An Inside Job?

Audrey Williams
Audrey Williams

Last month a disgruntled Citibank employee was sentenced to 21 months in a Texan prison after he issued commands which left 90% of all Citibank branch offices without network or phone access. In court, the employee admitted “They [were] firing me. I just beat them to it… the upper management need to see what they guys on the floor [are] capable of doing when they keep getting mistreated…

Businesses are alive to external cyber attacks but as this example highlights, problems may be lurking closer to home. ‘Insider threats’ may be one of the biggest and least reported risks facing businesses today. A malicious employee can wreak havoc on an operating system at the touch of a button. Insiders can expose confidential information, violate data protection rules, compromise trade secrets and severely damage reputations, not to mention the impact on the bottom line.

Whilst most businesses would prefer to keep such things under wraps to avoid the bad press the problem is very real. In January this year, GlaxoSmithKline was reported to have been ‘attacked’ when two of their own scientists allegedly hacked into the system and stole confidential cancer research to sell on. According to the 2015 ‘Vormetric Insider Threat Report’[1] 89% of global respondents felt their business was now more at risk from an insider attack with 34% saying they felt “very or extremely vulnerable”. Businesses must be on the front foot to combat both opportunistic and premeditated attacks.

The Aftermath

If a similar situation to Citibank occurred in the UK, the individual would be prosecuted under the Computer Misuse Act 1990. Where individuals are found guilty of “unauthorised access to computer material” (as in the Citibank example) or worse, accesses a computer illicitly with the intent to steal and sell on hacked data (as in the GlaxoSmithKline example), the individual risks a prison sentence of between 2 and 10 years depending on the severity of the charge. In addition, if an individual is found guilty of personal data theft under the Data Protection Act 1998, he will be liable to a fine of up to £500,000.

The consequences for the business are wide ranging as is the action that can be taken. The regulatory ramifications of data theft were highlighted in the recent case of Axon where the court stated that an employer may be vicariously liable for a data breach caused by a rogue employee. Moreover, if a company suffers an attack of this nature, they may be liable to their customers or suppliers for (1) breach of an express or implied term that personal data would be stored securely and/or (2) negligence, in failing to take reasonable security precautions storing customer information.

Data protection regulation is being taken increasingly seriously under the new General Data Protection Regulation (GDPR) which is set to come into force in May 2018. Fines will be increased to up to €20 million or 4% of global turnover, whichever is greater. The amount will depend on the type of company and the scale of the breach. Furthermore, whilst it is currently not obligatory to notify the ICO of a data breach, the GDPR makes it mandatory to notify the ICO within 72 hours.

As the examples of Citibank, GlaxoSmithKline and even the NSA in the case of Edward Snowdon reveal, even the most secure of organisations are vulnerable to such attacks. Businesses have the tools and more of a responsibility to tackle insider threats than outside attacks over which they have no control.

Tackling the Threat

Prevention is always better than cure. Access to highly sensitive information should be limited, documents encrypted and passwords and access rights made use of. Recognising and neutralising ‘at-risk’ insiders before they reach crisis point is key. Precautions may include background checks for new starters, robust IT and Data Protection policies and comprehensive risk management procedures.

A support team comprising senior management, HR, IT and legal advisors who can identify trigger events (redundancies or a change of ownership) and high risk individuals (employees under notice to leave) should be ready to take action without creating a culture of distrust. If an individual is under notice period of termination, IT should monitor the employee’s access to the server to ensure confidential information is not sent to a personal account always assuming there is the appropriate monitoring power in the IT Policy. Robust confidentiality clauses should be included in all employment contracts to clearly identify and protect confidential information. Remedies for breach of confidentially include an application to the high court for injunctive relief or a civil claim for breach of contract. Finally, training your workforce on their security responsibilities will get them ‘on side’ and hopefully empower them to form the business’s strongest line of defence against both outside and inside jobs.

Audrey Williams is a Partner in the HR law team at Fox Williams LLP and can be contacted at Amwilliams@foxwilliams.com

Advertisements

ICO publishes blog on the EU-US Privacy Shield

Laura Monro
Laura Monro

Following the approval of the EU-US Privacy Shield on 1 August 2016, the ICO has published a blog summarising the “what, why, and how” of transferring data from the UK to the USA.

