What is the name of your state (only U.S. law)? Florida
I want to be sure I address this properly with my employer and that my interests are protected.
We were working with a vendor that we later discovered was a family member of the high-level decision maker who outsourced work to them. Besides the unethical business practice and the clear violation of documented policy with regard to conflict of interest, I have documented proof that the vendor qualification was not conducted, background checks were not conducted, and an NDA was never in place. My guess is that because of the vendor relationship, shortcuts were taken to expedite the outsourcing of work to them. Knowing the person who pushed this through the system, it was unethical, and the relationship was father and son. Remote access was granted to company data information systems; the systems to which they were granted access maintain the personal information of close to 1.1 million members. The statement of work outlined a software solution for marketing tactics to our membership group, upwards of 1.1 million members. Flat files were given to this vendor for the development effort.
Aware of the vendor relationship, I funneled any and all requests for data to be exchanged through the project lead who selected the vendor. Time went by, and the project lead is no longer with the organization. A recent issue came to light where the project plan was made public on a public website that markets software solutions. It outlines the project plan word for word, along with proof-of-concept images that my organization considers confidential and sensitive. Literally to the point that if I, as an employee, had gone ahead and posted the information, I would be subject to termination for a policy violation.
In performing my investigation, it was proven that the vendor was fast-tracked, with no agreements, contract or NDA in place. I discovered that remote access was given to the vendor to all our data systems that maintained personal information of our members. My assumption is that the person was no longer there to plug the holes and cover up the unethical practices, so when a routine audit was conducted it was proven that the vendor never went through the proper processes in vendor selection and approvals; remote access privileges were removed because none of our tracking systems list the vendor as an approved vendor.
So here are my questions:
Does this constitute a data breach just based on unauthorized persons having access to our systems with personal information?
We know they are in possession of our data as portions of the project have been made publicly available on their website, word for word and with the same exact conceptual images.
Am I in any way at risk of termination? I have saved/printed all emails expressing concerns, potential risk to the business due to vendor relationships, and concerns of unethical practices, and any and all data exchanges were funneled through the project lead, so I was not sharing data directly with the vendor.
They have not made any members' information public, but again they have proven they are in possession of company data. Based on NCSL law and the unauthorized access of membership data, does compliance require informing all 1.1 million members that their personal information has been breached?