American Express Insider Case: When Access Turns Personal

24.06.2026

An Australian regulator has ordered American Express to compensate a customer whose personal financial data was improperly viewed by a company employee.

The investigation was conducted by the Office of the Australian Information Commissioner (OAIC) following a complaint from a former American Express customer. According to media reports, an employee of the company, with whom the complainant had previously been in a personal relationship, used their work access to view the complainant’s personal financial information. The data was accessed both during the relationship and after it had ended.

American Express did not dispute that the access had occurred. During the investigation, the OAIC found that the company had failed to take sufficient measures to protect the complainant’s personal information from unauthorized access by an employee.

According to the regulator’s findings, American Express breached Australian Privacy Principle 11.1 under the Privacy Act 1988. This principle requires organizations to take appropriate measures to protect personal information from unauthorized access, modification, disclosure, loss, misuse, and interference.

Following the investigation, American Express was ordered to:

  • pay the complainant $23,000 in compensation for economic and non-economic loss, as well as reimburse the costs associated with filing the complaint;
  • send the complainant a written apology signed by a company representative;
  • implement technical access controls in relevant systems to restrict employee access to specific customer information;
  • introduce unified access and activity logging at the customer account level across all internal AmEx systems.

Such logging must record when an employee accesses a customer’s data and what actions are performed on the customer record.

The case materials state that American Express initially told the OAIC it was unable to restrict employee access to specific customer records in some of the company’s systems.

Instead of technical restrictions, the company relied on employee training, internal policies, and its code of conduct. American Express later stated that it could suspend an employee’s access to a system or remove their access rights entirely. However, the OAIC noted that this capability alone is not a sufficient measure if it is not actually used to reduce the risk of a data leak.

The regulator also considered a just-in-time access approach to be reasonable. Under this model, an employee receives access to a customer’s data only for a limited time and for a specific reason, for example after confirmation from the customer, rather than having permanent access to all information available under their assigned role.
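The two controls above, account-level access logging that records who touched which customer record and when, and just-in-time grants tied to a stated reason, can be checked against each other. The following is an added illustration, not code from the page or from American Express or SearchInform; the log format, grant structure, employee and customer identifiers, and timestamps are all constructed for the example.

```python
"""Audit customer-record access events against just-in-time (JIT) grants.

Constructed example: every access to a customer record must be covered by a
time-limited grant that names the employee, the customer and the reason
(e.g. a customer-confirmed callback). Accesses with no active grant are the
ones an insider-risk review should look at first.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Grant:
    employee: str
    customer_id: str
    reason: str          # why access was needed, e.g. a case or ticket reference
    start: datetime
    ttl: timedelta       # the grant expires after this window

    def covers(self, employee: str, customer_id: str, at: datetime) -> bool:
        return (self.employee == employee and self.customer_id == customer_id
                and self.start <= at < self.start + self.ttl)


@dataclass(frozen=True)
class AccessEvent:
    at: datetime
    employee: str
    customer_id: str
    action: str          # what was done on the customer record


def parse_log_line(line: str) -> AccessEvent:
    """Parse one constructed log line: '<iso-timestamp> <employee> <customer> <action>'."""
    ts, employee, customer_id, action = line.split()
    return AccessEvent(datetime.fromisoformat(ts), employee, customer_id, action)


def audit(events: list, grants: list) -> list:
    """Return events not covered by any active grant (unexplained access)."""
    return [e for e in events
            if not any(g.covers(e.employee, e.customer_id, e.at) for g in grants)]


# Constructed sample data: one 1-hour grant and four access events.
T0 = datetime(2026, 6, 1, 9, 0)
GRANTS = [Grant("emp042", "cust-7781", "case-1001 customer callback", T0, timedelta(hours=1))]
LOG_LINES = """\
2026-06-01T09:10:00 emp042 cust-7781 view_transactions
2026-06-01T12:00:00 emp042 cust-7781 view_transactions
2026-06-03T09:00:00 emp042 cust-7781 view_profile
2026-06-01T09:20:00 emp042 cust-9999 view_profile
"""
EVENTS = [parse_log_line(line) for line in LOG_LINES.splitlines()]

if __name__ == "__main__":
    for e in audit(EVENTS, GRANTS):   # prints the three accesses with no active grant
        print(f"{e.at.isoformat()} {e.employee} -> {e.customer_id} {e.action}: no active grant")
```

Only the first event falls inside the grant window; the second is after expiry, the third has no grant at all, and the fourth targets a customer the grant never named.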


The American Express case shows why insider risk management requires more than policies and employee training. This is especially relevant for financial organizations, where employees work with large volumes of sensitive customer, payment, and account data. Regulators now expect organizations to have technical controls in place: restricted access to customer records, detailed logging of user actions, and the ability to understand who accessed sensitive data, when, and why.

A comprehensive DLP solution helps cover these requirements in practice. SearchInform Next-Gen DLP Risk Monitor enables organizations to securely manage access to sensitive data, monitor user activity, track user interactions with confidential information, proactively detect risky behavior, and support a just-in-time access approach by helping restrict access to sensitive data when it is no longer required for an employee’s task.

Request a free trial to see how SearchInform Risk Monitor can help your organization detect insider risks, control data access, and protect sensitive customer and financial information.
