Data security is a critical risk area for businesses of all sizes.  Whether it is in relation to personal data or confidential business information, companies need to be alive to how they control access to valuable and/or sensitive information in their possession.

One aspect of a data security strategy that is often considered in less detail is the threat posed by employees – the insider threat.  This includes both accidental loss of data through negligence and deliberate misuse or theft of data by employees.  This article reviews the issues in relation to deliberate misuse or theft, and what businesses should do if they discover such activity.

Who are "insiders"?

Insiders can be current employees, former employees whose access has not been revoked, contractors or service providers, and can come from any level of the company hierarchy.  A customer service representative may have access to your complete customer database, including personal data; or a senior executive may possess confidential pricing information.  Each of these individuals has access to important company information and may have a legal or contractual duty to protect it from wider disclosure outside the business.

The breach

What should you do if you suspect that an employee is stealing confidential information?

  • Prepare an investigation plan

    Preferably this should be done in conjunction with either in-house legal or external lawyers.  If litigation or regulatory action may follow from a breach, involvement of lawyers will increase your chance of being able to claim privilege over documents relating to the investigation if necessary.  The investigation plan should be your roadmap for how you want to proceed with your investigation, although it should be kept under review as you obtain more information.

  • Identify, as best you can at this stage, what information has been accessed, and how

    This preliminary step is likely to shape the future conduct of the investigation. Begin by reviewing emails, phone and internet records, and any other relevant software logs which monitor who has accessed data. This should be done covertly to prevent tipping off the employee. It may be necessary to secure a forensic image of the employee's workstation for interrogation by IT forensic experts.

    Electronic information can be stored on any number of devices, including mobile telephones, USB data sticks and DVDs. As such, it is important to understand what security limitations are already in place, so that you can eliminate avenues of investigation, and what additional information you may be able to obtain. For example, do your security systems monitor each occasion a USB stick is plugged into a computer, and log information as to what was transferred to or from the USB stick?

  • If information has been taken, consider whether you have an obligation to notify a regulator or contracting party

    If your business handles personal data then you should consider whether to make a notification to the Information Commissioner's Office (ICO).  There is currently no legal obligation to notify the ICO (although this is likely to change under the proposed EU General Data Protection Regulation), but a data controller should consider whether it should notify in any event.  A regulated financial business may have to notify the Financial Conduct Authority, particularly if the breach indicates a systems and controls failure.

    It is crucial that a regulator is notified at the appropriate time and in the correct manner. Having undertaken some preliminary investigative steps, you can approach the regulator from a position of knowledge. This will allow you to answer questions and reassure the regulator that you are in control of the situation.

    If the information has come from third parties within the data ownership chain, consider to what extent your contracts have reporting obligations, and whether they have been triggered.  In a breach situation, you will likely be dealing with a number of urgent issues at once, so having a good understanding of your contractual obligations in advance is important.

  • Consider for what purpose the information may have been stolen

    If the theft was for monetary gain, then a key step will be to identify any third-party recipients of the information. This is important to ascertain whether it may be possible to contain the breach by recovering the information. As the recipient of stolen data will become a target of the investigation, it is important not to tip off the employee or third party.

    If the theft is not for monetary gain, then securing the return of the data before it is disseminated is likely to be the primary focus and, as such, a different course of action may be appropriate. Research increasingly indicates that major data breaches are for a secondary purpose, so it is important to think laterally when considering what the data may be used for.

  • Consider when to interview the employees involved

    It is important to ensure that the timing of employee interviews is right.  For example, if you interview involved employees too early, you may not have enough evidence to prove their 'story' wrong, or you may lose the chance to recover data if the employee denies involvement then puts stolen data beyond reach.  Having said that, there is a tension between cutting off access to data (and therefore risking tipping the employees off) and getting enough information to either secure the return of data and/or conduct successful interviews.

  • Decide what steps, if any, can be taken to secure the return of the data

    If there is evidence that the data has not been passed to a third party, then securing its return may only require the threat of proceedings.  Often employees have not thought through the consequences of their actions and will cooperate when confronted.

    On the other hand, if data has been passed to third parties, or you believe that the employees involved will not cooperate when confronted, injunctive relief from the courts may assist you.  If data remains within the jurisdiction and you have sufficient evidence of wrongdoing, you can approach the court without notice to the alleged wrongdoers to obtain a search and seizure order, which will entitle you to access premises to preserve evidence and seek delivery up of data.

  • Finally, once the dust has settled, consider what changes can be made to prevent a future breach

    These could range from providing training to employees, to reviewing access levels and controls, to a thorough review of the IT and security infrastructure.  Where a breach went undetected for some time, you should also consider upgrading logging software to enable you to identify unlawful access more quickly.  It is important to remember though that it is impossible to prevent every possible incident, and regulators do not expect businesses to do so as long as reasonable steps are taken.

Prevention is better than cure

Successfully detecting and stopping a data breach is easier where the requisite policies, procedures and software are already in place. The identification and investigation of the source of the breach can then be quicker and cheaper.  If it is necessary to seek injunctive relief from the courts, it will also be easier to evidence the activities in question and demonstrate breach of the employee's contract of employment and other civil offences.

Software often includes inbuilt logging functionality, but it is only useful if it is properly activated.  If the functionality is active, is anyone actually reviewing the logs to identify suspicious activity? When are the logs reviewed, and are they reviewed by employees with the right skillset to identify potential misuse?  If software has built-in analytics capabilities, are those capabilities properly configured?

Is access to information granted on a business-needs basis? If the person dealing with customer information only needs a specific subset, restrict access to the rest.

Apart from procedures, it is also important to ensure that employment contracts and handbooks are drafted to allow monitoring of company computers and use of email in the office.  This step has the dual effect of reminding employees that their computer use is subject to monitoring and making it easier to investigate suspected misuse.

Often, making a few internal changes can dramatically reduce the opportunity for and, therefore, the risk of a data breach being initiated by an insider.

Human nature is such that, if the potential reward is high enough, a determined individual will always try to exploit a weakness to extract data. While each incident of suspected data theft will require a tailored response, businesses can do a lot to prepare themselves.  If you have a plan of action in place and have implemented appropriate preventative measures, the potential fallout from a data breach can largely be mitigated. Deploying a range of internal measures can also ensure that, when outside legal assistance is required, the evidence is available to allow the full arsenal of tools to be deployed against a perpetrator risking the reputation and security of a business.