Plugging the Gaps: Reducing the Risk of Data Breaches by Employees

Data leaks are a hot topic, particularly in the retail sector.  

Whilst data leaks can result from external attacks, many businesses forget that human error can’t be eradicated and employees are a risk factor in the handling of data.

Employees may inadvertently or deliberately misuse an organisation’s confidential information and personal data.

Data leaks can result in significant financial exposure and reputational damage for organisations, so it’s essential to mitigate risks, by implementing appropriate technical measures, and reacting swiftly when things go wrong.

Policies and Procedures

Employers should ensure employees understand the organisation’s rules about confidential information and personal data, so they know what their personal responsibilities are.

Maintaining up-to-date and accessible policies is one practical step to take. Such policies could include:

1. Data Protection, Data Classification and Clear Desk Policies setting out the organisation’s required standards for the maintenance of data security; and
2. A provision that breaches of the organisation’s data policies will result in disciplinary action, up to and including dismissal. Instances of serious misuse of personal data or theft of confidential information should be clearly listed as examples of gross misconduct.

Policies which aren’t implemented day-to-day by an organisation or kept up to date are not fit for purpose. Effective management and regular training are therefore also important to embed good data practices amongst the workforce.

Contracts of employment

Employees’ contracts of employment, especially those for senior employees or individuals with access to personal data, should:

1. Clearly define what the organisation considers to be confidential information and trade secrets, and impose a duty on the employee not to disclose such information;
2. Directly refer, and insist on adherence, to the organisation’s data protection, communications and monitoring policies;
3. Require employees to surrender or delete all confidential information and personal data on termination of their employment. Employers can mitigate this risk by using secured environments that, for example, don’t allow employees to download data to personal devices; and
4. Include restrictive covenants prohibiting disclosure, retention or misuse of confidential information and personal data after the employment has come to an end.

Disciplinary action against employees following a data leak

More often than not, employers only become aware of misuse or theft of confidential information after an employee has left the organisation.

Disgruntled employees tend to have a greater propensity to breach an organisation’s rules in the lead up to their exit from the business.

Red flags include:

1. Sending data to personal email addresses;
2. Exporting data to USB devices or uploading data to external storage sites; and
3. Excessive printing or photocopying.

If discovered whilst in employment, an employee’s dismissal for the misuse or leaking of confidential information will usually fall within the ‘range of reasonable responses’ an employer’s actions must meet when considering a dismissal.

Employers will need to consider:

1. Suspension: an employer is likely to be well within their rights to suspend an employee suspected of a serious misuse of personal data or confidential information, to enable a thorough investigation and to prevent further misuse during this time.
2. Fair Process & Investigation: employees with more than two years’ service have the right not be unfairly dismissed. Someone senior within the organisation should be appointed to investigate and document the alleged breach.
3. Hearing & Decision: a decision maker, not involved in the investigation, should be appointed to hear the evidence and decide any sanction to be imposed if the breaches are well-founded.
4. Appeal: usually, even when allegations seem clear-cut, employers should ensure any appeal is carried out by someone more senior to the decision maker.
5. Is there a public interest defence? Organisations should get legal advice if an employee relies on a public interest defence or asserts that they are a ‘whistle-blower’. If established as a ‘whistle-blower’, a dismissal could be unlawful.

What if the employee has already left the organisation?

If an employee has already left the organisation when the breach is discovered, an organisation should still investigate and preserve evidence.

Organisations still have options to safeguard confidential information and personal data, including;

1. Enforcing the obligations and protections in the employee’s contract of employment;
2. Seeking undertakings from the ex-employee for the return or deletion of data; and
3. Applying for a court injunction prohibiting the ex-employee’s continued misuse of the data, or claiming damages.

Best practice in prevention, mitigating and responding to data breaches

1. Employers should make technical and organisational improvements to IT infrastructure to prevent and detect suspicious or unusual activity.
2. Organisations should adopt a data breach policy, outlining what senior management will do after a breach, and a data breach record detailing incidents and steps taken. This creates an audit trail and is particularly important if the data protection regulator (ICO) gets involved.
3. After a breach is discovered, time is of the essence. Organisations should try to contain it immediately. This may involve the IT team suspending the employee’s network access or shutting down affected systems.
4. Following any data breach, organisations should consider preparing a post-incident report addressing the cause of the breach and detailing steps taken to address any underlying issues. This could involve developing technical solutions, offering more staff training, or improving security measures.

If you have any information regarding this topic, please contact one of our Employment or Data & Privacy experts.