Data breaches are typically associated with hackers maliciously attacking companies for financial gain. Often companies do not expect to face an attack and believe the risk of a breach is remote. However, the potential for human error should not be overlooked. In fact, most data breaches occur because of employee negligence (especially when working remotely).
The reasons for an employee-caused data breach vary from disgruntled (ex)employees seeking revenge (see for instance the Morrisons case in the UK) to employees performing work duties in “alternative” ways (e.g., an HR person sends a list of employee salaries to a personal email address). The fact that employees do not intend to cause harm does not always mean that no harm is caused.
Frequent examples of employee behaviour that leads to a data breach include leaving confidential documents in communal areas (e.g., at printers or in social areas); sending emails to incorrect recipients (internal and/or external); misusing confidential information relating to other employees, customers or any other individuals; and allowing (including by negligence) cyber-attacks to occur by not following security practices or by disposing of confidential information improperly.
What should employers do?
First and foremost—prepare.
To prepare for a data breach, employers should focus on the following:
- Ensure that employees receive appropriate training
Many companies already have a cybersecurity training program in place. However, the depth of its content may be insufficient. Employees should be trained on what is relevant to their specific role (so that they can apply their new knowledge in practice right away). Employees must also understand what to do and whom to call in critical situations—often the only thing to do is to talk to the right person.
- Keep up to date
Employers should be informed about industry trends, compliance requirements and the latest global cybersecurity developments. It is crucial for companies to ensure that their internal regulations, policies and guidelines are kept up to date.
- Make cybersecurity a priority
It has become common practice for companies to focus on securing their networks, systems, applications and devices and to develop security protocols and establish incident-response processes. Securing physical access to information is no less important (i.e., restrict access to sensitive information, shred paper documentation when necessary, etc.).
- Partner with an expert
Having an experienced partner (in the field of cybersecurity, data protection, IT and law) may be lifesaving. Such experts may reveal vulnerabilities in your networks, applications, and infrastructure and can help put you on the path to correct them.
If a data breach has occurred, the employer should do the following:
- Find out what happened.
What information leaked? Will any individuals be harmed (personal data breach)? Will the company or operation of the business be impacted?
- Communicate with the right people.
Business, IT and Legal must jointly assess which actions take priority. Include communications experts if the breach is likely to be publicised.
- Act quickly.
It is necessary to stop the breach as soon as possible in order to mitigate the damage.
- Make notifications.
Notify the data protection authority and other relevant authorities (as necessary).
HOW TO DEAL WITH BREACHING EMPLOYEES
Even if an employee causes a data breach unintentionally, there may still be adverse consequences.
Companies may choose to dismiss the employee. This must be considered carefully, as Slovak law allows only limited grounds for such a dismissal and the employee’s actions might not always qualify. A less serious breach of work discipline would probably be the most frequent ground relied on. It is important, however, to consider the specific case. Has the employee manifestly broken clear policies? Did the individual try to inform the employer of insufficient security? Did the employer downplay possible risks due to budgetary concerns? In exceptional cases (when the actions qualify as a criminal offence or a serious breach of work discipline), the employee may be dismissed with immediate effect.
It is imperative to understand what truly happened, as sometimes the facts may be different than they initially seemed. For example, the malicious action may have been carried out by someone impersonating a colleague. If the facts are not clear, a dismissal might be legally challenged.
Information gathering is therefore essential. Where the employer identifies an ongoing breach, it is crucial to secure appropriate evidence. If possible, eliminate the risk (e.g., by restricting the individual’s access to the internet) while allowing them to continue the breaching activity. This helps ensure that sufficient evidence is collected to substantiate any dismissal or similar action.
WHAT TO EXPECT
A data breach unfortunately does not end with resolving the IT issue, notifying the appropriate authorities and (possibly) dismissing an employee. There may be notification obligations towards your customers, crisis communications, and even litigation by impacted individuals.
Data breaches are not a question of “if” but “when”. They may not always be visible at the outset and may seem like minor or innocuous acts. Nonetheless, when one occurs, the company must not hesitate and act quickly. Are you ready?