Insider Threat Example: Former Wal-Mart Employee Spied Because His Managers Told Him To

I have seen organizations where management and staff members were so fixated on protecting the company, to the disregard of observing laws and complying with policies, that they ended up doing completely inappropriate actions that involved infringing on privacy and breaking laws.

Have you ever watched The Office?
I love that show; I’ve known…and worked with…people just like every character on that show. The Dwight Shrute character demonstrates his zealousness for the company with complete disregard for the people around him, and often their privacy. He is always asking his coworkers for personal information he has no right to ask for, and he has often spied on them, often with the approval of Michael, his manager.
I recently blogged about the Wal-Mart employee who was fired for snooping on text messages and taping phone calls.
More news came out about this situation today.
The employee, Bruce Gabbard, who had been with Wal-Mart was reportedly doing the surveillance (taping outside calls and monitoring emails from the outside) at his management’s request.

“Gabbard said he recorded the calls because he felt pressured to stop embarrassing leaks. But he said his spying activities were sanctioned by superiors. Gabbard said that as part of the surveillance, the retailer infiltrated an anti-Wal-Mart group to determine if it planned protests at the company’s annual meeting last year and deployed monitoring systems to record the actions of anyone connected to its global computer network.”
“Wal-Mart (Charts) conducted an internal investigation of Gabbard and his group’s activities, fired his supervisor and demoted a vice president over the group, the paper said. “

This situation points out that the insider threat is not only a conscious malicious action against the company, or a mistake, but it also comes from a conscious decision based upon an overzealous effort to, in fact, try to protect the company in ways that not only infringe upon privacy, but also that break not only corporate information security policies, but also may be breaking data protection laws.
Monitoring is an important part of information security and compliance, but it must be appropriate and legal and not at the discretion of a manager’s whim.

Tags: , , , , , , , ,

Leave a Reply