How To

Web Monitoring: How to Track Employee Data Access (Without Going Overboard)

Monitoring access to corporate data can be an effective way to keep the crown jewels from walking out the door, but it requires a careful balancing act.

By Lauren Gibbons Paul

September 01, 2005 | CSO

The Massachusetts Department of Revenue has been practicing data surveillance longer than most. More than a decade ago, top managers at the state agency realized that some employees would be unable to resist the lure of the department's treasure trove of personal taxpayer information.

"Sports figures seem to be the biggest draw. It's like a disease. People just can't seem to resist" peeking at athletes' private financial information, says John Moynihan, a 22-year veteran of the department who's now deputy commissioner and internal control officer.

Other people's tax data may be a draw for the curious, but resist they must, as it is against department policy for anyone, including employees, to access taxpayer data without a legitimate business reason. And it's illegal under Massachusetts law for anyone to disclose such data. So in 1992 the agency built a homegrown system that would alert the information security department every time an employee accessed a high-profile resident's income tax file. The system worked well, catching a handful of illegal browsers (some of whom immediately lost their jobs) each year, including a case where an employee accessed the income tax records of one of her husband's coworkers. Seems the husband had been passed over for a promotion (which went to the coworker), and snooping through that person's financial data made the couple feel better.

Eventually, Moynihan and his boss, the commissioner, realized the DoR had to monitor every access of every taxpayer's personal information on the database. Integrity of the process was not only an ethical matter; a public-sector breach could lead to major political ramifications. "If at any time a confidentiality problem hit the papers and taxpayers felt the system was not protecting their information, it could impact voluntary [income tax] compliance. The consequences could be immeasurable," he says.

In 1997, the Department of Revenue spent $300,000 (out of an overall IT budget of $25 million) to custom develop its Transaction Tracking system based on a Unisys mainframe. The system captures every access of taxpayer data in Massachusetts and creates audit trails for future reference. Once auditors monitoring the database identify a potential violation of the data access policy, such as an anomaly in the audit trail, they give the employee a chance to explain. If there is no reasonable explanation for the data access, the case is referred to internal investigators for further analysis and an interview with the employee. Disciplinary actions that could follow include firing an employee for a first offense.
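The two controls the article describes, an immediate alert whenever a high-profile record is touched and an audit trail in which reviewers look for accesses that have no legitimate business reason behind them, can be sketched in a few dozen lines. The following is an added example written for this page, not code from the Department of Revenue's Transaction Tracking system; the record IDs, employee names, case numbers and log lines are all constructed, and the idea of tying each access to an open case is an assumed approximation of "legitimate business reason".

```python
"""Added example (not the Department of Revenue's Transaction Tracking
system): a minimal audit-trail monitor. Every access is recorded;
accesses to watchlisted high-profile records raise an immediate alert;
accesses that no open case legitimately covers are flagged as anomalies
for an auditor to review with the employee. All IDs, names and log
lines below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample audit trail, one access per line:
# timestamp, employee, taxpayer record id, case id ("-" if none given)
SAMPLE_AUDIT_TRAIL = """\
2005-08-01T09:02:11 jdoe TP-1001 CASE-55
2005-08-01T09:05:40 jdoe TP-1002 CASE-55
2005-08-01T09:07:03 asmith TP-9001 -
2005-08-01T10:15:22 jdoe TP-9001 CASE-61
2005-08-01T10:16:45 asmith TP-1003 -
2005-08-01T11:00:00 bkim TP-2001 CASE-70
"""

# Constructed watchlist of high-profile taxpayer records (the article's
# "sports figures"). Any access, legitimate or not, alerts security.
WATCHLIST = {"TP-9001"}

# Constructed mapping of which records each open case legitimately covers.
# This stands in for the "legitimate business reason" an auditor checks.
CASE_SCOPE = {
    "CASE-55": {"TP-1001", "TP-1002"},
    "CASE-61": {"TP-9001"},
    "CASE-70": {"TP-2001"},
}


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    record: str
    case: Optional[str]


def parse_audit_trail(text):
    """Parse the whitespace-separated trail into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, record, case = line.split()
        events.append(AccessEvent(ts, user, record, None if case == "-" else case))
    return events


def monitor(events, watchlist=WATCHLIST, case_scope=CASE_SCOPE):
    """Return (alerts, anomalies).

    alerts:    every access to a watchlisted record, reviewed regardless
               of whether a case was cited (the 1992-style control).
    anomalies: accesses with no case, or whose case does not cover the
               record; these go to an auditor, who asks the employee to
               explain before anything is referred further.
    """
    alerts = []
    anomalies = []
    for ev in events:
        if ev.record in watchlist:
            alerts.append(ev)
        scope = case_scope.get(ev.case) if ev.case else None
        if scope is None or ev.record not in scope:
            anomalies.append(ev)
    return alerts, anomalies


def summarize_by_user(anomalies):
    """Count unexplained accesses per employee, for the auditor's queue."""
    counts = defaultdict(int)
    for ev in anomalies:
        counts[ev.user] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_audit_trail(SAMPLE_AUDIT_TRAIL)
    alerts, anomalies = monitor(evs)
    for ev in alerts:
        print(f"ALERT   {ev.ts} {ev.user} opened watchlisted {ev.record} (case={ev.case})")
    for ev in anomalies:
        print(f"REVIEW  {ev.ts} {ev.user} opened {ev.record} with no covering case")
    print("unexplained accesses per user:", summarize_by_user(anomalies))
```

In the sample trail, jdoe's access to the watchlisted record is alerted but not flagged as anomalous because CASE-61 covers it; asmith's two accesses with no case cited are what would land in the auditor's queue. The design point is that the watchlist alert and the no-business-reason check are independent signals: a record can be sensitive enough to log every touch even when each touch is legitimate, and an ordinary record can still be accessed without cause.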
