I work at a small rural college, and we have recently had our Director of IT intentionally give another director full access to our reports server. Reports on this server include SSNs, direct-deposit account information, and some health information - basically full employee and student records. An employee overheard the orders to give access and the "don't tell anyone or fill out the proper forms" comment and complained to the Chief Business Officer. Nothing was done. Over a week later, someone got word to our president and she shut down the access.
History on the director getting access: He was hired about a year ago, and sometime since he reprimanded an employee for what he said on his time off during a college-hosted speech debate. Some students started a petition to have the reprimand removed. He looked up the students' transcripts and called their instructors to ask about their personal information. I'm suspecting this was the motive again, but REALLY don't like the idea of this guy having access to my personal information.
I don't know yet how our management and HR are planning to deal with this. My goal is to "cover our assets" and limit liability. Since I have never dealt with this kind of breach, I would love feedback on similar instances. Pretty much everyone I've talked to about this agrees that the directors should have been fired immediately. Both directors have shown an extreme lack of ethics, so I need to make sure the VPs and president are properly informed. I will ask upper management to also consult legal to keep us covered, but want more information before I step into this steaming pile.
So, the biggest questions are:
1) What policies do you have in place for intentional internal violations such as this one?
2) If this were an external breach, I'm pretty sure we would be required to inform everyone with records in our database. What steps are required for an internal abuse of access?
Thanks!