In this issue, we discuss the risks involved with allowing unrestricted access to the
records of high-profile customers.
The official privacy policy of virtually every company has a provision to the effect of, "Your private information will only be viewed by employees that require access to perform their jobs." Are you sure you can live up to that promise?
While your policies may state this, it is difficult at times to deliver. The urge for employees to "bend the rules" can become too great to resist when celebrity accounts are involved.
Part of management's job is to identify opportunities to lie, cheat or steal and to reduce or eliminate those opportunities. For instance, banks don't let employees enter the cash vault alone. You don't do this because you distrust a specific employee. You do it to remove the temptation from all employees.
The UCLA Medical Center had a recent scandal in which over 100 employees reviewed the medical records of a celebrity. A number of the viewings actually happened after the Medical Center had warned employees that the records were being monitored. Monitoring alone did not stop the behavior; the access itself had to be restricted.
Don't think this is limited to your computer systems. The signature of a celebrity on a signature card, a work authorization, a personal check or a credit application might prove tempting.
Many years ago, a colleague of ours was in charge of signing all Accounts Payable checks, including the monthly Board of Directors stipends. This bank happened to have a director who was a famous TV judge. To this day, our colleague still shows her friends a copy of one of those checks, bearing her signature and the Judge's name. Is that a customer information security breach?
How would your company respond if the credit card charge or personal check of a politician or other well-known customer were linked to an illegal or unseemly act, and the leak of that information was traced back to your company?
Removing or restricting access to sensitive information is not an option. It is a requirement.
Reducing or eliminating the temptation to access special accounts is smart business.
For consideration: Do your systems allow you to restrict access at the level of an individual account, rather than only by role or department? Do you have a specific policy for celebrity accounts, similar to the one you have for employee accounts? What restrictions are placed on information stored on paper, microfilm or disks? What about archived records? What changes could be made to your Incident Response program? What damage to your reputation could ensue? Has your annual Security Controls audit reviewed all repositories of customer information, not just the computerized systems?
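The first question above, per-account restriction, is the control the UCLA case shows monitoring cannot replace. The following is an added example written for this newsletter, not code from any of the organizations mentioned: a deny-by-default check for flagged ("high-profile") records, where only staff explicitly assigned to the record may view it, plus two review functions run over an access log that find who viewed a flagged record without an assignment and who did so after a monitoring warning was issued. The record and user identifiers, the assignment table and the log entries are all constructed for illustration.

```python
"""Per-record access restriction for high-profile accounts, with review
functions over an access log. Added example; all data below is constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed: records flagged as high-profile (celebrity, employee, VIP), and
# the users explicitly assigned to each one by a supervisor.
RESTRICTED = {"acct-1001", "acct-2002"}
ASSIGNMENTS = {"acct-1001": {"u_alice"}, "acct-2002": {"u_bob"}}

# Constructed access log: (timestamp, user, record, action). A real log should
# record every lookup, allowed or denied, so reviewers can see attempts too.
SAMPLE_LOG = [
    ("2008-04-01T09:02", "u_alice", "acct-1001", "view"),
    ("2008-04-01T09:10", "u_carol", "acct-1001", "view"),
    ("2008-04-01T09:11", "u_dave",  "acct-1001", "view"),
    ("2008-04-01T09:15", "u_erin",  "acct-3003", "view"),   # not a flagged record
    ("2008-04-02T14:00", "u_frank", "acct-1001", "view"),
    ("2008-04-02T14:05", "u_bob",   "acct-2002", "view"),
    ("2008-04-03T08:30", "u_grace", "acct-1001", "view"),
]


def authorize(user, record, restricted=RESTRICTED, assignments=ASSIGNMENTS):
    """Deny-by-default on flagged records: only explicitly assigned staff may
    view them. Unflagged records fall through to the normal role-based rules
    (not modelled here). Returns (allowed, reason) so the caller can log the
    decision either way."""
    if record not in restricted:
        return True, "unrestricted record"
    if user in assignments.get(record, set()):
        return True, "assigned to record"
    return False, "restricted record; user not assigned"


def unassigned_viewers(log, restricted=RESTRICTED, assignments=ASSIGNMENTS):
    """Retrospective review: which users viewed a flagged record without an
    assignment? This is what a monitoring-only control finds after the fact."""
    hits = defaultdict(set)
    for _, user, record, action in log:
        if action != "view" or record not in restricted:
            continue
        if user not in assignments.get(record, set()):
            hits[record].add(user)
    return {rec: sorted(users) for rec, users in hits.items()}


def views_after_notice(log, record, notice_time, assignments=ASSIGNMENTS):
    """Unassigned views of `record` that occurred after staff were warned (at
    `notice_time`, ISO 8601) that access to it is monitored. Returns a list of
    (user, timestamp) pairs in log order."""
    cutoff = datetime.fromisoformat(notice_time)
    assigned = assignments.get(record, set())
    return [
        (user, ts)
        for ts, user, rec, action in log
        if rec == record and action == "view" and user not in assigned
        and datetime.fromisoformat(ts) > cutoff
    ]


if __name__ == "__main__":
    print(authorize("u_carol", "acct-1001"))
    print(unassigned_viewers(SAMPLE_LOG))
    print(views_after_notice(SAMPLE_LOG, "acct-1001", "2008-04-02T00:00"))
```

The point of the split is that `authorize` prevents the viewing, while the two review functions only find it afterwards. If your system can only do the latter, you are relying on the warning that the UCLA employees ignored.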
More information:
More UCLA Medical Center employees peeked at celebrities' records, state says