The seemingly simple “Who” question can generate more consternation than the previous two questions combined, particularly from your partners in HR and Labor & Employment Law. While answering the first two questions is often labor intensive, this last query raises issues of policy, organizational culture, and law. Companies may learn that some CBI is assigned to contractors, and the team must wrestle with the issue of whether people with less allegiance, and more transient tenure, should be entrusted with the firm’s future. Yet, identifying employees who require access to CBI is easy compared to planning how to relate to them insider threat programs. This discussion should include: standards for employees to receive and maintain CBI access; policies on travel and device security; enhanced computer monitoring; and, governance protocols for investigative response to suspicious conduct. Importantly, the approach to such vital and often singularly knowledgeable employees should be an inclusive one that views them as special stewards with more responsibility than the average employee.