Whilst it remains the case that:

  1. the eighth data protection principle requires organisations that wish to transfer personal data outside of the EEA to ensure an adequate level of protection for data subjects; and
  2.  the European Commission has not deemed the USA as providing such adequate level of protection,

transfers to the USA are “adequate” if the organisation receiving the personal data is certified under the EU-US Privacy Shield.

The ICO makes it clear that any organisation still relying on the predecessor to the EU-US Privacy Shield, the Safe Harbor scheme, to transfer personal data from the UK to the USA needs to review their position. Seeking to continue to rely on the Safe Harbor scheme on its own will mean that an organisation is acting in breach of the Data Protection Act.

As a first step, the ICO recommends that any organisation looking to transfer data to the USA should ensure that the receiving organisation is certified under the EU-US Privacy Shield – if the receiving organisation is not certified you will need to rely on other ways to legally transfer the personal data to the USA.

At the present time, these include the model contractual clauses and binding corporate rules. However, the ICO is aware that such methods, whilst currently valid, are not free from uncertainty. This is not least because the model contractual clauses have been referred to the EU court by the Irish data protection regulator as to whether these clauses provide the adequate level of protection for international data transfers.

The ICO intends to issue guidance for organisations on international data transfers early in the Autumn – watch this space.

Laura Monro is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at lmonro@foxwilliams.com

Privacy in the Workplace?

Audrey Williams
Audrey Williams

Personal relationships at work are often a source of concern and some confusion for employers. Should it be accepted as part of the reality of modern workplaces? Or should employers recognise that such relationships have an impact on the working environment and thus adopt the position that it is legitimate to intervene when it comes to light? This is not so much on the basis of moral indignation but to protect work colleagues, where resentment or worse feelings may arise and the potential risk of a relationship breaking down.

When a relationship is suspected how far can an employer investigate, accessing personal emails for example? Or is there an obligation to respect employees’ privacy?

When things go sour

A recent Appeal Tribunal case shows just how difficult such situations can become and illustrates the balance expected between the right to privacy and legitimate intervention. In Garamukanwa v Solent NHS Trust problems arose after G’s relationship with a staff nurse ended and he began to suspect her of starting a relationship with another member of staff. He sent both of them emails, threatening to inform their manager if they did not and a letter was also sent anonymously to the manager alleging an inappropriate sexual relationship, which was denied.

An unpleasant campaign then began using fake accounts, Facebook and more anonymous emails. The staff nurse complained to the police who investigated the matter but brought no charges.

This then left matters to the Trust to deal with and conduct their own investigation. The police provided the investigating officer in the Trust with photos from G’s mobile, others found at his home, and information including a notebook. G was dismissed for gross misconduct for sending malicious emails, relying on the evidence supplied by the police.

Unfair and invasion of privacy?

In the subsequent claim for unfair dismissal G accused the Trust of breaching his Article 8 right to privacy by relying on issues to do with his private life. The Tribunal was very clear that the circumstances here were impacting on the employment relationship and work matters; that being the case, the Trust was entitled to rely upon the evidence, investigate and address concerns especially given the fact:

• emails were being circulated using work addresses;
• the issues and allegations raised concerned the work environment and relationships; and
• was impacting on other employees.

The EAT agreed rejecting G’s argument that there was a distinction between the police using private emails and the Trust – or that the Trust should have distinguished between the public emails sent to Trust employees and his private information ( the notebook and photographic evidence).

Limits to privacy in work

The EAT reiterated that whilst the material might have been private, it was G who by his actions had brought personal matters and the personal relationship into the workplace. Even though some of the earlier emails to the staff nurse had been sent to her personal email address, because she had raised a complaint about them and G, he could not expect the employer not to address the concerns raised.

The passing of evidence seized from G to the employer is surprising here and an employer would be well advised to treat such information with caution. However, what is clear from this case is that where personal issues and private relationships begin to impact the work environment, privacy rights are likely to come second especially where other individuals are facing consequences.

The writer has experience of many cases where evidence from personal devices and work equipment has been accessed and produced as part of an investigation, and in a range of content (videos, security footage, text messages). This case emphasises the need to weigh carefully the relevance and ability to make use of such evidence, and the personal rights of individuals in the workplace.

Audrey Williams is a Partner in the HR law team at Fox Williams LLP

Amwilliams@foxwilliams.com