How to Ensure Compliant User Access with Role-Based Access Governance

An increasing number of organizations are reporting that their employees, either out of personal curiosity or other potentially more devious motivations, are peeping at the account records of public figures. As a result, suspensions and firings are being announced on an almost weekly basis. Here, Knowledge Center contributor Brian Cleary discusses how these institutions can reduce the likelihood of these access-related peeping breaches by putting automated, role-based access controls in place across their entire organization.


Employees across all industries are quickly finding out that peeking at records that contain information about their favorite celebrity will now cost them their job. The natural curiosity of employees to view the private records of politicians and well-known figures is increasingly leading to firings and criminal convictions.

Most of the these workplace incidents are not tied to bad intentions or identity theft; they are simply employees taking advantage of access policy gaps at the companies for which they work (without realizing that they are breaking privacy laws and exposing their organizations to risk).

An example of this trend occurred when it was revealed on Nov. 22, 2008 that Verizon had fired several employees who had looked at the cell phone records of President-elect Barack Obama. Politicians and celebrities are just like everyone else, and they use cell phones, apply for passports and seek healthcare at major hospitals.

Employees at these organizations need to realize that, unless there is a job-related reason for them to access these records, even sneaking a peek for curiosity's sake is a very bad idea. However, the real problem here is not the natural nosiness of employees, but rather the poor controls for how user access is governed at these organizations.

President Obama has been a prime target of these types of attacks, with three different unauthorized data breaches on his private records in the last year alone. This type of incident is something that is fast becoming a daily trend with companies that store sensitive personal records of politicians and celebrities.

While organizations are quick to point out that they have specific policies related to accessing sensitive information, too often these policies are confined to a three-ring binder on a bookshelf in the IT security or compliance office. It is wishful thinking to believe that employees will heed these policies through training alone and make them part of their daily operating practice and procedure.