcc01.html
[3] http://datalossdb.org/primary_sources/973