Submission Date:
Question:
What recourse may a library board take, if a former director removes all library files from a library owned computer that relate to the running of the public library?
Answer:
Every employer struggles with this issue: give employees enough access to electronic information to do their jobs, but protect that information from accidental disclosure, file corruption, and theft.
Solid practices like routine security updates, back-ups, password re-sets, and employee training can help a library avoid the worst IT disasters. But what if someone in a position of trust simply abuses their access? What if a scenario like the member's question should arise?
There is a process to address this type of scenario. In order to ease an adrenalized mind,[1] it is presented below in grid form.
Upon suspicion that files have been removed or inappropriately removed by a former library employee, follow these steps to assess what recourse a board might have:
|
Action |
Why you do this |
Results |
|---|---|---|
|
1. Upon suspicion that files have been removed, if possible, do not take further steps alone. Create an "Initial Response Team" of at least two people to do the next four steps, and designate one of them as the note-taker and document-keeper. If your library's computer system is supplied or supported by a cooperative library system, one of these people should be from the system.[2] Organizing a time-line and take photos or screenshots of information showing the potential problem. |
The facts you assemble and first steps you take may have far-reaching consequences for your library's response and recovery, as well as for the potential wrong doer. At this stage, however, you'll just be documenting what appears to be missing. No deep-dive investigation. It should only take an hour or two.[3] |
Initial Response Team formed and responsibilities of team members made clear. Note-taker assembling information. |
|
2. Without letting it take more than an hour (or two) and without making any changes to your system, assess and create an informal list of what appears to be missing (file types, specific types of information, locations), when this was noticed, and what the first signs of the concern were. This will be your "Initial Inventory." |
You need to have a foundation for your next steps, so you're creating a quick description of the possible situation. |
An Initial Inventory you will use in the next few steps. Note: The "Initial Inventory" is not an attempt to assess what happened, just to list what might be missing, and a few initial details.
|
|
3. Look over the Initial Inventory. Could any of the missing files contain personal/private information, such as: name, address, date of birth, ssn, library card number, credit card information, contact information, banking information, health-related information, computer use, passwords, or circulation records? |
If the answer is "yes," add the phrase "…possibly includes loss or compromise of private information and/or library patron records" to the Initial Inventory. |
This part of the Initial Inventory will help those assessing the issue quickly appreciate the possible privacy and confidentiality implications of the situation. |
|
4. Contact the library's insurance carrier, and alert them that you may have had a loss of data related to "unauthorized computer access that may involve a former employee." If your Initial Inventory includes a "yes" to Step #3, also state: "The situation may have involve personal and confidential information." If your initial contact is by phone, confirm the notice via a letter or e-mail. |
Depending on your library's insurance type, you may be covered for this type of event. Notifying your carrier and following up in writing will help the library determine if the carrier will provide coverage and/or assistance for the event. |
Timely notice to the library's insurance carrier, enabling your carrier to let you know if you have coverage and if they can provide assistance in recovering from the event. NOTE: If the event is covered, some or all of the remaining steps could be impacted by the participation of the carrier. |
|
5. With the Initial Inventory complete and the carrier on notice, the board (or director, if the board has delegated the right amount of authority to them) must decide who is in charge of next steps: the full board, a board committee, the Director and a team, or any combination of people needed to assess the matter. This "Response Team" should have the power to appoint a qualified professional to assess the situation, to retain legal assistance if warranted, and to recommend a final course of action to the board. In no event should a report to the board (or Executive Committee) extend the timeline for arranging a response beyond 3 business days. |
Unauthorized computer access involving a former director (or any employee) is serious enough to warrant board involvement, whether or not personal and confidential information. This is especially true since, in a worst-case scenario, the library may have to report a data breach, expend resources to re-create or retrieve the information, work with an insurance carrier to recover from the loss, consider if any aspects of the former employee's contract or severance apply (if there was either/or) and based on what is discovered, consider whether or not to file a report with law enforcement. |
Clarity as to who is in charge, what level of authority they are working with, and who they will bring on to assist with the investigation and recovery. |
|
6. Alert the library's lawyer by sending them a copy of the Initial Inventory, and connect them to the Response Team, so they can assist at needed.
