The insurer claims to have "internal processes that track access to [customer] records". So why did this employee's privacy violations go on for 3 years without being detected?
One clue is the company's announcement, which does not indicate HOW they caught the rogue employee, just that the "breach of privacy was brought to the attention of the Commission’s Chief Executive and Privacy Officer". Perhaps the passive voice is being used because their "internal processes" were not the source of the discovery.
"We have zero tolerance when it comes to unauthorized access to confidential client information." - Organization's Privacy Officer
If the insurer was depending on employees to discover and report data privacy violations, it is not surprising it took years. A good Identity and Access Intelligence service would have caught the rogue employee 3 years earlier and demonstrated "Zero Tolerance" for breaches of customer data privacy.
Learn how to detect privacy violations when they happen, not 3 years after the fact. Download a whitepaper on a service that proactively identifies unauthorized breaches of customer data privacy, even by employees - with no hardware and no on-site software.
(a) Workplace Health, Safety and Compensation Commission addressing privacy breach - Insurer's website, February 3, 2012
(b) Workplace safety commission reports privacy breach - The Telegram, February 3, 2012