Penalties for not complying with GDPR and how they can be enforced
January 5, 2017
A former manager at Toll Transport who allegedly passed sensitive company information to a competitor has been ordered to hand over several USB devices for inspection.
The case is just one of many recent allegations of outgoing employees misusing their former employers’ data. These cases highlight the need for businesses to control removable media such as USB storage devices in order to avoid security breaches. In a broader context, many businesses are finding that they need to spend time and resources protecting customer information as well as their own organisation’s sensitive data.
Toll Transport Data Theft
The senior manager at Toll Transport worked for the company from 1981 to 2016, at which time he left for a job as a senior executive at one of their competitors.
As a senior manager, the employee had access to a large amount of data, such as pricing information, customer information, and profit margins. This information was held on the employee’s business laptop, which he returned on his last day of employment. Despite the laptop being returned, the company claims that the former employee used several USB devices to pass the data to Toll’s competitor (and his new employer).
In April, the court ruled that the ex-employee had to provide Toll Transport with all the USBs within 17 days of the ruling. Toll quickly assured customers that their information was safe, but the aftermath of any security breach is more than unnerving: it can be financially damaging.
Information Security Management Systems
The Toll Transport allegations highlight the importance of an effective information security management system for every business. The following are a few examples of the kind of information security controls an ISO 27001 information security management system puts in place.
1. Regularly Review System Logs
Irregularities go undetected if no one reviews system logs. Examples worth looking for include a bulk export of a customer or pricing list to an unfamiliar IP address, or a copy sent to an employee’s personal computer or removable drive, particularly in the weeks before that employee leaves.
2. Adding Dummy Email Addresses
Placing dummy email addresses in your database is a simple yet effective way to identify stolen contact lists. Each dummy address exists solely to receive mail sent to that specific list, so any email that arrives at one of them is evidence that the list has left your control, and, if each list carries its own address, it tells you which list was taken.
3. Restricting Access to Information
By allowing employees to access only the information needed for their specific roles, you limit how many people are in a position to copy sensitive data. Keep a record of who has access to what, review it when roles change, and revoke access promptly when an employee gives notice or leaves.
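Controls 1 and 2 above are detective controls, and both are easy to automate. The following is an added example, not code from the original article or from Compliance Council, showing the two ideas in working Python: a reviewer for export audit-log lines that flags bulk exports and exports to destinations outside the corporate network, and a canary-address scheme in which each exported list is seeded with its own dummy address so that a hit can be traced back to the list it came from. The log format, the corporate IP ranges, the secret key and the sample log lines are all constructed for the example.

```python
"""Added example: two detective controls against insider data theft.

Assumptions (not from the article): the export audit log uses the hypothetical
one-line-per-event format shown in SAMPLE_LOG, corporate addresses live in the
RFC 1918 ranges listed in CORPORATE_NETS, and the canary secret is kept outside
the database it protects.
"""
import hashlib
import hmac
import ipaddress
import re

# Constructed sample audit-log lines: <timestamp> user=<id> action=<verb>
# [table=<name>] [rows=<n>] dest=<ip>.  The second and fourth lines are the
# kind of event a reviewer should notice.
SAMPLE_LOG = """\
2016-03-02T09:14:07Z user=jsmith action=export table=pricing rows=120 dest=10.20.4.15
2016-03-02T22:41:33Z user=jsmith action=export table=customers rows=48213 dest=203.0.113.77
2016-03-03T08:03:10Z user=akhan action=login dest=10.20.4.9
2016-03-03T18:55:02Z user=jsmith action=export table=margins rows=9800 dest=198.51.100.5
"""

CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]
BULK_ROWS = 10_000  # assumption: anything above this is "bulk" for this business

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)"
    r"(?: table=(?P<table>\S+))?(?: rows=(?P<rows>\d+))? dest=(?P<dest>\S+)$"
)


def review_export_log(text):
    """Return (timestamp, user, table, reason) for every export event that
    either leaves the corporate network or is large enough to be a whole list."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["action"] != "export":
            continue  # malformed line or not an export: skip
        dest = ipaddress.ip_address(m["dest"])
        rows = int(m["rows"] or 0)
        reasons = []
        if not any(dest in net for net in CORPORATE_NETS):
            reasons.append("destination outside corporate ranges")
        if rows >= BULK_ROWS:
            reasons.append(f"bulk export of {rows} rows")
        if reasons:
            findings.append((m["ts"], m["user"], m["table"], "; ".join(reasons)))
    return findings


# Canary (dummy) addresses.  One address per exported list: the address is an
# HMAC of the list identifier, so it cannot be guessed or linked to the list
# by anyone who does not hold the key.
CANARY_KEY = b"rotate-me-and-keep-me-out-of-the-database"  # assumption
CANARY_DOMAIN = "canary.example.com"  # assumption: a mailbox you monitor


def canary_address(list_id, key=CANARY_KEY):
    """Derive the dummy address to seed into the list identified by list_id."""
    tag = hmac.new(key, list_id.encode(), hashlib.sha256).hexdigest()[:12]
    return f"{tag}@{CANARY_DOMAIN}"


def attribute_canary_hit(recipient, known_lists, key=CANARY_KEY):
    """Given the recipient of an inbound message, return the list it was seeded
    into, or None if the address is not one of ours."""
    recipient = recipient.strip().lower()
    for list_id in known_lists:
        if hmac.compare_digest(canary_address(list_id, key), recipient):
            return list_id
    return None


if __name__ == "__main__":
    for finding in review_export_log(SAMPLE_LOG):
        print("REVIEW:", *finding)
    lists = ["customers-export-2016-03-02", "pricing-export-2016-03-02"]
    leaked = canary_address(lists[0])
    print("canary for", lists[0], "is", leaked)
    print("mail to", leaked, "came from list:", attribute_canary_hit(leaked, lists))
```

The log reviewer is deliberately conservative: it only raises events a human should look at, and an export of 120 rows to an internal address is left alone. The canary scheme works because the address is derived from the list identifier rather than stored alongside the data, so a thief who copies the database cannot tell which entries are canaries, and the monitored mailbox tells you not just that a list leaked but which export it was.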
ISO 27001 Standard
The international standard for information security management systems, ISO 27001, is applicable across all industries. ISO 27001 certification can give your customers, clients, and employees confidence that the data you hold about them is protected.
To learn more about information security management systems contact us at Compliance Council.