Interesting that even Trendmicro were subject of an internal human behaviour issue - potentially 12 million people within the database. Potentially another GDPR or privacy prosecution in the making.
There are relatively few ways to control for rogue insiders 100% effectively.
A staffer with properly authorised access to data can often take it to sell on. The case of Morrison's in the UK is a case in point, in which the employer is being judged to be vicariously liable for the breach. And for those that suggest DLP is a solution, I've come across staff taking photos of screens, printing out materials and writing details on post it notes. You can do you're background checks, ban smartphones, implement DLP, lockdown removable media, implement VDI and disable cut and paste, install CCTV, closely supervise staff and conduct random physical searches. And still they'll be a residual risk if the data can be monetised.
I agree, this is much like privileged access of all kinds. The risk is always there, and you have to use the fear of getting caught as a mitigating control. All the controls you mentioned, CCTV, etc. need to be VERY visible, and if anyone is caught, it needs to be as public as possible, within the relevant privacy laws and policies, of course. But if everyone knows that John spent 60 days in jail and was fined $10K for selling PII, they are less likely to do it. If everyone is quiet about what happened (Not just what COULD happen, but what DID), then it is far more likely to happen again.
...controls... need to be VERY visible,
The thing about visible controls (including public executions) is that they also enable the adversary learn how to bypass your controls.
If you ever have the chance to visit Israel, you might contrast their approach to airport security vs the TSA/USA approach. Their focus is geared towards multiple subtle control points, rather than a single "castle wall" that the adversary can surveil for weakness.
@rsladeI think both myself and the community would be very interested in some additional examples and links, if possible?
It appears more is coming out, with even Twitter having similar problems: