Data security is a critical risk area for businesses of all sizes. Yet one aspect of a company’s data security strategy that is often considered in less detail is the threat posed by employees – the insider threat.
This includes both accidental loss of data through negligence and deliberate misuse or theft of data by employees. Insiders can be current or former employees whose access has not been revoked or contractors, and can come from any level of the company hierarchy. But what should you do if you suspect that an employee is stealing confidential information?
This article reviews the issues in relation to deliberate misuse or theft, and what businesses should do if they discover such activity.
- Prepare an investigation plan
The investigation plan should also be your roadmap for how you want to proceed with your investigation. It should be kept under review as you obtain more information. The investigation should be carried out in conjunction with either in-house legal or external lawyers.
If litigation or regulatory action may follow from a breach, involvement of lawyers will increase your ability to claim privilege over documents relating to the investigation if necessary.
- Identify, as best you can at this stage, what information has been accessed, and how
This preliminary step is likely to shape the future conduct of the investigation. Begin by reviewing emails, phone and internet records, and any other relevant software logs which monitor who has accessed data, to the extent that your employment contracts with employees allow you to do this. This should be done covertly to prevent tipping off anyone potentially involved.
As such, it is important to understand what security limitations are already in place to eliminate avenues of investigation, and what information your current systems and software can provide.
- If information has been taken, consider whether you have an obligation to notify a regulator or contracting party
It is crucial that a regulator is notified at the appropriate time and in the correct manner. If your business handles personal data then you should consider whether to make a notification to the Information Commissioner's Office (ICO), although there is currently no legal obligation to notify the ICO.
A regulated financial business may have to notify the Financial Conduct Authority, particularly if the breach indicates a systems and controls failure.
- Consider for what purpose the information may have been stolen
If the theft was for monetary gain, then a key step will be to identify any third party recipients of the information. This is important to ascertain whether it may be possible to contain the breach by recovering the information. As the recipient of stolen data will become a target of the investigation it is important not to tip-off the employee or third party.
If the theft is not for monetary gain, then securing the return of the data before it is disseminated is likely to be the primary focus and, as such, a different course of action may be appropriate. Research increasingly indicates that major data breaches are for a secondary purpose, so it is important to think laterally when considering what the data may be used for.
- Consider when to interview the employees involved
It is important to ensure that the timing of employee interviews is right. If you interview involved employees too early, you may not have enough evidence to prove their 'story' wrong, or you may lose the chance to recover data.
However, there is a tension between cutting off access to data (and therefore risking tipping the employees off) and getting enough information to either secure the return of data and/or conduct successful interviews.
- Decide what steps, if any, can be taken to secure the return of the data
If data has been passed to third parties, or you believe that the employees involved will not cooperate when confronted, injunctive relief from the courts may assist you securing the return and/or destruction of the data.
- Finally, once the dust has settled, consider what changes can be made to prevent a future breach
These could range from providing training to employees, to reviewing access levels and controls, to a thorough review of the IT and security infrastructure, to upgrading logging. It is important to remember that it is impossible to prevent every possible incident, and regulators do not expect businesses to do so as long as reasonable steps are taken.
Prevention is better than cure
Often, making a few internal changes can dramatically reduce the opportunity for and, therefore, the risk of a data breach being initiated by an insider. While each incident of suspected data theft will require a tailored response, businesses can do a lot to prepare themselves.
If you have a plan of action in place and have implemented appropriate preventative measures, the potential fallout from a data breach can be limited as far as possible.
Paul Glass, partner in the Disputes and Investigations Group and Edward Spencer, associate in the Disputes and Investigations Group at Taylor Wessing.