An Inside Job?

Audrey Williams

Last month a disgruntled Citibank employee was sentenced to 21 months in a Texan prison after he issued commands which left 90% of all Citibank branch offices without network or phone access. In court, the employee admitted: “They [were] firing me. I just beat them to it… the upper management need to see what the guys on the floor [are] capable of doing when they keep getting mistreated…”

Businesses are alive to external cyber attacks but as this example highlights, problems may be lurking closer to home. ‘Insider threats’ may be one of the biggest and least reported risks facing businesses today. A malicious employee can wreak havoc on an operating system at the touch of a button. Insiders can expose confidential information, violate data protection rules, compromise trade secrets and severely damage reputations, not to mention the impact on the bottom line.

Whilst most businesses would prefer to keep such things under wraps to avoid the bad press, the problem is very real. In January this year, GlaxoSmithKline was reported to have been ‘attacked’ when two of their own scientists allegedly hacked into the system and stole confidential cancer research to sell on. According to the 2015 ‘Vormetric Insider Threat Report’[1], 89% of global respondents felt their business was now more at risk from an insider attack, with 34% saying they felt “very or extremely vulnerable”. Businesses must be on the front foot to combat both opportunistic and premeditated attacks.

The Aftermath

If a similar situation to Citibank occurred in the UK, the individual would be prosecuted under the Computer Misuse Act 1990. Where an individual is found guilty of “unauthorised access to computer material” (as in the Citibank example) or, worse, of accessing a computer illicitly with the intent to steal and sell on hacked data (as in the GlaxoSmithKline example), the individual risks a prison sentence of between 2 and 10 years depending on the severity of the charge. In addition, if an individual is found guilty of personal data theft under the Data Protection Act 1998, he will be liable to a fine of up to £500,000.

The consequences for the business are wide ranging, as is the action that can be taken. The regulatory ramifications of data theft were highlighted in the recent case of Axon, where the court stated that an employer may be vicariously liable for a data breach caused by a rogue employee. Moreover, if a company suffers an attack of this nature, it may be liable to its customers or suppliers for (1) breach of an express or implied term that personal data would be stored securely and/or (2) negligence, in failing to take reasonable security precautions when storing customer information.

Data protection regulation is being taken increasingly seriously under the new General Data Protection Regulation (GDPR) which is set to come into force in May 2018. Fines will be increased to up to €20 million or 4% of global turnover, whichever is greater. The amount will depend on the type of company and the scale of the breach. Furthermore, whilst it is currently not obligatory to notify the ICO of a data breach, the GDPR makes it mandatory to notify the ICO within 72 hours.

As the examples of Citibank, GlaxoSmithKline and even the NSA in the case of Edward Snowden reveal, even the most secure of organisations are vulnerable to such attacks. Businesses have the tools, and more of a responsibility, to tackle insider threats than outside attacks over which they have no control.

Tackling the Threat

Prevention is always better than cure. Access to highly sensitive information should be limited, documents encrypted, and passwords and access rights properly enforced. Recognising and neutralising ‘at-risk’ insiders before they reach crisis point is key. Precautions may include background checks for new starters, robust IT and Data Protection policies and comprehensive risk management procedures.

A support team comprising senior management, HR, IT and legal advisors who can identify trigger events (redundancies or a change of ownership) and high risk individuals (employees under notice to leave) should be ready to take action without creating a culture of distrust. If an individual is under notice of termination, IT should monitor the employee’s access to the server to ensure confidential information is not sent to a personal account, always assuming there is the appropriate monitoring power in the IT Policy. Robust confidentiality clauses should be included in all employment contracts to clearly identify and protect confidential information. Remedies for breach of confidentiality include an application to the High Court for injunctive relief or a civil claim for breach of contract. Finally, training your workforce on their security responsibilities will get them ‘on side’ and hopefully empower them to form the business’s strongest line of defence against both outside and inside jobs.

Audrey Williams is a Partner in the HR law team at Fox Williams LLP and can be contacted at Amwilliams@foxwilliams.com

Privacy in the Workplace?

Audrey Williams

Personal relationships at work are often a source of concern, and some confusion, for employers. Should they be accepted as part of the reality of modern workplaces? Or should employers recognise that such relationships have an impact on the working environment and thus adopt the position that it is legitimate to intervene when one comes to light? This is not so much on the basis of moral indignation but to protect work colleagues, where resentment or worse feelings may arise, and to address the potential risk of a relationship breaking down.

When a relationship is suspected, how far can an employer investigate, for example by accessing personal emails? Or is there an obligation to respect employees’ privacy?

