In a Verizon Mobile Security Index 2020 Executive Summary, almost 40% of the organisations surveyed in 2020 said they had experienced a mobile-related compromise and the percentage of companies reporting a compromise has grown by 41% since 2018.
Below we set out what we think are some of the big issues for companies and how these might be overcome.
It is not uncommon for employees to use their personal mobiles to check work email or to continue working out of the office, whether on work-related trips and meetings or at home. This brings with it the potential for employees to breach data protection legislation, and employers should be aware of it and implement appropriate mechanisms and procedures to safeguard the personal data of both employees and customers. Personal devices should only be used for work if the employer can ensure the security of the data stored on them, for example through a mobile device management policy that enforces a passcode, device encryption and remote wipe.
Lost phones can be a problem. If a member of staff leaves a phone (work or personal) on a train, for example, and that phone holds customer or employee personal data, then unless the device is adequately protected (a strong passcode and full-device encryption, with the ability to wipe it remotely) this is likely to amount to a personal data breach. Even where the device is encrypted, the loss should still be recorded and assessed, as the controller must be able to show why the risk to the individuals concerned is unlikely.
However, of more concern is the growing ability of attackers to get hold of a company's data. This includes social engineering, including phishing and other email-based attacks, and the continuously evolving use of malware delivered through compromised websites, apps, devices or networks. Because of the level of sophistication now used, it has become harder for employees to spot whether an email has come from an attacker.
In the Verizon 2020 Report, it was discovered that only 13% of businesses had all four of the following basic protections: regular security testing; data encryption; need-to-know access and no default passwords.
It is more common today for groups of employees to use instant messaging apps such as WhatsApp and Facebook Messenger to keep up to date with work-related information and projects. This has become more prevalent with the advent of Covid-19 and whole teams and offices being required to work from home. However, although many of these apps encrypt messages (end to end, in WhatsApp's case), copies of the messages and any documents shared still persist: on every participant's device, in cloud backups of those devices (which may not be encrypted), and, depending on the service, on the provider's servers. If any of those copies are breached, the business whose personal data has been leaked (the data controller) will remain liable to the data subjects and the regulator under its obligations as a data controller.
Businesses may be inclined to set up group chats for various departments, but they must be cognisant of the need to ensure that they have their employees’ permission to do so, as they are essentially sharing the personal details of their staff. Businesses should reserve the right to view business-related group chats on personal devices if required for business purposes – for example, if they need to investigate a complaint of misconduct.
It is also important to consider what happens when employees leave the business. Will employees still be able to access the group and any content shared within it? Even if the leaver is deleted from the group chat, their data may not be fully deleted as the other group members will still have a copy of all the messages sent by the data subject to them and vice versa. Exit procedures should require departing employees to confirm in writing that they have deleted all work related data from their personal device, including colleagues’ contacts and group chats. Employers should, however, ensure that they can access and store information exchanged via group chats, in case it is needed in future litigation.
Employees must be careful when holding sensitive or confidential conversations in the home environment; in particular, they should consider whether there are any internet-connected, microphone-enabled devices in the vicinity (such as Alexa). Such devices should be treated as untrusted, and steps taken to limit any possible exposure, for example by muting them or moving the conversation elsewhere.
Carelessness can cause a great deal of damage. Many individuals find technology baffling, leading them either to ignore or defer security warnings or to run their personal devices without the correct security settings. In addition, they may unintentionally make ill-considered decisions when choosing apps, not knowing whether such apps are able to see and transfer their information. It is therefore important for employers to ensure, as above, that their staff have the correct level of security and awareness when processing personal data, and in these lockdown times that will require additional attention in terms of keeping in contact with staff and providing sufficient 'virtual' support.
Companies can take all the necessary precautions to ensure that data is secure within their business, but malicious actions by employees / insider data breaches are, unfortunately, a threat that has become more prevalent over recent years.
Everyone in the data world will be aware of the recent Supreme Court decision in the Morrisons 'vicarious liability' case. In October 2018, the landmark decision of the Court of Appeal found that Morrisons was liable for the actions of a rogue employee who had leaked the payroll data of other employees online, criminally and without the knowledge of Morrisons, as an act of spite against the supermarket after he had been disciplined. Thankfully for companies, this far-reaching decision was overturned by the Supreme Court. Nonetheless, although this is a positive outcome for employers, it does not create a blanket exclusion of vicarious liability in all data cases, and employers will still need to be vigilant about the extent of data access they give to employees and the protections in place to ensure that data is not misused.
However, innocent employees can cause just as much damage as those with malicious intentions. Human error accounts for a significant share of data leaks: employees losing their mobile phones, pasting confidential information in the wrong place, inadvertently copying third parties into emails or texts or simply forwarding messages to the wrong recipient, transferring company files onto a public cloud storage service, or inadvertently downloading or retaining personal data on personal devices. It is all too easy to take photos on a mobile and share them via any number of social media platforms, but what if a photo was taken at work and contained personal data in the background? The list of ways personal data can leak accidentally is endless.