The Solution | First, companies need a policy that explicitly states what can and cannot be sent out via e-mail or IM. "A lot of companies don’t have good acceptable-use policies for e-mail," says Michael Osterman, founder of Osterman Research. He suggests that they map out how employees should handle confidential information, offer them training and have them sign a one-page document stating that they have taken the course and understand what to do. University of Kansas officials say they have "undertaken internal measures—such as reviewing e-mail and privacy policies, and training staff—to ensure it does not happen again."

Osterman also suggests that CIOs add an outbound scanning system to the existing e-mail system that looks for sensitive content in e-mails (such as 16-digit numbers, which could be credit card numbers). He says these systems are inexpensive and are offered by scores of messaging vendors; some vendors will even do a complimentary scan of a company’s messages to see how bad it might be. One vendor that he’s familiar with started scanning a new customer’s network and found 10 violations in 10 minutes.

No One Noticed? Really?

The Hole | Orazio Lembo, of Hackensack, N.J., made millions by purchasing account information from eight bank employees who worked at several financial institutions, including Bank of America, Commerce Bank, PNC, Wachovia and others. Lembo paid $10 for each pilfered account. Most of the felonious employees were high-level, but two bank tellers were also arrested. Lembo had approximately 676,000 accounts in his database, according to Capt. Frank Lomia of the Hackensack Police Department, an official investigating Lembo.

The Problem | Capt. Lomia says that many of Lembo’s contacts usually accessed and sold 100 to 200 accounts a week—but one managed to access 500 in one week. "What surprised me is that someone could look at 500 accounts and have no one notice," he says.

The Solution | CIOs, with the help of the HR, security and audit functions, need to institute a clearly defined policy on who has access to what information, how they can access it and how often. After all, with HIPAA, Sarbanes-Oxley and Gramm-Leach-Bliley looking over CIOs’ shoulders, compliance and controls have to be on the top of the to-do list. "Through all the phases of information creation to maintenance and storage and destruction," asks PwC’s Lobel, "do you have that data classification and lifecycle process, and do people know what it is?" Lobel says many of his clients have compliance controls, but employees either don’t know such controls exist or aren’t clear where they apply. "User education is not easy, but it is worth the effort," he says.