What's behind the rash of employee cybersnooping?

It seems like a month doesn't go by anymore without news of another celebrity's personal data being peeked at by some employee at some workplace where the files are kept. It's news when Britney Spears' hospital records or Barack Obama's passport files get perused. But do these incidents represent a growing risk that privacy and security officers need to move up on their agendas?

Certainly we're hearing about more of these incidents. Among the more recent ones:

• In July, the State Department reported that employees had accessed nine "high-profile" passport files -- including those of Obama, Hillary Clinton, John McCain and Anna Nicole Smith — more than a hundred times. A subsequent audit of the files of 150 celebrities revealed that during the past six years, 127 of them had been accessed more than 4,000 times total.
• In May, five IRS workers were charged with computer fraud and unauthorized access to tax files beginning in 2005.
• The same month, a TV news anchor in Philadelphia came under investigation for allegedly reading the private e-mail of his co-anchor for several years.
• In April, the UCLA Medical Center detected that different groups of employees and unauthorized doctors since 1995 had been accessing medical records of celebrities such as Tom Cruise, Farrah Fawcett and Spears. At least one of the employees has been indicted for selling the data to media outlets.
• In February, Wisconsin utility giant WE Energies learned that employees had been routinely accessing customer information of local celebrities and others as far back as 2004.

But is there truly more employee snooping, or just more reports of it? One perspective says that we're hearing about more of these incidents because we're getting better at detecting them — not necessarily because they're increasing in number.

Advocates of this point of view cite three recent developments: the PCI Data Security Standard has prompted an increase in system logging and monitoring, corporations and academia have boosted their deployment of privacy breach-response plans to comply with various states' breach-notification laws, and federal agencies have done likewise to comply with a directive promulgated in the aftermath of the Department of Veterans Affairs laptop breach.

These are compelling points, but I don't agree with the conclusion.

If you look at the details of the cases above, they don't appear to be the result of improved execution of privacy breach-response plans. Rather, the perpetrators are getting busted by auditors and the data subjects themselves.

I do think there's more snooping going on. In June, Cyber-Ark Software Inc. released a survey of 200 IT professionals attending an Infosecurity Exhibition Europe conference the previous month. One-third admitted to using their system access to peek at other employees' personal information.