Governance, Risk & Compliance — Cross-Functional Coordination · CISO / CHRO / CCO

A Data Breach by an Employee Lands on Security, HR, and Compliance in the Same Hour. Each Leader Can Quietly Solve Their Own Slice and Assume the Rest Is Handled — or Recognize That It’s One Shared Incident and Pull the Others In. Three Competent People. One Decision, Repeated Three Times.

A three-perspective coordination scenario — the CISO who finds the unauthorized access, the CHRO brought in on the misconduct, and the CCO handed the regulatory dimension late. Unlike most scenarios, no one here makes a dramatic wrong call. The risk is subtler and far more common: three good leaders each handling their own function well, and no one recognizing that the incident belongs to all three at once.

Quick Answer

When a data breach involves employee misconduct, whose problem is it — IT security, HR, or compliance?

All three, at the same time, from the first minute. An employee who deliberately accessed and exfiltrated protected health information creates a security incident (close the hole, preserve the logs), a personnel matter (investigate and discipline the misconduct — without retaliating against the colleague who reported it), and a regulatory event (a HIPAA breach assessment whose notification clock has already started).

The failure mode is not that any one leader makes a bad call. It’s that each competent leader solves their own slice and assumes the rest belongs to someone else — so the deadline gets missed, the reporter gets exposed, or the evidence gets destroyed. The right behavior at every seat is the same: recognize that the incident is shared, and pull the other two in immediately, before handling only your part.

Four Pressures That Pull Good Leaders Into Their Silos

None of these is a temptation to do something wrong. Each one is the pull to do your own job well, which is exactly what makes them hard to see.

Pressure 1 — Clear Ownership

“This is a security incident. It’s mine. Everyone has their lane — I’ll run mine cleanly and hand off a tidy package when there’s something to hand off.”

Pressure 2 — Speed

“Every minute I spend convening other people is a minute the hole stays open. Coordinating feels slower than acting — and right now acting is what matters.”

Pressure 3 — The Hand-Off Assumption

“Compliance and HR will get looped in through the normal process. That’s not mine to trigger — it’ll reach the right people on its own.”

Pressure 4 — Keep It Tight

“The fewer people who know, the better — less chance of leaks, panic, or premature escalation. I’ll widen the circle once I understand what we’re actually dealing with.”

One Incident. Three Chairs. The Same Recognition Each Time.

At Calderwynn Health, a healthcare technology company that holds protected health information for millions of patients, a senior data analyst named Brett Coyne accessed and downloaded a large volume of patient records he had no business touching. A teammate, Sam Devlin, had noticed Coyne’s unusual queries days earlier and quietly flagged them. Now the incident reaches three leaders — each from a different door.

The CISO’s Moment — Nathan Osei

Nathan Osei, Calderwynn’s CISO, sees it during routine log review: Coyne pulled tens of thousands of patient records over several days, far outside his role, and exported them. Following Sam’s earlier flag, Nathan’s team has the trail.

Nathan does what a strong security leader does. He moves to contain — revoke Coyne’s access, isolate the affected systems, preserve the logs and forensic images, and start mapping exactly what was left in the building. He opens an incident ticket and begins writing it up so that when it’s buttoned down, he can hand a clean, complete package to whoever needs it next.

Everything he’s doing is right. The problem is the frame. In Nathan’s head, this is a security incident he owns, to be resolved and then handed off. What he hasn’t named — yet — is that a person did this deliberately, which makes it a personnel matter the moment he revokes access, and that the records are regulated PHI, which means a notification clock is already running and the people who manage that clock are not in the room.

He’s deciding how wide to open the circle, and how soon.

The CHRO’s Moment — Yvonne Tran

Yvonne Tran, the CHRO, gets the call framed as an employee-conduct issue: an analyst pulled data he shouldn’t have. She knows this playbook cold. Serious misconduct calls for a prompt, firm, well-documented response — suspend Coyne today, secure a formal interview, move toward discipline, protect the company.

Her instinct to move fast and decisively is, in almost every other context, exactly right. Here, it runs into two things she has to recognize before she acts. First, if she suspends and confronts Coyne on HR’s normal timeline, she may tip him and taint or destroy evidence that the security and compliance investigations depend on — the sequence matters, and it isn’t hers to set alone. Second, Sam Devlin, who raised the alarm, is now a reporter who must be protected; a fast, opaque process that pulls Sam into interviews or lets Coyne guess who flagged him can chill the very behavior Calderwynn needs and create a retaliation problem on top of the breach.

She’s deciding whether this is hers to run on HR’s clock — or whether the clock belongs to the room.

The CCO’s Moment — Curtis Lane

Curtis Lane, the Chief Compliance Officer, is brought in last, on what’s described to him as a possible data exposure that IT and HR are “already handling.” His instinct is patience: let security finish the forensics and HR finish the investigation, then he’ll run a clean HIPAA breach assessment on settled facts rather than chasing a moving target.

That instinct is the trap, and it’s a quiet one. Under the HIPAA Breach Notification Rule, the organization is treated as having discovered the breach on the first day any workforce member knew — or with reasonable diligence should have known — about it. That was days ago, when Sam first flagged Coyne’s queries, not today, when compliance was finally told. The notification deadline has been running continuously, unmanaged. Waiting for the others to “finish” doesn’t pause the clock; it just burns days off a deadline Curtis didn’t know had started — and state breach laws may run shorter still.

He’s deciding whether the compliance assessment starts now, in parallel, or after everyone else is done.

Three Sets of Choices

Each leader faces the same decision shape: handle my slice alone, recognize the shared incident and coordinate, or overcorrect into a different kind of damage.

For Nathan (CISO) — What Should He Do?

Choice A — Proceed siloed. Contain and remediate quietly, preserve the evidence, finish a clean incident report, and route it onward through normal channels once it’s fully buttoned up.

Choice B — Coordinate. Contain the technical issue immediately and, in the same hour, pull in the CCO and CHRO — naming the deliberate-misconduct and PHI dimensions explicitly — so all three clocks start together and the response is sequenced as one.

Choice C — Overcorrect. Treat it as a full catastrophe — shut down broad swaths of systems, lock out adjacent employees, and escalate straight to the CEO and board before the facts are established.

For Yvonne (CHRO) — What Should She Do?

Choice A — Proceed siloed. Run HR’s standard misconduct playbook on HR’s timeline: suspend Coyne today, interview, move to discipline — a personnel matter to resolve cleanly and fast.

Choice B — Coordinate. Sequence the disciplinary steps with security and compliance so that evidence is preserved before Coyne is confronted, and immediately put protections in place for Sam Devlin as a reporter — shielding their identity and monitoring for retaliation.

Choice C — Overcorrect. Lock everything down — suspend Coyne, Sam, and the whole team pending investigation, and freeze communications so hard that security and compliance can’t get the people or information they need.

For Curtis (CCO) — What Should He Do?

Choice A — Proceed siloed. Wait for IT and HR to finish so the breach assessment rests on complete, settled facts before the notification clock “really” starts.

Choice B — Coordinate. Start the breach risk assessment immediately and in parallel, document the organizational awareness timeline from Sam’s first flag forward, and begin preparing notification paths — refining as the facts firm up.

Choice C — Overcorrect. Notify HHS, every individual, and the media right away on incomplete facts “to be safe,” before the risk assessment establishes whether, what, and whom the organization must actually notify.

The Right Calls — Coordinate, at Every Seat

For Nathan: Choice B — contain and convene in the same hour.

Choice A is the most seductive because it looks like discipline: own it, finish it, hand off a clean package. But the “hand off when it’s buttoned up” delay is exactly the window in which HR’s clock and the regulatory clock run unmanaged. A deliberate insider exfiltration of PHI is almost certainly a reportable breach, and the two functions that handle that were not in the room. Choice C swings too far — shutting down broadly and escalating to the board before the facts exist destroys proportionality, can wreck evidence, and can tip the employee. Containment is urgent; isolation of the whole company is not. The move is to contain and name the other two dimensions out loud, immediately.

For Yvonne: Choice B — sequence with the others, and protect the reporter.

Choice A is dangerous precisely because it is good HR practice in the wrong context. A fast, unilateral suspension and interview can tip Coyne before forensics are preserved and can expose Sam as the source, converting a clean breach response into a spoliation problem and a retaliation claim. Choice C overcorrects into paralysis and, by suspending Sam alongside the wrongdoer, becomes the retaliation it was meant to avoid. The discipline will happen — but the timing is up to the room, and the reporter is protected from the first minute.

For Curtis: Choice B — start now, in parallel, and document the timeline.

Choice A misreads the rule: the clock didn’t wait for compliance to be invited. Because HIPAA imputes discovery to the organization at the first workforce member’s awareness, “I’ll start when the others finish” means days have already been lost from a deadline that began at Sam’s first flag. Choice C — blanket notification on incomplete facts — isn’t caution, it’s a different failure: premature, potentially inaccurate notice carries its own regulatory and reputational cost and preempts the risk assessment the rule actually requires. The assessment runs in parallel with the security and HR work, not after it, and the awareness timeline is documented from day one, because that timeline is the first thing a regulator will ask to see.

Why This Is Harder Than It Looks

The siloed path isn’t chosen by careless people. It’s chosen by competent ones, which is what makes it the hardest pattern to train out.

Functional excellence built the silo.

Each of these leaders is good at their job, and being good at it means owning your lane decisively and not meddling in someone else’s. The same instinct that makes a strong CISO, CHRO, or CCO — clear ownership, fast action, respect for other functions’ turf — is the instinct that keeps each of them inside their own slice. The virtue and the failure share a root.

The incident doesn’t announce its other dimensions.

It arrives at each door looking like one thing. To Nathan, it’s a log anomaly. To Yvonne, it’s a conduct file. To Curtis, it’s a possible exposure someone else is handling. Nothing about the way the incident presents itself signals that it has two other owners — that recognition has to be supplied by a person, not by the alert. If no one names the full shape, everyone responds to the silhouette they were handed.

Speed and coordination feel opposed — but the siloed path is the slow one.

In the moment, convening two other executives feels like a source of friction that slows the response. It’s the reverse. The siloed path misses the notification deadline, taints the evidence, and fabricates the retaliation claim — each of which costs far more time and damage than the ten minutes it takes to pull the others in. Coordination is not the expensive option; it’s the one that prevents the expensive outcomes.

The clock already started — earlier than anyone in the room thinks.

This is the trap hiding under the calm. Because HIPAA treats the organization as having discovered the breach when its first workforce member became aware, the deadline began the day Sam flagged the queries — not the day compliance was told. “We’ll start the regulatory assessment once IT and HR wrap up” feels prudent and is quietly the most dangerous sentence in the incident, because it assumes a clock that has, in fact, already been running. (Breach analysis is fact-specific; confirm obligations, deadlines, and any overlapping state-law requirements with counsel for any live matter.)

Risks This Scenario Addresses

Missed breach-notification deadlines. Treating a breach as purely technical or purely personnel lets the HIPAA clock — already running from the moment of organizational discovery — expire unmanaged.

Retaliation against a reporter. A fast or opaque HR process can expose or punish the colleague who raised the alarm — a second violation layered on the first.

Evidence destruction (spoliation). A disciplinary process that moves before forensic evidence is preserved can tip the wrongdoer off and compromise the investigation, on which the regulator and the company both depend.

Incomplete regulatory documentation. Without an awareness timeline captured from the first flag, the organization can’t show a regulator when it knew what — the first question OCR tends to ask.

Siloed incident response. The core risk: three functions each solving their slice, no one owning the seams, and the gaps between them becoming the failure.

Overcorrection. The opposite failure — blanket shutdowns, mass suspensions, or premature notification on incomplete facts — that trades one kind of damage for another.

Frequently Asked Questions

What makes a data breach a cross-functional incident rather than just an IT problem?

A breach caused by employee misconduct simultaneously creates a security event (containment, log preservation, access review), a personnel matter (investigation, discipline, and protection of anyone who reported it), and a regulatory event (breach assessment, notification obligations, and documentation a regulator may examine). Each dimension is owned by a different function, and each has its own clock. Routing the incident to only one function leaves the others’ obligations unaddressed — which is how deadlines get missed and reporters get exposed.

When does the HIPAA breach-notification clock actually start?

Under the HIPAA Breach Notification Rule, a breach is treated as discovered on the first day it is known — or by exercising reasonable diligence would have been known — to the organization, and that knowledge is imputed from any workforce member other than the person who caused the breach. Individual notification must follow without unreasonable delay and no later than 60 calendar days after that discovery date. The practical consequence: the clock starts when the first employee becomes aware, not when compliance is formally looped in — so the awareness timeline matters enormously, and state laws may impose shorter deadlines on top. Confirm specifics with counsel.

Isn’t moving fast on discipline the responsible thing to do?

Usually, yes — but in a breach involving misconduct, speed without coordination can backfire. Suspending and confronting the employee before forensic evidence is preserved can tip them off and compromise the investigation, and a rushed or opaque process can expose the colleague who reported the behavior. The discipline still happens; the difference is that its timing is sequenced with the security and compliance work rather than set unilaterally on HR’s normal clock.

Why does the colleague who reported the breach need special protection?

Because an employee who raises a good-faith concern about misconduct is a protected reporter, and any adverse treatment that follows — exposure of their identity, exclusion, suspension, or discipline — can constitute retaliation, a separate and serious violation. In a fast-moving incident it is easy to sweep the reporter into the same response as the wrongdoer. Protecting their identity and watching for retaliation from the first minute is part of getting the response right, not an afterthought.

What does “coordination” actually look like in the first hour?

It is concrete, not a meeting for its own sake. The function that discovers the incident contains the immediate technical risk and preserves evidence, and in the same window names the other two dimensions out loud and pulls in their owners. The three agree on who runs the breach assessment and when it starts (now), how the disciplinary steps are sequenced so evidence is preserved, and how the reporter is protected. Someone starts documenting the awareness timeline immediately. The goal is one incident with one coordinated response, not three parallel investigations that never speak.

What if we’re a business associate, not a covered entity?

The cross-functional logic is the same, but the obligations shift. A business associate that discovers a breach of unsecured PHI must notify the covered entity without unreasonable delay and no later than 60 days after discovery, and the business associate agreement often sets a shorter contractual deadline than HIPAA’s outer limit. That makes early coordination even more important, because the clock you are managing may be measured in days rather than weeks. Confirm your specific obligations and contractual timelines with counsel.
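The two FAQ answers above on when the clock starts and on the business-associate case both reduce to the same small rule: discovery is the earliest date any workforce member other than the person who caused the breach knew, and the outer deadline is 60 calendar days from that date (or the shorter contractual period in a business associate agreement). The following is an added illustration, not Xcelus scenario content and not legal guidance: it records an awareness timeline and computes the discovery date, the outer deadline, and how many days ran unmanaged before compliance was told. All dates are constructed (the page gives none), the function names are my own, and adding 60 calendar days to the discovery date is an assumed counting convention; the page's own advice to confirm specifics with counsel applies.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Sequence

# Outer limit stated on the page: individual notification no later than
# 60 calendar days after discovery. Counting calendar days from the
# discovery date is an assumption made for this example.
HIPAA_OUTER_LIMIT_DAYS = 60


@dataclass(frozen=True)
class AwarenessEvent:
    """One entry in the organizational awareness timeline."""
    when: date
    who: str
    note: str


def discovery_date(events: Sequence[AwarenessEvent], perpetrator: str) -> Optional[date]:
    """Earliest date any workforce member other than the person who caused
    the breach knew of it. Returns None if no qualifying entry exists."""
    qualifying = [e.when for e in events if e.who != perpetrator]
    return min(qualifying) if qualifying else None


def notification_deadline(discovered: date, contractual_days: Optional[int] = None) -> date:
    """Outer deadline: 60 days for a covered entity, or the shorter of 60 days
    and a business associate agreement's contractual period."""
    days = HIPAA_OUTER_LIMIT_DAYS
    if contractual_days is not None:
        days = min(days, contractual_days)
    return discovered + timedelta(days=days)


def days_unmanaged(discovered: date, compliance_told: date) -> int:
    """Calendar days the clock ran before compliance was looped in."""
    return (compliance_told - discovered).days


# Constructed timeline mirroring the scenario; the page gives no real dates.
TIMELINE = [
    AwarenessEvent(date(2026, 2, 25), "Brett Coyne", "perpetrator's own queries (excluded)"),
    AwarenessEvent(date(2026, 3, 2), "Sam Devlin", "flagged unusual queries to security"),
    AwarenessEvent(date(2026, 3, 6), "Nathan Osei", "confirmed export during log review"),
    AwarenessEvent(date(2026, 3, 9), "Curtis Lane", "compliance first told"),
]
COMPLIANCE_TOLD = date(2026, 3, 9)


def summarize(timeline: Sequence[AwarenessEvent] = TIMELINE,
              perpetrator: str = "Brett Coyne",
              compliance_told: date = COMPLIANCE_TOLD,
              ba_contract_days: Optional[int] = None) -> dict:
    """Discovery date, outer deadline, and days already burned, in one record."""
    discovered = discovery_date(timeline, perpetrator)
    if discovered is None:
        raise ValueError("no qualifying workforce awareness entry in timeline")
    return {
        "discovered": discovered,
        "deadline": notification_deadline(discovered, ba_contract_days),
        "days_unmanaged": days_unmanaged(discovered, compliance_told),
    }


if __name__ == "__main__":
    for label, contract in (("covered entity", None), ("business associate, 10-day BAA", 10)):
        s = summarize(ba_contract_days=contract)
        print(f"{label}: discovered {s['discovered']}, deadline {s['deadline']}, "
              f"{s['days_unmanaged']} days already run before compliance was told")
```

With the constructed dates, discovery is Sam's flag on 2026-03-02 (Coyne's own earlier activity is excluded), the covered-entity outer deadline is 2026-05-01, and seven days had already run when Curtis was told; a 10-day contractual BAA period would have put the deadline at 2026-03-12, three days after compliance first heard of the incident.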

How to Use This Scenario in Training

This scenario is built for the leaders who sit at the seams: CISOs and security leadership, CHROs and HR business partners, CCOs and privacy officers, General Counsel, and incident-response teams that must work across all three. It is most powerful run as a single mixed session with all three functions in the room at once — because the lesson is precisely what happens between them. Run it before you need it; the recognition it trains is worth nothing if it arrives after the incident.

Unlike most scenarios, the debrief doesn’t hunt for the wrong call. It asks each function to notice the moment they’d have stayed in their lane — and what would have to be true in your organization for someone to name the full shape of the incident out loud. This is the Decision Readiness Engine™ applied at the seams between functions: the recognition that triggers the coordination.

Read the Companion Article

This scenario is the concrete embodiment of Cross-Functional Compliance Decisions: Why Incidents Get Routed by Department Instead of by Risk, which argues that cross-functional failures usually start with one employee’s decision to route an incident by org chart rather than by risk, and that organizations reach for reorganization when the missing variable is decision-making. This page shows what good looks like at the seams.

Related Scenario Clusters

Governance, Risk & Compliance Scenarios →

Where this scenario lives — the decisions that fall between functions, where ownership is shared and the seams are where things break.

Reporting & Non-Retaliation Scenarios →

The reporter-protection thread in this scenario, explored in depth: what retaliation looks like when no one intends it.

Data Privacy & CCPA Scenarios →

The privacy and notification dimension — breach obligations, data handling, and the decisions that surround regulated data.

Train the Recognition That Triggers Coordination

Xcelus builds scenario-based training for the seams between functions — where security, HR, and compliance share an incident and the gaps between them become the risk. Recognition first, then the routing.

View the Compliance Reinforcement Kit →


© 2005–2026 Xcelus LLC. All rights reserved. Scenario content is original work protected by copyright. You may link freely — reproduction or adaptation without written permission is prohibited.

Compliance Reinforcement Kit — Cross-Functional Facilitation Guide

Running This Scenario as a 20-Minute Cross-Functional Discussion

Best run with security, HR, and compliance in the same room. If you can, assign one participant to each chair — CISO, CHRO, CCO — so the silo instinct shows up live.

Step 1 — Read the Situation (3 min)

Read all three moments aloud — Nathan, Yvonne, Curtis. Note that each is doing their job well. That’s the point.

Step 2 — Name the Pull (3 min)

Ask each function: “Reading your leader’s moment, what’s the honest pull — to handle your slice and hand off, or to stop and pull the others in?” Most people admit the pull is to handle their slice. That admission is the whole exercise.

Step 3 — Show of Hands (2 min)

For each leader, vote A (siloed) / B (coordinate) / C (overcorrect). Watch for the room confidently picking A for their own function while picking B for the others — the classic “my lane is simple, theirs is the complicated one” blind spot.

Step 4 — The Right Answer and the Key Concept (5 min)

The answer is B at all three seats. The concept to land: an incident should be routed by risk, not by department, and the clock often starts before the function that owns it is ever told. Use the HIPAA discovery point as the anchor: the deadline began when the first employee noticed, not when compliance was invited.

Step 5 — The Key Question (7 min)

Ask: “In our last real incident, who recognized that it crossed functions — and how long did it take before all the right people were in the room?”

Then the harder follow-up: “If it surfaced in your function tomorrow, what would actually make you pull the other two in within the hour — and is that a habit, or just a hope?”