Below we set out what we think are some of the big issues for companies and how these might be overcome.
It is not uncommon for employees to use their personal mobiles to check work emails or to continue working out of the office, whether on work-related trips and meetings or at home. This brings with it the potential for employees to breach data protection legislation, and employers should be aware of it and implement appropriate mechanisms and procedures to safeguard the personal data of both employees and customers. Personal devices should only be used for work if the employer can ensure the security of the data stored on them.
Lost phones can be a problem. If a member of staff leaves a phone (work or personal) on a train, for example, and it holds customer or employee personal data, this is likely to be a data breach; whether it is a serious one will depend on whether the device was protected by a strong passcode and encryption, which determines whether the finder can actually read the data.
However, of more concern is the growing ability of hackers to get hold of a company's data. Their methods include social engineering, such as phishing and other email-based attacks, and the continually evolving use of malware delivered through compromised websites, apps, devices or networks. Because of the sophistication now involved, it has become harder for employees to tell whether an email has come from a hacker.
The Verizon 2020 report found that only 13% of businesses had all four of the following basic protections in place: regular security testing; data encryption; need-to-know access; and no default passwords.
It is more common today for groups of employees to use instant messaging apps such as WhatsApp and Facebook Messenger to keep up to date with work-related information and projects. This has become more prevalent with the advent of Covid-19 and whole teams and offices being required to work from home. However, although many of these apps encrypt messages (WhatsApp end to end, so that Facebook itself cannot read the content; Facebook Messenger only in transit unless its optional secret conversation mode is used), the messages and any documents shared still sit outside the business's control: on every participant's personal device, in whatever cloud backups those devices make, and, depending on the app, on Facebook's own servers. If any of those copies is breached, the business whose personal data has been leaked remains liable to the data subjects and the regulator, because it is the data controller.
Businesses may be inclined to set up group chats for various departments, but they must be cognisant of the need to ensure that they have their employees’ permission to do so, as they are essentially sharing the personal details of their staff. Businesses should reserve the right to view business-related group chats on personal devices if required for business purposes – for example, if they need to investigate a complaint of misconduct.
It is also important to consider what happens when employees leave the business. Will employees still be able to access the group and any content shared within it? Even if the leaver is deleted from the group chat, their data may not be fully deleted as the other group members will still have a copy of all the messages sent by the data subject to them and vice versa. Exit procedures should require departing employees to confirm in writing that they have deleted all work related data from their personal device, including colleagues’ contacts and group chats. Employers should, however, ensure that they can access and store information exchanged via group chats, in case it is needed in future litigation.
Employees must be careful when holding sensitive or confidential conversations within the home environment; in particular, they should consider whether there are any internet-connected, microphone-enabled devices in the vicinity (such as an Alexa speaker). These devices should be treated as untrusted listening devices, and steps taken to limit any possible exposure, such as muting or moving them before the conversation starts.
Carelessness can cause a great deal of damage. Many individuals find technology baffling, leading them either to ignore or defer security warnings or to run personal devices without the correct security settings. In addition, they may unintentionally make ill-considered decisions when choosing apps, not knowing whether those apps can see and transfer their information. It is therefore important for employers to ensure, as above, that their staff have the correct level of security and awareness when processing personal data, and in these lockdown times that will require additional attention in terms of keeping in contact with staff and providing sufficient 'virtual' support.
Companies can take all the necessary precautions to ensure that data is secure within their business, but malicious actions by employees / insider data breaches are, unfortunately, a threat that has become more prevalent over recent years.
Everyone in the data world will be aware of the recent Supreme Court decision in the Morrisons 'vicarious liability' case. In October 2018, the landmark decision of the Court of Appeal found that Morrisons was liable for the actions of a rogue employee who had leaked the payroll data of other employees online - criminally and without the knowledge of Morrisons - as an act of spite against the supermarket after he was disciplined and suspended. Thankfully for companies, this far-reaching decision was overturned by the Supreme Court in April 2020. Nonetheless, although this is a positive outcome for employers, it does not create a blanket exclusion of vicarious liability in all data cases, and employers will still need to be vigilant about the extent of data access they give to employees and the protections in place to ensure that data is not misused.
However, innocent employees can cause just as much damage as those with malicious intentions. Human error accounts for a significant share of data leaks: employees losing their mobile phones, pasting confidential information in the wrong place, inadvertently copying third parties into emails or texts or simply forwarding messages to the wrong recipient, transferring company files onto a public cloud storage service, or inadvertently downloading or retaining personal data on personal devices. It is all too easy to take photos on mobiles and share them via a variety of social media platforms - but what if a photo was taken at work and captured personal data in the background? The list of ways personal data can leak accidentally is endless.
07 July 2020