Maintaining Information Security and Privacy

August 9, 2010

Early last week, a USB key containing hundreds of Ontario patient health information files was stolen. According to the CBC, the USB key was not encrypted and was taken from the purse of a University Health Network (UHN) employee. The theft has prompted calls for stronger protection of sensitive information, and it is the second incident in under a year in which private patient information in Ontario was compromised through theft. The lesson applies to any business that holds client or customer personal information: encrypt sensitive data wherever it is stored, and especially on anything portable. Controlling access to information further reduces the chance of a breach, because fewer people can view or copy sensitive records. Training programs and internal procedures related to information security must be evaluated regularly to confirm that every employee actually completes the steps needed to safeguard information.

Preventing Information Security Breaches

Preventing information security breaches needs to be a main priority for any company that handles customer or company information. Regarding the incident above, the CBC article “Hundreds of Ont. Patient Health Files Stolen” quotes Ontario’s Information and Privacy Commissioner, Ann Cavoukian:

“The ease with which we transfer information now and we engage in online activities, somehow it’s factoring into this and not making people go through the steps they need to.”

The ease of accessing and sharing information has significantly increased due to the use of e-mail, Internet, intranets, mobile devices and other portable technologies. These developments make communication easier and faster, but can also compromise data security. Here’s a list of steps companies can take to ensure sensitive information remains protected and prevent future information breaches from occurring:

1. Encryption

Encryption is one of the simplest ways to ensure that sensitive information stays private even when the device holding it is lost or stolen: a lost USB key whose contents are properly encrypted is far less likely to become a breach than one whose contents are readable by whoever finds it. There are many disk- and file-encryption products on the market, and hardware-encrypted USB keys are a worthwhile investment to avoid situations such as the UHN incident above. Choose the cipher and key length appropriate to the sensitivity of the information (for personal health information, use a modern standard cipher such as AES rather than a product’s proprietary scheme), and remember that the encryption is only as strong as the passphrase that unlocks it. Develop a policy for passphrase strength: longer passphrases that mix upper- and lowercase letters, digits and symbols are far harder to guess, and the encryption key should be derived from the passphrase with a deliberately slow function so that brute-force attempts against a stolen device are expensive.
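Here is an added example, written for this page and not code from the original post or from i-Sight, of the two pieces a file-encryption tool needs in order to make the advice above stick: a passphrase policy check and an authenticated encryption routine (AES-256-GCM) whose key is derived from the passphrase with a deliberately slow function (PBKDF2-HMAC-SHA256, written out so the example depends only on the Go standard library). The iteration count, the 14-character minimum, the three-of-four character-class rule and the sample record are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
	"unicode"
)

const (
	saltLen    = 16
	nonceLen   = 12
	pbkdf2Iter = 100_000 // assumed for the example; tune so one derivation costs ~100 ms
	minPassLen = 14      // assumed policy minimum
)

// pbkdf2SHA256 derives a 32-byte key exactly as PBKDF2 (RFC 8018) with HMAC-SHA256 does.
// SHA-256 output is 32 bytes, so only the first PBKDF2 block (INT(1)) is needed for AES-256.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1})
	u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(1))
	t := append([]byte(nil), u...) // T_1 = U_1 xor U_2 xor ... xor U_c
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil) // U_i = PRF(P, U_{i-1})
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// CheckPassphrase enforces the policy: a minimum length and at least three of four
// character classes (lowercase, uppercase, digits, anything else such as symbols).
func CheckPassphrase(p string) error {
	other := func(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) }
	classes := 0
	for _, has := range []func(rune) bool{unicode.IsLower, unicode.IsUpper, unicode.IsDigit, other} {
		if strings.IndexFunc(p, has) >= 0 {
			classes++
		}
	}
	if len([]rune(p)) < minPassLen || classes < 3 {
		return fmt.Errorf("passphrase must be at least %d characters and mix three character classes", minPassLen)
	}
	return nil
}

func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, pbkdf2Iter)) // 32-byte key: AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record under a passphrase. Blob layout: salt || nonce || ciphertext+tag.
// The salt is also passed as associated data, so a blob cannot be rebound to another salt.
func Seal(passphrase string, plaintext []byte) ([]byte, error) {
	if err := CheckPassphrase(passphrase); err != nil {
		return nil, err
	}
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil { // fresh random salt and nonce per record
		return nil, err
	}
	gcm, err := newGCM(passphrase, hdr[:saltLen])
	if err != nil {
		return nil, err
	}
	return gcm.Seal(hdr, hdr[saltLen:], plaintext, hdr[:saltLen]), nil
}

// Open reverses Seal. A wrong passphrase or any change to the blob fails GCM
// authentication and returns an error rather than garbage plaintext.
func Open(passphrase string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 { // 16 = GCM tag length
		return nil, fmt.Errorf("blob too short to be a sealed record")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	gcm, err := newGCM(passphrase, salt)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, salt)
}

func main() {
	blob, err := Seal("correct horse battery staple 42!", []byte("MRN 000123 | J. Doe")) // constructed record
	if err != nil {
		panic(err)
	}
	_, err = Open("correct horse battery staple 43!", blob)
	fmt.Println("wrong passphrase rejected:", err != nil)
}
```

The property to notice is that a wrong passphrase or a single flipped bit in the blob is rejected outright rather than decrypted to garbage, which is what you want before a USB key leaves the building; the slow key derivation is what makes guessing the passphrase of a stolen key expensive.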

2. Access Controls

Restrict access to information based on an individual’s role within the company. This limits how far information spreads and the risk of it landing in the wrong hands. If a project requires access to information for a specific period, grant the access for that period and revoke it as soon as the project is complete; access that is granted and never revoked accumulates until a departing employee still holds it.

3. Evaluate Training and Procedures

As with any other workplace program or procedure, train staff on data security procedures and reinforce them. Effective training covers the risks and consequences of a breach, the reasons behind the internal procedures that protect private information, and the ways information security is commonly compromised (lost or stolen devices, misdirected e-mail, weak passwords). Training programs and procedures must be evaluated and updated regularly to reflect new threats and new legal requirements. As noted at the start of this post, it is not enough to publish a procedure; verify that each employee actually follows it and completes every step needed to keep private information secure. Tailor training to different roles, since the information security challenges differ across the organization: every employee is responsible for keeping information secure, but some roles carry many more security-related tasks than others.

Should a breach occur, notify the Privacy Commissioner or the equivalent regulator for the country of operation. In the case of last week’s breach, the UHN failed to report the incident to the commissioner, citing the small number of files involved. In the CBC article “Hundreds of Ont. Patient Health Files Stolen,” UHN president and CEO Dr. Bob Bell stated:

“‘There was a decision made that this wasn’t a significant enough breach to warrant informing the commissioner, and I’ve apologized to the commissioner for that,’ he said. He added that it is the UHN’s policy that medical information on any mobile device needs to be encrypted. ‘The employee had not realized that there was personal health information on that USB key,’ said Bell. The network is looking to make some changes to prevent future breaches, including the automatic encryption of any device that gets used by the network, he said.”

Reducing the Risk of Intellectual Property Theft

May 6, 2010

Intellectual property theft comes in many forms, as it ranges from counterfeiting, copyright and patent infringements to the sale of trade secrets and product creation processes. The risk of disgruntled current or former employees leaking important confidential information to competitors or the public is a universal concern.

In the United States, President Barack Obama named Victoria Espinel as the U.S. Intellectual Property Enforcement Coordinator, a position created to end the sale of pirated or counterfeited movies, music, drugs and software. The threat of intellectual property theft isn’t isolated— counterfeit items and stolen information can be found internationally. Here are some steps that you can take to protect your company’s intellectual property:

1. Document Tracking System

Information exists in a variety of formats and across various locations, making document management a difficult task.  According to the experts at Deloitte, one of the best ways to protect a company from IP theft is to know where corporate documents are at all times:

“Have an inventory of intellectual property across your enterprise and know what your company’s intellectual property is, where it is, and what it’s worth. It’s also important to understand that managing your company’s intellectual property is more than just registering patents and trademarks.”

In most cases, documents are stored in various locations and many storage facilities use bar codes, RFID tags or other tracking devices to locate the data you send to them. These types of tracking systems are invaluable when implemented internally. Make sure inventory systems are managed properly and include procedures for information access to enact tighter controls over the flow of information.

2. Signed Confidentiality Statements

Have employees read, understand and sign a statement addressing the need for strict confidentiality regarding the protection of intellectual property and corporate information. Employees need to understand they will face consequences for violating information protection policies. The article “Business Intellectual Property Theft” on BusinessTheft.com mentions companies can:

“Protect patented technologies and company trade secrets by requiring employees and contractors to sign non-disclosure, confidentiality, or non-compete agreements when necessary. Make it clear what information is proprietary and confidential. While this won’t stop all instances of intellectual property theft by employees, it gives your business a more solid legal foundation to pursue damages if you have to take it to court.”

3. Internal Reporting Systems

Implement a system that allows for both employees and external sources to report counterfeit products or IP theft. This helps to stop employees from attempting to sell trade secrets or client lists, as they are aware of the consequences for violating policies. External sources can be used to report and locate vendors that are selling counterfeit products. i-Sight Investigation Software is easy to integrate into existing systems, allows for multi-channel case entry and helps the investigative team conduct timely, accurate investigations.

4. Limit Access to Information

If an employee doesn’t warrant access to certain areas of information, don’t allow them access. If an employee requests to view files temporarily, consider allowing the employee to do so, but then restricting them as soon as they have the information they need. Work together with the IT department to make information policies a reality. Internal access restrictions help enable stronger control over company information. Restrictions also reduce the ability for employees to take company information with them whenever they are away from work or their employment has been terminated.

5. Use Data Loss Prevention Software

Regulations, both governmental and industry-imposed, penalize companies in certain sectors for failing to demonstrate adequate data controls, and some require regular IT audits; this is common in healthcare (HIPAA) and finance (GLBA and Basel II, for example). Many data loss prevention (DLP) products include controls designed to prevent the theft of intellectual property. DLP software inspects data in use (on the endpoint), at rest (in file shares and databases) and in transit (e-mail, web uploads, removable media), classifies it against company rules, and blocks or quarantines an action such as viewing, copying or sending when the user isn’t permitted to perform it. Treat the tool as one layer rather than a complete answer: it catches accidental leaks and unsophisticated theft, but a determined insider can still photograph a screen or encrypt a file before sending it, so DLP alerts should feed an investigation process instead of standing alone.
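As an added example of the content inspection that DLP products perform (not code from the post, from i-Sight or from any DLP vendor), the following Go program scans constructed outbound e-mail for payment card numbers and Canadian Social Insurance Numbers using the Luhn mod-10 check that both formats use, looks for a classification marker, and blocks the message only when the recipient is outside an assumed internal domain. The patterns, the internal-domain list and the sample messages are assumptions for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Message is a constructed outbound e-mail with only the fields the scanner needs.
type Message struct {
	From, To, Subject, Body string
}

// Finding is what an alert may carry: the kind of data and a masked value, never the raw number.
type Finding struct {
	Kind, Masked string
}

// internalDomains is an assumption for the example.
var internalDomains = map[string]bool{"example-hospital.ca": true}

// digitRun matches 9 to 19 digits optionally separated by single spaces or hyphens.
var digitRun = regexp.MustCompile(`\b\d(?:[ -]?\d){8,18}\b`)

// luhn reports whether a digit string passes the mod-10 check used by payment
// cards and by Canadian Social Insurance Numbers.
func luhn(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

func mask(digits string) string {
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// Scan inspects subject and body for content the policy classifies as sensitive.
func Scan(m Message) []Finding {
	var out []Finding
	text := m.Subject + "\n" + m.Body
	for _, match := range digitRun.FindAllString(text, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(match)
		switch {
		case len(digits) == 9 && luhn(digits):
			out = append(out, Finding{"sin", mask(digits)})
		case len(digits) >= 13 && luhn(digits):
			out = append(out, Finding{"credit_card", mask(digits)})
		}
	}
	if strings.Contains(strings.ToUpper(text), "CONFIDENTIAL") {
		out = append(out, Finding{"classification_marker", "CONFIDENTIAL"})
	}
	return out
}

// Verdict applies the rule "sensitive content may not leave the organisation":
// block external recipients; allow internal ones but still return the findings for logging.
func Verdict(m Message) (block bool, findings []Finding) {
	findings = Scan(m)
	at := strings.LastIndex(m.To, "@")
	external := at < 0 || !internalDomains[strings.ToLower(m.To[at+1:])]
	return external && len(findings) > 0, findings
}

func main() {
	for _, m := range []Message{ // constructed samples, not real data
		{To: "billing@example-hospital.ca", Body: "Card on file 4111 1111 1111 1111, SIN 046 454 286."},
		{To: "friend@gmail.example", Body: "CONFIDENTIAL: see attached. Order 1234567890123, phone 416 555 0123."},
		{To: "vendor@supplier.example", Body: "Please ship order 1234567890123 by Friday."},
	} {
		block, f := Verdict(m)
		fmt.Printf("to=%-28s block=%-5v findings=%v\n", m.To, block, f)
	}
}
```

The Luhn check is what keeps the false-positive rate tolerable: a 13-digit order number or a 10-digit phone number in the third message is not flagged, while a valid card number with spaces or a hyphenated SIN is. Real products add many more detectors (document fingerprints, regulated-data dictionaries, OCR on images), but the shape is the same: classify, decide by recipient and channel, and record a masked finding for the investigator.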

Workplace Investigations and Information Privacy

April 28, 2010

Privacy and information protection are issues addressed during the planning stages of the investigative process. Cases involving top level executives, multiple employees or cases dealing with legal violations are sensitive matters requiring the highest level of confidentiality. Some workplace investigations require that access is restricted within the investigative unit itself.

Security and privacy are also important issues when information is transferred across borders within an organization, as the level of security over personal and corporate information differs, further complicating workplace investigations.

Investigations and Personal Information Security

Many countries allow personal information to be exported only when the law of the destination country is recognized as providing adequate protection. In the GRC 360 blog post “Resolve: Part of Internal Investigations for Control and Compliance Violations (5 of 5),” the authors touch on the global considerations related to personal information transfer during investigations:

“Rules governing how personal information must be handled are different all around the world. For example, the European Union’s Directive on Data Protection restricts the transfer of personal data to non-EU nations that do not meet the European Union’s ‘adequacy’ test for privacy protection– namely the United States. As such, any information gathered in the EU before or during an investigation may or may not be allowed to be transmitted to a U.S. location for analysis or follow-up.”

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) received royal assent in 2000 and came into force in stages beginning January 1, 2001. On December 20, 2001, the European Commission recognized PIPEDA as providing adequate protection for personal data transferred from the EU to recipients in Canada that are subject to the Act. This adequacy finding allows such transfers to proceed without additional safeguards being put in place.

Executives and investigation managers of multinational companies need to understand the different laws and regulations governing the transfer of information across borders before they can implement channels for “cross-border data transfers.” In the White & Case newsletter “Global HR Hot Topic: Conducting Internal Employee Investigations Outside the US (part 1),” the authors discuss the importance of cross-border data transfers and the need to establish information channels before investigations begin:

“In cross-border investigations, information identifying employees almost inevitably gets transmitted back to headquarters. Before undertaking a specific investigation, build channels allowing the legal ‘export’ of investigation data. This is a keen issue in jurisdictions like Belgium and the Netherlands where laws impede cross-border transmissions of workplace accusations specifically. In Europe these channels include ‘model contractual clauses,’ ‘safe harbor,’ and ‘binding corporate rules.’ If existing channels fail expressly to cover ‘investigation’ data, expand them. In Hong Kong an appropriate data-export channel can be employee-signed data-transfer consents. Start early: Building these channels takes time, and it will be too late after a specific allegation or suspicion sparks an actual investigation.”

Investigation Privacy with i-Sight

Most jurisdictions around the world have implemented legislation to govern the handling and use of personal information. We understand that many organizations operate across multiple jurisdictions and we follow a set of procedures to ensure compliance with all of the legislation listed below.

United States

  • (HIPAA) Health Insurance Portability and Accountability Act
  • (GLBA) Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999

Canada

  • (PIPEDA) Personal Information Protection and Electronic Documents Act of 2000

European Union

  • EU Data Protection Directive
  • EU E-Privacy Directive

The following is a list of some of the principles that are built into i-Sight Software to ensure compliance with privacy laws:

Consent for the Collection, Use, and Disclosure of Personal Information- The knowledge and consent of the individuals are required for the collection, use or disclosure of personal information, except where inappropriate.

Limiting Collection of Personal Information- The collection of personal information will be limited to that which is necessary for the purposes identified by Customer Expressions (CEC), the company behind i-Sight. Information will be collected by fair and lawful means.

Limiting Use, Disclosure and Retention of Personal Information- Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by contract or law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.

Ensuring Accuracy of Personal Information- Personal information will be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

Ensuring Safeguards for Personal Information- Security safeguards appropriate to the sensitivity of the information will protect personal information against loss, theft, unauthorized access, disclosure, copying, use or modification. Administrative, physical and technical safeguards are provided so that personal information is available to those who hold access rights to it, and only to them. The CEC Information Technology Policy (ITP) Manual outlines those safeguards.

Openness about Personal Information Policies and Practices- CEC will make readily available to individuals upon request specific information about its policies and practices relating to the management of personal information as outlined in this manual.

Individual Access to their own Personal Information- Upon request, an individual will be informed of the existence, use and disclosure of his or her personal information and will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

To learn more about our commitment to world class security and reliability at i-Sight, please review our “i-Sight Security and Reliability” manual.

Employee Embezzlement Detection and Prevention

April 26, 2010

Kickbacks, payroll fraud, false reimbursement claims and the use of company credit cards and accounts for personal use are all issues of employee embezzlement that employers are faced with on an all-too-frequent basis. As employees try to become more creative with their schemes for embezzling company money into their own pockets, employers can fight back and put up internal “road blocks” to help deter employees from getting their hands on money that is not theirs.

One of the harshest realities about employee embezzlement is that it’s usually conducted by employees who have gained significant levels of trust from their superiors. Embezzlers usually begin by taking small sums of money, and if they realize they have yet to be caught, can continue taking money for many years, equating to significant losses to your company.

Signs of Embezzlement

There are many signs that signal the presence of embezzlement. Sometimes company policies, or the roles and responsibilities set out in job descriptions, are what make embezzlement easier to carry out. According to the article “Embezzlement: Everything You Need to Know” by Stephen Linker, organizational conditions that open the door to embezzlement include inadequate segregation of duties; lack of employee training about company policies and the consequences for violating them; high turnover; failure to consistently enforce standards and policies or to punish violators; and operating in an environment that frequently runs in “crisis” mode.

Aside from the organizational conditions that increase the opportunity for embezzlement, changes in employee habits and discrepancies in financial reports and accounting statements can also point to it. The FindLaw.com article “Embezzlement Warning Signs” lists other key indicators, among them:

  • Late, disorganized financial statements and reports.
  • Accounts that do not balance, altered check amounts and duplicate payments.
  • Payments to newly created vendor accounts whose address matches an employee’s.
  • Unexplained losses of company funds.
  • Missing documents relating to accounts, payments and the like.
  • Unexplained or unauthorized charges to company accounts.
  • An employee who refuses to take vacation or works unusually long hours, so that no one else ever handles their work.
  • Pressures or lifestyle changes, such as high medical bills, divorce, gambling problems, or living beyond what the salary supports.
  • Bank deposits that are delayed or made on an inconsistent schedule.
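To show how a few of the warning signs above translate into detection logic, here is an added example (not from the post or from the FindLaw article) that runs three checks over a constructed payment ledger: a possible duplicate payment (same vendor and amount within a window), a vendor address that matches an employee’s home address, and a payment entered and approved by the same person, which is the segregation-of-duties failure Linker describes. The record layout, the 30-day window and the sample data are assumptions for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

type Employee struct{ Name, Address string }

// Payment is one ledger row. Amount is a float here for brevity; use integer cents in production.
type Payment struct {
	ID, Vendor, VendorAddress string
	Amount                    float64
	Date                      string // YYYY-MM-DD
	EnteredBy, ApprovedBy     string
}

type Flag struct{ PaymentID, Rule, Detail string }

// normalize makes address, vendor and name comparisons case- and whitespace-insensitive.
func normalize(s string) string {
	return strings.Join(strings.Fields(strings.ToLower(s)), " ")
}

// Review applies three of the warning signs above to a ledger: a possible duplicate
// payment (same vendor and amount within dupWindow), a vendor address that matches an
// employee's, and a payment entered and approved by the same person.
func Review(payments []Payment, staff []Employee, dupWindow time.Duration) []Flag {
	var flags []Flag
	employeeAt := map[string]string{}
	for _, e := range staff {
		employeeAt[normalize(e.Address)] = e.Name
	}
	type key struct {
		vendor string
		amount float64
	}
	seen := map[key][]Payment{}
	for _, p := range payments {
		if name, ok := employeeAt[normalize(p.VendorAddress)]; ok {
			flags = append(flags, Flag{p.ID, "vendor_address_matches_employee", name})
		}
		if normalize(p.EnteredBy) == normalize(p.ApprovedBy) {
			flags = append(flags, Flag{p.ID, "entered_and_approved_by_same_person", p.EnteredBy})
		}
		date, err := time.Parse("2006-01-02", p.Date)
		if err != nil {
			flags = append(flags, Flag{p.ID, "unparseable_date", p.Date})
			continue
		}
		k := key{normalize(p.Vendor), p.Amount}
		for _, prev := range seen[k] {
			prevDate, _ := time.Parse("2006-01-02", prev.Date)
			if gap := date.Sub(prevDate); gap <= dupWindow && gap >= -dupWindow {
				flags = append(flags, Flag{p.ID, "possible_duplicate_payment", "matches " + prev.ID})
			}
		}
		seen[k] = append(seen[k], p)
	}
	return flags
}

func main() {
	// Constructed staff list and ledger, not real data.
	staff := []Employee{{"Pat Lee", "12 Elm St, Toronto"}, {"Sam Chu", "9 Oak Ave, Toronto"}}
	ledger := []Payment{
		{"P1", "Acme Supplies", "100 King St W", 4200, "2010-03-01", "Pat Lee", "Sam Chu"},
		{"P2", "ACME Supplies", "100 King St W", 4200, "2010-03-15", "Pat Lee", "Sam Chu"},
		{"P3", "PL Consulting", "12 ELM ST,  Toronto", 950, "2010-04-02", "Pat Lee", "Pat Lee"},
		{"P4", "Acme Supplies", "100 King St W", 4200, "2010-09-01", "Pat Lee", "Sam Chu"},
	}
	for _, f := range Review(ledger, staff, 30*24*time.Hour) {
		fmt.Printf("%s %-36s %s\n", f.PaymentID, f.Rule, f.Detail)
	}
}
```

Each flag is a lead for an investigator, not proof: a genuine repeat order can look like a duplicate payment, and a small firm may have only one person who can both enter and approve. The value of running the checks on every ledger export is that the patterns surface mechanically instead of waiting for someone to notice.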

Embezzlement Prevention

There are a number of measures employers can take to reduce the opportunities for embezzlement within the workplace, though preventing it altogether is unrealistic. Separation of duties and task rotation are among the most effective: no single person should be able to initiate, approve and record a payment. When tasks are rotated, an employee who is embezzling will often protest and try to stay in control of any process that involves access to or handling of money, so that no one else can uncover the scheme; that resistance is itself a warning sign.

When writing job descriptions, employee responsibilities, codes of conduct and ethics, or any other workplace policy, conduct a risk assessment first. It should identify vulnerabilities that expose the company to embezzlement, pressures or tasks that could motivate an employee to embezzle, money-handling procedures that lack sufficient checks, gaps in compliance with legal requirements, and any other weakness that increases the risk.

Another way to detect and prevent embezzlement is an internal reporting system that lets employees report observed misconduct or financial fraud within the organization. For publicly traded companies in the United States, Sarbanes-Oxley (section 301) requires the audit committee to establish procedures for the confidential, anonymous submission of employee concerns about accounting or auditing matters; anonymity makes employees more comfortable reporting, since their name isn’t attached to the allegation. Internal hotlines and reporting systems are the leading means of identifying workplace misconduct, because an employee’s peers are usually aware of it long before it reaches top-level executives.

Solutions such as i-Sight Investigation Software make it easy for new cases to be documented and reported through a variety of intake channels. i-Sight is a customizable solution, designed to meet the unique needs of each individual company and has built in rules to maintain compliance with legal regulations throughout the investigation process. i-Sight uses alerts and centralized case information, making it easier to manage the investigation process from the time a new misconduct tip is received, through to the reporting stages and conclusion of the investigation.

The article “Embezzlement Prevention and Detection” by Vincent Ruocco, LLC, CPA, advises management to conduct the following three steps when establishing policies to make embezzlement difficult for employees to conduct:

  • Adopt a policy of mandatory vacations and mandatory duty rotations.  It is not uncommon for the embezzler to interfere with the customary workflow to effect the embezzlement.  However, if your policies require the embezzler to give up control of his/her work, he/she will recognize that the fraudulent scheme might be more easily detected, and thus be deterred from committing the illegal act.
  • Don’t hire thieves.  This means that if you intend to place an individual in a position of trust, you should conduct a background check.  The typical background check involves employment and education verifications, reference checks, criminal conviction checks, drug screenings and a credit check.  You may need the candidate’s consent prior to conducting some components of your background check, so you should seek the advice of a qualified attorney.
  • Conduct periodic surprise internal audits.  These are most effective after identifying high risk areas and designing procedures to achieve the desired objectives.  It is not uncommon for management to engage a qualified CPA to help them plan the audits and perform the procedures.  It is important to note that simply knowing that the organization has a policy of conducting surprise internal audits can act as a deterrent to the would-be embezzler.

Corporate Security Investigation Software

April 14, 2010

Corporate security investigations vary depending on the type of observed misconduct or internal policy violation reported. Internal affairs investigations that deal with instances of corporate security are highly sensitive cases that require extreme levels of confidentiality and protection. Cases involving criminal acts, such as employee property theft, fraud, embezzlement, credit card fraud, forgery and retaliation, pose greater risks for any company, therefore, making investigation information protection a number one priority.

Depending on the circumstances, it may be required that access to case information be restricted amongst members of the investigation team. Managing control over information can become very difficult, but web based case management solutions such as i-Sight can make these situations a lot easier to handle.

Corporate Security Investigation Tools

Here are some of the features offered by the i-Sight Investigation Software that will help your company better manage case information, evidence, timelines and privacy.

1. Access Control Down to the Field Level

i-Sight offers you the flexibility to restrict access all the way down to the field level. This means that two people may access the same case file, but some information may be hidden from each during the internal investigation process. This is most often used to restrict access to highly confidential cases or information within a case. This information can be suppressed while all other case information is made available. This allows you to have greater control over the privacy of specific pieces of information within a case, while ensuring that all others working on the case continue to have access to the information required for them to meet their deadlines regarding the investigation.  With i-Sight, you can also create access rules that allow members of a third party to access your case management system and view case information that is specific only to their role in the investigation.

2. Access Control on Case by Case Basis

i-Sight allows you to decide who can view and edit case records and reports. Many of our clients are conducting highly confidential investigations that contain very sensitive information and even require privacy within their own companies. i-Sight has been built to support the kinds of restrictions necessary to ensure the right people have access to the right information. Each user has a “Profile” within i-Sight where you can set their access rights. This function allows you to establish restriction rules based on the structure of your organization in order to ensure that there are no information leaks throughout the company- for example, if you use restrictions based on office location, your users in the New York office can only see cases for that particular area.
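The access-control rules described in this section, together with the role-based, time-limited access recommended in the earlier posts, can be expressed as a small policy function. The following is an added example written for this page, not i-Sight’s own code: cases are visible by default only to staff in the case’s own office, temporary grants expire on their own, third parties see only cases they have been granted, and two restricted fields are omitted unless the viewer holds a permitted role. The roles, field names, offices and sample case are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

type Role string

const (
	Investigator Role = "investigator"
	Legal        Role = "legal"
	HR           Role = "hr"
	ThirdParty   Role = "third_party"
)

// Profile is the per-user access setting: home office, role, and temporary
// case-level grants that expire on their own (case ID -> expiry).
type Profile struct {
	Name   string
	Role   Role
	Office string
	Grants map[string]time.Time
}

type Case struct {
	ID, Office string
	Fields     map[string]string
}

// restrictedFields may be read only by the listed roles; every other field of a
// visible case is open to anyone who can see the case. (Assumed policy.)
var restrictedFields = map[string][]Role{
	"complainant_identity": {Investigator, Legal},
	"legal_hold_notes":     {Legal},
}

func hasRole(r Role, allowed []Role) bool {
	for _, a := range allowed {
		if a == r {
			return true
		}
	}
	return false
}

// CanSeeCase denies by default. Staff see cases in their own office; anyone,
// including a third party, sees a case for which they hold an unexpired grant.
func CanSeeCase(u Profile, c Case, now time.Time) bool {
	if u.Role != ThirdParty && u.Office == c.Office {
		return true
	}
	exp, ok := u.Grants[c.ID]
	return ok && now.Before(exp)
}

// View returns the fields u may read in c with restricted fields omitted, and
// ok=false when the case itself is not visible to u.
func View(u Profile, c Case, now time.Time) (fields map[string]string, ok bool) {
	if !CanSeeCase(u, c, now) {
		return nil, false
	}
	fields = map[string]string{}
	for name, val := range c.Fields {
		if allowed, restricted := restrictedFields[name]; restricted && !hasRole(u.Role, allowed) {
			continue
		}
		fields[name] = val
	}
	return fields, true
}

func main() {
	// Constructed sample case and users, not real data.
	c := Case{ID: "C-1001", Office: "New York", Fields: map[string]string{
		"summary":              "alleged expense fraud",
		"complainant_identity": "reported by J. Smith",
		"legal_hold_notes":     "litigation hold issued",
	}}
	now := time.Date(2010, 4, 14, 12, 0, 0, 0, time.UTC)
	users := []Profile{
		{Name: "ny-investigator", Role: Investigator, Office: "New York"},
		{Name: "toronto-hr", Role: HR, Office: "Toronto", Grants: map[string]time.Time{"C-1001": now.Add(48 * time.Hour)}},
		{Name: "forensics-vendor", Role: ThirdParty, Office: "New York", Grants: map[string]time.Time{"C-1001": now.Add(24 * time.Hour)}},
	}
	for _, u := range users {
		fields, ok := View(u, c, now)
		fmt.Printf("%-17s ok=%-5v fields=%v\n", u.Name, ok, fields)
	}
	_, ok := View(users[1], c, now.Add(72*time.Hour)) // the Toronto grant has expired by then
	fmt.Printf("%-17s ok=%v (after grant expiry)\n", users[1].Name, ok)
}
```

Two design choices carry the weight here: the function denies unless a rule explicitly allows, so a new office or a new role gets nothing until someone decides otherwise, and grants carry an expiry checked at every read, so the temporary access recommended earlier ends without anyone having to remember to revoke it.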

3. Alerts & Workflow Rules

Using workflow rules, you can prioritize, assign and route cases and tasks to the most appropriate people. This lets you control case assignment and place sensitive cases higher in priority so that action is taken immediately. Timeliness matters most for corporate security cases that could end up in court, since a company’s liability increases if it fails to investigate promptly.

With i-Sight, you customize the workflow rules to suit your company and its structure. Here are some of the key components of the workflow rules:

  • Notifications/Assignment: Automatically notify and assign new cases to the appropriate investigator or group
  • Reminders: Set task or action due dates with built-in email reminders
  • Inactivity Alerts: Automatically notifies managers if there is no activity on case for a specified number of days
  • Escalations: Overdue cases and actions generate escalation email notices to managers
  • Approval Requests: Create notices requesting/providing approvals
  • Fully Customizable: Create any other business rule to help optimize your case management process
