Protecting Against Misuse of Information
Businesses and employers face exposure to a variety of claims for mismanagement or misuse of personal information by employees. Damages may depend on how sensitive the information is and how it is misused. It was recently reported that an Alberta employer faced a serious security breach and fraud by a former IT employee which purportedly occurred between 2008 and 2012. The ex-employee, who worked in IT for the organization, allegedly engaged in a series of fraudulent electronic transactions which included placing and using personal data which was collected and stored by the organization, on his personal computer drives.
While the employer was successful in obtaining an order allowing it to search and take possession of the ex-employee’s electronic data, this did nothing to address the problem that was created by the ex-employee mining and storing personal information of others in the possession of the organization. How can an employer protect itself from the risk of employees misusing information in the possession of the employer? This challenging case highlights steps employers may take to manage this risk and limit the company’s exposure to employer-electronic data misappropriation. IT departments are particularly difficult to monitor as IT employees are often charged with monitoring and managing the information system.
Employers should adopt systems which cover all employees and should ensure that they have well drafted and current IT (internet, email, mobile, social media etc.) monitoring policies that are communicated and accepted by employees that:
- Confirm ownership of IT systems
- Delineate purposes for which IT systems may be used
- Clearly explain the rules and limits on employees’ use of personal electronic devices
- Identify the limits on downloading and disseminating employer data
- Confirm the extent and purpose of the monitoring
- Confirm the potential range of disciplinary responses for a breach
In terms of the monitoring IT-related conduct, employers should consider the following:
- Powers of access to IT systems should be shared and not vested in a single individual
- IT systems can be developed to ensure that downloads and uploads of information from employer systems trigger notifications to senior administrative personnel (particularly where the information comes from an employee file)
- IT professionals may be made subject to audits or independent reviews on an irregular basis
- IT functions should be separated from authority to approve of financial expenditures
Another organizational concept that works hand-in-glove with monitoring is the separation of employee responsibilities, which enables better monitoring of employee activity and may help employers identify misappropriation, if it occurring. The chance of an employee misusing information diminishes when that employee knows another set of eyes is monitoring the system. Having employees execute confidentiality agreements provides legal protection and guidance to employees with regards to the care required in handling of employee and other sensitive information.
At times the trust employers have in their employees can lull the employer in to a sense of security and the employer may become lax at monitoring trusted employees. Even if trust is required of any employee (particularly those with access to sensitive information), trust does not prevent employee misuse of electronic data. Systems are required to properly monitor and protect personal information. These systems also assist in managing the exposure to risk of claims.