Readings and Case Studies for Info Security - Case Study 3e
Essay by cdooley42 • October 4, 2012 • Case Study • 818 Words (4 Pages) • 2,571 Views
Discussion Questions 3E
1. When an employee removes confidential records from the workplace without permission, without special controls, and against policy, is that a violation of the law?
It depends on the company/industry you work for, but for the most part the answer is no. Medical records, for example, are governed by rules and regulations that are enforced by the government. The Privacy Act of 1974 states what types of employee information government agencies may collect and when, and by whom, it may be disclosed to other people. It prohibits federal agencies from disclosing private information about you without your written consent. If a government agency is found in violation of the Privacy Act, you can sue them for damages. The agency/employee may be found guilty of a misdemeanor and may be ordered to pay a fine of up to $5,000 if they did it intentionally or maintain a system of records without disclosing its existence.
There are very few legal requirements when it comes to private employers and their workers' records and personal information. There are a few exceptions, like the ADA (Americans with Disabilities Act), which states that employers must protect the privacy and confidentiality of medical information of any employee who has a handicap, disability, or impairment covered by the ADA. Employers who provide health care benefits to their employees must protect the privacy and confidentiality of their workers' personal health and medical information under HIPAA (Health Insurance Portability and Accountability Act). Government agencies like the IRS that receive information from employers are required by law to keep your information safe and secure.
2. What would you recommend as a punishment for a policy violation involving removal of confidential records for a "harmless" reason, like catching up on reading them at home? Would your recommended punishment be different if the violator used them for a different purpose, perhaps using them to perform identity theft?
I would recommend a mandatory training class for the employee, which would require a passing score before they can return to work. If the company does not have training outlined for this, it should implement it for all employees. If the employee had no reason to view the information, I would recommend that the employee be fired, that the affected parties be contacted, and that the employer turn the matter over to a law enforcement official. The victim may turn around and sue them and their employer, so it is important that the employer do everything they can to make the victim feel that everything possible was done to remedy the situation.
...
...