HR and IT professionals must be even more vigilant in protecting data that comes into the possession of the business and take even more precautions to prevent accidental and deliberate breaches. The ongoing court case concerning Morrison's potential vicarious liability should make all businesses starkly aware of the position they could be placed in if they do not exercise robust procedures to avoid cyber breaches and malicious behaviour by disgruntled employees. The case arose when a disaffected former employee copied the personal data of thousands of fellow employees and at a later date, after he had left the company, uploaded all the private information of his former colleagues on to a file-sharing website where it was visible to all. Morrison's has been granted permission for a final appeal to the Supreme Court, as so far the courts have held Morrison's vicariously liable for the breach.
The HR professionals in any business must maintain the strictest controls on access to sensitive data, regardless of whether it is client data or staff data, and commission the drafting of employment contracts that set out in explicit terms how such information should be handled, including what should happen when a member of staff leaves the company. The consequences of a data breach deliberately or carelessly caused by an employee should be clearly itemised. In some instances there is a case for sending certain employees on immediate garden leave when they resign. Giambrone's employment law team are experts in drafting watertight employment law contracts and have expertise in various jurisdictions, enabling them to address cross-border contracts.
The IT professionals must act straight away to change both passwords and access rights to sensitive data as soon as a member of staff leaves. However, the damage can already have been done, so procedures and processes must be set out for how data may be accessed, with the steps to access involving more than one person and clearly specified, justifiable reasons for accessing the information, which have to be noted down, timed and dated. Limiting the number of employees who have access to risky data to those who need it, on a need-to-know basis, ensures that every effort has been made to prevent any breaches. Staff, even senior staff, must not be permitted to use their own devices, for two reasons: their personal devices may not be as secure as they should be, and there is more opportunity to copy data easily and take it home. Asking to inspect an employee's personal laptop just in case they have uploaded something sensitive brings up all kinds of issues.
The latest research on global data breaches carried out by Verizon has shown that C-suite executives are more likely to be the targets for cyber attacks. The motivation for mounting the attacks has consistently, year on year, proved to be financial: 76 per cent of the breaches that were carried out had a financial motive. Hacking, malware, misuse and error are the main causes. However, there are people who indulge in hacking for "fun". It seems that people are not taking in the lessons learned, as cyber criminals are successfully using the same techniques and are obtaining personal information to use in identity fraud. Most attacks are random, in that the hacker is opportunistic and will get in wherever they can, but in manufacturing the breaches are far more targeted. These attacks tend to be focussed on intellectual property theft and are researched and planned to steal new innovations to gain the competitive edge. Often the breaches are not immediately discovered, and two thirds of the attacks are not noticed for months after the event.
It is a sobering thought that 87 per cent of the 53,308 security incidents and the 2,216 data breaches recorded globally in 2018 took a matter of minutes to carry out.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.