Data Loss Prevention (DLP) is one of the key IT security measures a company must undertake. DLP is one of the 20 Critical IT Security Controls that the nonprofit security training agency SANS recommends. A recent news item provides a great real-life example of how Nationwide Insurance used DLP technology to prevent an employee’s unlawful activities.
Nationwide recently installed new monitoring software to prevent unlawful transmission of data by its employees. The software snagged Qiang “Michael” Bi, a 36-year-old employee, who was caught transmitting unlawful data from his home computer to his Nationwide Insurance email account. The information was in the form of a spreadsheet that listed eBay accounts, credit card numbers and related information that Bi had used in a counterfeit computer game business that he managed for 5 years.
Bi is in prison today, following a two-and-a-half-year sentence handed down to him by a judge on December 29th, 2010. Besides forfeiting over $367,000, Bi’s 2006 Lexus SUV and his house were also seized by the government. Bi has agreed to a yet-to-be-determined restitution amount – the total amount of the games sold is approximately $700,000.
Bi had used both PayPal and eBay for his illegal game sales business, but was blacklisted by both companies and his accounts were suspended. Bi had used more than 50 accounts that he had opened under different names.
In this particular case, Nationwide Insurance avoided being the conduit for an illegitimate business. DLP technology and policies can also help minimize other kinds of employee misuse of a company’s computer systems. Since various studies have shown that theft of data by inside employees is, overall, the biggest source of data losses suffered by a company, DLP deserves to be accorded the highest priority in enterprise security planning.