When things go sour

A recent Appeal Tribunal case shows just how difficult such situations can become and illustrates the balance expected between the right to privacy and legitimate intervention. In Garamukanwa v Solent NHS Trust, problems arose after G’s relationship with a staff nurse ended and he began to suspect her of starting a relationship with another member of staff. He sent both of them emails, threatening to inform their manager if they did not, and a letter was also sent anonymously to the manager alleging an inappropriate sexual relationship, which was denied.

An unpleasant campaign then began using fake accounts, Facebook and more anonymous emails. The staff nurse complained to the police who investigated the matter but brought no charges.

This then left matters to the Trust to deal with and to conduct its own investigation. The police provided the investigating officer in the Trust with photos from G’s mobile, others found at his home, and information including a notebook. G was dismissed for gross misconduct for sending malicious emails, the Trust relying on the evidence supplied by the police.

Unfair and invasion of privacy?

In the subsequent claim for unfair dismissal, G accused the Trust of breaching his Article 8 right to privacy by relying on issues to do with his private life. The Tribunal was very clear that the circumstances here were impacting on the employment relationship and work matters; that being the case, the Trust was entitled to rely upon the evidence, investigate and address concerns, especially given that:

• emails were being circulated using work addresses;
• the issues and allegations raised concerned the work environment and relationships; and
• the matter was impacting on other employees.

The EAT agreed, rejecting G’s argument that there was a distinction between the police using private emails and the Trust doing so, or that the Trust should have distinguished between the public emails sent to Trust employees and his private information (the notebook and photographic evidence).

Limits to privacy in work

The EAT reiterated that, whilst the material might have been private, it was G who by his actions had brought personal matters and the personal relationship into the workplace. Even though some of the earlier emails to the staff nurse had been sent to her personal email address, because she had raised a complaint about them and about G, he could not expect the employer not to address the concerns raised.

The passing of evidence seized from G to the employer is surprising here, and an employer would be well advised to treat such information with caution. However, what is clear from this case is that where personal issues and private relationships begin to impact the work environment, privacy rights are likely to come second, especially where other individuals are facing consequences.

The writer has experience of many cases where evidence from personal devices and work equipment has been accessed and produced as part of an investigation, across a range of content (videos, security footage, text messages). This case emphasises the need to weigh carefully the relevance of such evidence and the ability to make use of it against the personal rights of individuals in the workplace.

Audrey Williams is a Partner in the HR law team at Fox Williams LLP

Amwilliams@foxwilliams.com

Monitoring Employees – A New Outlook

Audrey Williams

There has been a lot of commentary on the recent European Court of Human Rights (ECHR) case of Barbulescu. The issue in the case was whether the employer’s investigation of Mr Barbulescu’s Yahoo Messenger account (which he had opened in order to respond to client enquiries) was in breach of his right to privacy (Article 8 of the European Convention on Human Rights). See the previous article on idatalaw (https://idatalaw.com/2016/01/14/european-court-of-human-rights-echr-finds-that-monitoring-an-employees-internet-use-was-justified/).

Key to the Court’s decision was the company’s internal regulations in that case, which stated: “It is strictly forbidden … to use computers, photocopiers, telephones, telex and fax machines for personal purposes”. Whether this was clearly communicated to Mr Barbulescu appears to have been disputed.

It would be wrong to read this case as giving employers carte blanche to monitor employees’ usage of equipment and technology. Of much more interest are the observations made by the Court, particularly by Judge Pinto de Albuquerque, who disagreed on some aspects with the majority of his fellow judges.

Judge Pinto made this interesting comment about the increasingly blurred division between work and home life: “Strict limits apply to an employer’s surveillance of Internet usage by employees during their worktime and, even more strictly, outside their working hours, be that communication conducted through their own computer facilities or those provided by the employer.” When organisations are encouraging employees to bring their own devices and expect greater accessibility, this becomes even more important. One of the key issues is the need to protect freedom of expression and not just privacy. An employer drafting (or updating) their Email/Electronic Communication, Internet and Social Media Policy, or undertaking related investigations, must bear this in mind. The acid question is: why is interfering with these rights necessary for the business?

The blanket ban relied upon in the Barbulescu case is increasingly impractical, even more so where that policy operates across borders and where, in many European jurisdictions, there are stronger privacy rights than in the UK. A more expansive and comprehensive policy is recommended, dealing not just with usage but also with rules around monitoring and investigations. These need to address emails, instant messaging, social networking, blogging and web surfing, or in the Court’s words “cyberslacking”. The policy should answer:

  • When and why would checks, i.e. monitoring and investigations, be required in your business?
  • Who is authorised to conduct these?
  • The way in which any investigations are conducted must also be managed carefully. It is essential to balance each individual’s right to privacy against the concerns which the business is looking to address:
    • If the concern is the amount of time spent cyberslacking, not much more is needed than to assess the time spent, without needing to access the content of messages;
    • By contrast, if the concern is abusive or offensive emails which are being sent to colleagues, there is no need to access what are clearly personal emails.

