Now, here’s a great example of an organization actually following through on their procedures to review access logs, and then to apply sanctions and take necessary other actions in response to non-compliance with not only organizational policies, but also with applicable laws…
On August 20, John Snyder, a tax examiner in the Covington, Kentucky IRS office, was sentenced to three years probation, 60 hours of community service, and a $1,000 fine after he illegally obtained information on at least 202 taxpayers…most of whom are celebrities or sports figures…without authorization.
According the various news reports, all but five of the taxpayers were celebrities, their spouses, sports figures, or well-known Cincinnati-area individuals. The celebrities included Kevin Bacon, Alec Baldwin, Chevy Chase, John Cleese, Vanna White, Ethan and Joel Cohen, and former Cincinnati Reds and Chicago Cubs baseball players. Snyder also accessed at least one of his neighbor’s tax information.
Snyder’s manager indicated Snyder had no business reason to access the tax files for these individuals.
The complaint filed against Snyder indicated the Treasury Inspector General for Tax Administration routinely reviews the audit trails to look for unusual or suspicious accesses by IRS employees.
It is rare to see such reports as this, but with the increasing concerns over privacy and identity theft, along with increasing incidents occurring as a result of insider lack of knowledge or malicious/deliberate intent such as this, you will start seeing more.
Do you review the access activities to your confidential files and information?
Tags: awareness and training, Information Security, insider threat, IRS, IT compliance, IT training, John Snyder, Kentucky, logs review, policies and procedures, privacy training, risk management, security training