I’ve been noticing lately that more and more organizations are sanctioning their employees for not following information security policies. I first blogged about it on September 24, about a hospital actively enforcing sanctions for HIPAA violations, then again on October 10 about another hospital sanctioning employees for noncompliance, then again on October 11, and then again just yesterday.
And today I see another story about an organization applying a sanction to an employee who had a laptop containing personally identifiable information (PII) stolen from his unlocked car parked at a hotel.
This time the sanction was at a state agency; the Connecticut state Department of Revenue Services (DRS) suspended Jason Purslow, a 15-year employee at the department, for 6 weeks without pay after his laptop computer, containing PII including Social Security numbers of 106,000 Connecticut taxpayers, was stolen from what is believed to be his unlocked car parked at a hotel in New York.
The DRS reported Purslow violated the agency’s information security policies.
Purslow was not fired because the agency’s commissioner determined the incident did not occur because of willful neglect or malicious intent.
It is good to see this trend of organizations actively applying sanctions for noncompliance with their policies. If sanctions are not actively applied, personnel will not be motivated to follow the policies. If personnel know they could be suspended for a period of time with no pay for not following policies, they will definitely be motivated to follow them!
The DRS is a great example of applying a sanction after taking into consideration the situation. It is appropriate, and important, for all organizations to consider the situation surrounding the incident when determining the sanction. The sanction must fit the incident, and the intent of the person involved.
This is another example of why training and ongoing awareness communications are so important. The story didn’t discuss the training and awareness program within the DRS, but it is likely that this incident might not have happened if more effective and frequent training about mobile computer security, along with ongoing communications and reminders about its importance, had taken place.
Tags: awareness and training, Connecticut, data breach, Department of Revenue Services, Information Security, IT compliance, Jason Purslow, laptop theft, Ohio, personally identifiable information, PII, policies and procedures, privacy, privacy breach, security sanctions