In Barbulescu there was some criticism about the investigation into emails sent to the employee’s fiancée and brother, but the employer was given credit for basing the decision on the evidence of use of the system for personal purposes during working hours, rather than on the content of the communications, and for having analysed usage over a short period, limiting the intrusion.

In the UK the Information Commissioner has issued detailed guidance on such matters (see https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf) and recommends that before conducting any monitoring or investigation, an impact assessment is conducted. The Code also sets out some core principles:

  • Workers have legitimate expectations that they can keep their personal lives private and are entitled to a degree of privacy in the work environment.
  • It will usually be intrusive to monitor your workers.
  • Employers who wish to monitor should be clear about the purpose and satisfied that the particular monitoring arrangement is justified by real benefits that will be delivered.
  • Workers should be made aware of the nature, extent and reasons for any monitoring.
  • Covert monitoring is justified only in exceptional cases.
  • Workers’ awareness and giving warnings about monitoring will influence their expectations.

Those undertaking the monitoring/investigation must be aware of the employer’s responsibilities under the Data Protection Act 1998 and the rights to privacy attached to these provisions, particularly around personal and sensitive personal data.

Audrey Williams is a partner in the HR team at City law firm Fox Williams LLP and can be contacted at Amwilliams@foxwilliams.com

Social Media – lessons in the workplace

Audrey Williams

With the increasing use of social media (according to Twitter, the number of tweets has grown to 500 million per day and around 200 billion a year), there is a greater risk of blurring the distinction between work and home, with repercussions for employers and individuals.

It is perhaps surprising that there have been relatively few reported cases and that the courts in the employment arena are not keen to set hard and fast ground rules. So what can we learn from the cases in the last 12 months?

The majority of the cases have been claims of unfair dismissal as a result of employees sharing information and expressing views via social media, with the key question being whether dismissal can be justified (or, to use the legal test, is within the range of reasonable responses). The extent to which postings, tweets or blogs are private, who has access, and the impact on an organisation’s reputation are all relevant considerations in determining the appropriate response. Most important is demonstrating that the employer has made clear, via rules or a social media policy, what is unacceptable and when dismissal may result.

There seems to be increased recognition by the courts that derogatory comments do impact on an employer’s reputation and that employees should take greater care when using social media to the extent of even curbing some freedoms:

  • In an early case from 2011, Ms Witham was found to have been unfairly dismissed for making negative comments about her colleagues; the Tribunal concluded they were relatively minor and there was no evidence that they had harmed the client relationship. In this case the key relationship was with Skoda/VW and the individual was a Team Leader working with this client. She complained on her Facebook: “I think I work in a nursery and I do not mean working with plants” (Witham v Club 24 Limited t/a Ventura).
  • Another early case rejected the argument that an employer was able to fairly dismiss an employee who had posted his views on gay marriage on Facebook; this was despite the fact that many colleagues were Facebook friends and it was also clear from his profile that he was a manager at the Trust. The High Court in that case concluded that his Facebook was personal (Smith v Trafford Housing Trust).

So we move on to the cases in the last 12 months, which seem to have moved the position forward and recognised that even private postings can overlap into the workplace, leading to an impact on colleagues and the employer’s reputation. This also suggests that the courts are now recognising the impact such media can have in the workplace.

Game Retail Ltd v Laws illustrates this best. As a risk and loss prevention investigator, Mr Laws was responsible for 100 Game stores and had his own Twitter account, which was followed by 65 stores including both staff and managers. He posted 28 tweets containing expletives or bad language, such as “This week I have mainly been driving to towns the arse end of nowhere …”, going on to complain about other road users. The Appeal Tribunal accepted these tweets could be read by staff and customers, even though it would be those who chose to follow him. In addition, there was no need to show that employees or customers had actually been offended: Game Retail had formed an honest and reasonable belief that they might have caused offence.

During the summer there was another Facebook case before the Tribunal which contrasted markedly with Smith v Trafford. In the case of British Waterways Board v Smith, the employee posted comments on Facebook about drinking alcohol whilst on standby duties and complaining about his supervisors in colourful terms: “the f****** don’t even pay us for this s***” and “why are gaffers such p********…”. His dismissal was found to be fair by the Appeal Tribunal, which disagreed with the original employment tribunal. It was useful that the Board’s social media policy stated that “any action on the internet which might embarrass or discredit BW (including defamation of third parties for example by posting on bulletin boards or chat rooms)” was prohibited.

So the legal position, from an employment law perspective, is evolving and this evolution looks set to continue. A good resolution for the New Year might well be to revisit employer social media and disciplinary policies in light of these lessons.

Audrey Williams

Fox Williams LLP

AMWilliams@foxwilliams.com