|
It will be the lawyer's responsibility to work with the Response Team and others to ensure the library is positioned to seek relief from the carrier or the former employee, to assess any relevant contracts (for instance, if the files were deleted from a cloud server), and to advise the board about filing a report with law enforcement, or pursuing civil remedies. |
Attorney-client privileged input to help assess response options in the best interests of the library. |
|
7. The Response Team should retain a qualified IT/data security professional to assess and develop an "Incident Report" with a Final Inventory of what is confirmed as missing, a conclusion as to how it went missing, and if/how it can be recovered. |
This should be done within 3 days of discovery and before there are any changes to the system. Ideally, this work should only be performed after the library and the IT professional sign a written contract that is reviewed by the lawyer. |
A contract with a qualified firm; A certificate of insurance from the professional firm; A written Incident Report from the firm. |
|
8. Based on the value, sensitivity, and type of information in the Final Inventory, work with the IT professional and lawyer to assess any legal steps the library must take to recover or to give required notifications of data breach. |
Depending on what went missing, the library could have concerns under any number of laws. |
The final recommendation should be a memo to the board, regarding any necessary steps (or confirming not are needed). |
|
9. Based on the complete Incident Report's assessment of what is missing, how it went missing, and if/how it can be recovered, and any relevant details about the employee, develop a course of action. |
For more on this aspect, see the rest of this RAQ. |
Recourse. |
What happens as part of number "9," is the actual answer to the member's question. But until a library follows steps "1" through "8," it can't fully know its options under "9."
And what can happen as part of "9"? The range of consequences for unauthorized computer access and/or data destruction is vast, running from criminal penalties to civil remedies. And if considered with solutions for how a library can recover from the loss, there are further possibilities.
If I was on the board where a former director removed all the library files from a library owned-computer that relate to the running of the public library, at the end of the day, here's what I'd want get out of "The Files Are Gone" process:
- Know if the files were simply removed, or if they were removed and accessed/disclosed beyond the library;
- If they were disclosed beyond the library, what the library must do to address that (including special considerations if personal or confidential information was accessed);
- If the files were only removed, know if they can easily be replaced, or if they were the library's only copy;
- If they can't be easily replaced, how much it will cost to replace them, and any negative impacts we'll experience until we do;
- How we have concluded the files were removed by the former employee, if they were an employee when they did it, and what the due process is for addressing that;
- If (based on all the information gathered, and more that will be specific to the situation), the board should contact the police, or consider a civil claim against the former employee.
By demanding solid, well-documented and qualified answer to these questions (What happened? how does it impact the library? What can we do?) a board member is being a good fiduciary, and positioning the library to identify the best recourse.
Now let's say that, in the grand scheme of things, the "missing files" appear to be pretty minor (and do not involve private information). Let's say that, for whatever reason, the outgoing employee deleted all the library's "standard operating procedures." Not the policies--those are on the library's website and backed up in numerous places - but all the details about (as the question says) "running the library:" How to organize the courier manifest. The templates for the volunteer letters and community meeting notices. The budget template and calendar for strategic planning. Their own emails on their library account. Nothing private, no circulation or credit card information, but a body of work that represent hundreds of compensated hours…lost.
This may seem like the kind of loss that isn’t dire enough to warrant the steps I have outlined above, but it absolutely is. First, only a professional can say when data is truly "lost" (especially emails). And even if, at the end of the day, there is a board decision not to pursue any consequences (privately, civilly or criminally), such (in)action must be based on good information--not just the result of a decision not to investigate in the first place.
The budget for such response, if planned carefully, can be very modest (under $1500).[4] Reaching out to a library's system and regional council to find the professional you need might help the library get those services at a reasonable price (and again, depending on the system-library service agreement, much more).
Why am I adamant about this follow-through, even for a "small" incident? Because sometimes a "small" incident is only the tip of a much larger iceberg. Unauthorized data destruction by a former employee could be a serious breach of their duty, the law--and even their oath of office. But it might not be. The right response, and the fair response, can only be formulated through careful documentation and analysis.
This is what positions the board to know what recourse it can take, when presented with such a serious situation.
Thank you for trusting "Ask the Lawyer" with this sensitive question.
[1] If you are reading this while working on this type of issue, take a deep breath. You've got this.
[2] There are too many types of IT supply/support arrangements out there for me to be more precise than this. Some systems are essentially the IT department for their member libraries. Others are not. This aspect will be governed by the System's member contract…but generally, a good place to start is on the phone!
[3] In keeping with the question, this chart addresses what to do if the person involved is former employee. If the person is a current employee, the Response Team should include someone qualified to assess an appropriate response that ensures 1) due process for the employee; 2) security for the investigation; and 3) stability for ongoing operations of the library.
[4] Is this a low-ball figure? Could it be much bigger? Yes. But if it gets much bigger, that should be because it's actually a big problem that needs to be solved.
Tag:
Data, Ethics, Management, Security Breach, Employment, Templates
