Recent headlines featuring unauthorized data leaks of state secrets by wannabe whistleblowers—U.S. citizens Edward Snowden and Bradley Manning—have demonstrated how significant the ramifications can be when employees who have access to classified information leak it publicly. In this day and age, any employer can face a similar situation—and potential liability—should an employee disclose confidential information stored by the employer. Although they may not reach the level of state secrets, such confidential information may include clients’ medical records or personally identifiable financial data.
Clearly, employers risk their business reputation, resources, equipment, or even their livelihood in the wake of a data leak. The recent leaks underscore the importance of making sure that employers focus their efforts on those employees who handle classified data, and have an effective plan in place to protect that valuable data—and their company.
What steps might an employer take to mitigate the risks posed by a rogue employee who leaks sensitive data?
First, employers should very carefully scrutinize employees who have or will have access to confidential information. Determine, independently, whether any employee handling sensitive data has a history of similar violations or conduct—the mandatory employee background check is likely not enough, as evidenced in both the Snowden and Manning cases.
The next thing the employer should do is proactively monitor the ongoing behavior of all employees who have access to sensitive data. Employers should have monitoring systems in place to ensure that people are not doing things they should not be doing with the stored data. In this regard, employers must also make employees aware that they are being monitored and why. Openly tell employees about the need for monitoring, the liability involved should data be leaked, and the potential consequences for both the employee and the employer.
If monitoring is to be used to enforce rules and standards, it is advisable that employers consider clearly laying out these conditions in writing and have internal policies and procedures in place, as well as any other employment agreements in writing and signed by the employee.
How should an employer tackle a data leak?
When a data leak occurs, the employer will want to undertake an immediate internal investigation. This will include a review of both the information that was leaked, to determine whether the data specifically contained any confidential information that could cause injury to individuals, companies, or governments, and the employee’s activities over a certain period of time when the leak may have occurred.
First, the employer should determine whether copies of the stolen documents exist and whether they had been marked as confidential. The employer should involve its information technology department to evaluate the data breach, as well as to preserve the electronic evidence of the incident.
Next, the employer can interview the suspected employee and investigate his or her activities, as well as interview other employees who may have seen or heard something. Depending upon the nature of the data, the employer may have an obligation to report a data breach to authorities or individuals affected by the breach.
Depending upon the seriousness of the situation, the employer has several options for dealing with the leaker(s). At a minimum, the employer may consider suspension or termination of the employee. In more serious cases, the employer may also consider taking legal action against the employee—keeping in mind that in advance of any legal action a qualified attorney can help the employer evaluate whether any potential claims by the employee against the employer exist and determine any whistleblower protections that the employee may have.
If an employee is caught in a data breach and refuses to return the documents or copies that have been made, the employer should seek immediate injunctive relief in court.
In conclusion, it is important to understand that the content of this post is not intended as legal advice, nor should it be used as such. It is offered only for educational purposes. Your circumstances will vary, and we recommend that, should you suspect an employee may be violating your data privacy policies or may have already leaked sensitive or confidential data, you consider engaging an investigative team and legal counsel immediately.