Data breaches are all over the news, but those stories most often cover high-profile cybersecurity breaches that result from the malicious efforts of hackers or other outsiders. Just as insidious, and more likely to occur, are insider breaches in the form of the theft or disclosure of confidential company information by a current or recently departed employee.
Employee theft of company data may be motivated by a desire to monetize that data, to embarrass or retaliate against an employer, or by simple ignorance. For example, a Tufts Health Plan employee recently pled guilty to data theft after stealing customer information for more than 8,000 Tufts customers in a scheme to collect fraudulent Social Security benefits and tax refunds. In another recent case, a disgruntled employee of Morrison’s, a large UK supermarket chain, stole payroll information for thousands of the company’s employees and posted it online as a “concerned Morrisons shopper,” in addition to mailing copies to local newspapers. Finally, in one of the largest of the recent employee data theft cases, a Morgan Stanley financial advisor apparently obtained data from 350,000 Morgan Stanley clients by running internal reports on data he was not authorized to access. Some portion of that data was later uploaded online, possibly by a third party, and offered for sale.
A surprisingly large number of employee thefts, however, result from simple ignorance. In a recent Ponemon Institute survey, over half of the more than 3,000 respondents stated a belief that using competitive information taken from a previous employer was not a criminal act, reasoning that ownership of such information resides in its creator rather than the former employer. The respondents further justified transferring corporate data to their personal computers, tablets, smartphones, or to “the cloud” because of a belief that it didn’t harm the company, because the company didn’t enforce its policies, because the information was unsecured or generally available, or because that employee wouldn’t receive any economic benefit from doing so. Worse, in this same survey, more thanhalf of the employees surveyed admitted to taking information from a former employer and 40 percent of those employees admitted they intended to use it in a new job.
These disturbing statistics raise the question: What can employers do to prevent these losses? While there is no absolute preventative measure, steps can be implemented to greatly reduce the risk of such thefts and to detect any ongoing employee theft.
1. Implement Protective Policies and Agreements
Limit access to sensitive information to only those employees whose jobs require such access. This may include customer, employee, or vendor data, in addition to any other generally proprietary corporate data, such as financial models, formulas, etc. Access to the company network should be discontinued immediately upon termination of the employee or receipt of notice of intent to leave. The employer should also require that company laptops and other devices be immediately returned at that time. An additional benefit of limiting access to corporate information is that it makes the data far more likely to be considered a protectable trade secret under the Uniform Trade Secrets Act, which defines a “trade secret” as information that has been the “subject of efforts that are reasonable under the circumstances to maintain its secrecy.”
Put the company’s data security policies in writing. For example, the company’s employee handbook/manual/agreements should require employees to access and store company data only on company-owned devices and should further include a statement that the employee’s authorization to access the company’s network ends automatically when employment ends or when that employee has given notice of an intention to leave.
Implement appropriate restrictive covenants. These may go beyond the usual non-competition, non-solicitation, or non-disclosure clauses to include garden leave provisions, notice provisions, or forfeiture clauses. It is important to note before utilizing these provisions, however, that the enforceability of each varies significantly by state. Legal counsel should be sought before they are put in place.
Implement detection measures. To the extent possible, utilize your IT department to implement detection measures such as data loss prevention software (which limits the end user’s ability to transfer certain data and/or notifies the employer when an attempt to do so has occurred) or to monitor departing employees’ online activity in the last 30 days of employment. Studies have shown that 70 percent of intellectual property theft occurs within 30 days of an employee’s resignation announcement. Setting aside electronic means of detection, many data breaches are discovered by tips from other employees, which are more likely to be forthcoming if they can be made anonymously. Consider establishing a hotline that employees can use to report misconduct. Also, be aware of other red flags that may arise with respect to departing employees, i.e. statements regarding the employee’s desire or ability to harm the company, employee’s accessing of files not commonly used by that employee, or social media traffic that indicates an employee’s intentions to take corporate data to a competitor or use it as a basis for a new venture.
2. Educate Employees Regarding the Company’s Data Security Policies
The company must be clear with employees regarding the ownership of its intellectual property, appropriate use of company data, and the company’s willingness to enforce its rights if necessary. Employees should be informed of the employer’s data security policies at the time of hire. This should include, but not be limited to, a discussion of these policies in the interview, providing the employee with copies of all such policies, execution of appropriate restrictive covenants, and a request that the employee provide the company with copies of any restrictive covenants they have entered into with previous employers. Employees should then be reminded periodically throughout the term of their employment of the company’s data security policies, which can be as simple as a periodic reminder email from the company’s IT department or management. And, finally, the employee should be reminded again at the time that employment ends. This should be done in the exit interview, by follow-up letter, and by providing an additional copy of any restrictive covenants and data policies.
In the 2012 Global Fraud Study, conducted by the Association of Certified Fraud Examiners, researchers found that management’s failure to set the right ethical tone—i.e., that the company expects ethical behavior and treats its intellectual property and other proprietary data seriously and with appropriate care—was among the primary factors cited as the cause for employees’ theft of data resulting in a loss of $1,000,000 or more. Unsurprisingly, a lack of internal controls was, by far, the largest factor contributing to such thefts without regard to size.
3. Enforcement of Policies and Agreements
Depending on the applicable state law, a variety of civil claims may be available where data is stolen by a former employee. These may include, but are not limited to, breach of contract, misappropriation of trade secrets, violation of the Computer Fraud and Abuse Act, conversion, tortious interference with contract or business opportunities, or, depending on the role of the departing employee, breach of fiduciary duty.
Criminal penalties may also apply but are outside the scope of this article.
While many companies have employed substantial resources to protect against outside threats, such as hackers, worms, or viruses, the risk of an internal threat often goes unaddressed. The great majority of data leaks, however, are caused by company insiders. To best address and prevent data loss, companies must first recognize and address this problem at its source.