The insider threat – rogue employees and data breaches

When thinking about deliberate data breaches, what usually comes to mind is a faceless external hacker whose identity may remain unknown. But the risk is often far closer to home and can come from employees and former employees.

Deliberate breaches

Employee-led data breaches can be accidental, but they also arise out of situations where an individual exploits access rights to sensitive information, often for financial gain. Disclosure of trade secrets feature prominently, as does the sale of access passwords or other data (including customer personal data). There are also cases where the motivation is not financial, but where an aggrieved former or current employee is trying to cause harm to a business or to another employee.

For personal gain

It is not uncommon for employees to be approached by third parties with offers to pay for (and potentially later be blackmailed into providing) data, their passwords, or to record data that they have access to and pass it on.

Often the information sought by third parties is the personal data of customers. It might be their personal details to allow the third party to pose as a customer when calling financial institutions, or to identify targets for cold calling.

With more businesses moving to a hybrid working model, where employees work from home as well as in the workplace, businesses need to be increasingly vigilant.

It is harder for employers to monitor who has access to company equipment or who is in the room when calls are being taken where their employees are working from home. In the office, it's easy to regulate mobile phone use, but it's another story in a remote working world. Preventing an employee from taking screen shots of work information when working from home is almost impossible although there are technological barriers to such activities including data masking in databases.

It is important not to focus solely on employees, but also to consider who else has access to your business’s data. Consider what access rights outsourced workers have and whether they are subject to appropriate policies and procedures which also cover remote working.

Due to a grievance – the Morrisons case

The most high-profile case of a disgruntled employee releasing personal data involves the supermarket chain, Morrisons. The case came before the Supreme Court in 2020 and involved a deliberate data breach orchestrated by a single employee who had "gone rogue". Driven by what he saw as poor treatment during a disciplinary action, the employee copied the payroll data of Morrisons' entire workforce of 126,000 employees on to a USB stick and uploaded some of it to a file sharing site.

Morrisons was ultimately found not to be vicariously liable for the employee’s actions, because he was not furthering his employer's business or acting in the course of his employment – but that should not lead to complacency. The Supreme Court found that employers could be held liable for data breaches by employees where such activities were within the course of employment. This means the risk of an insider data breach by employees is one which employers need to understand and do everything they can to mitigate.

Although the threat of prison may act as a deterrent – the Morrisons employee was sentenced to eight years’ imprisonment – breaches driven by a grievance or personal vendetta remain a risk for employers. The employer/employee relationship is inherently personal and therefore vulnerable to the fluctuations of human emotion. There is always a possibility that employees will feel aggrieved by actions or decisions taken by their employer. Disciplinary action is an obvious example but employer decisions including in relation to redundancy or promotion can also be a flash point.

Use of systems and controls

The risk of accidental and deliberate employee breaches can be reduced both from a technological standpoint and in terms of the controls put in place by the employer.

Access to data is a function of most employees' roles. The following points are important to consider when implementing robust systems and controls:

• Do employees have access to more data than they actually need to do their role?
• Are there access and monitoring capabilities in place to trace who has accessed information?
• Are IP/geolocation restrictions implemented in relation to remote working?
• Have you implemented dual factor authentication making it harder for third parties to access data?
• Do you regularly review who is accessing data and how frequently to identify patterns of access (time of day, volume of data, type of records etc)?
• Are IT controls strong enough to limit the routes by which data can be taken out of the business? Does your business impose restrictions on internet access and disable USB ports on computers?

Education and policies

In addition to implementing robust systems and control, employers should put in place appropriate policies and procedures to monitor and educate employees including about the personal risks to them if they misuse data.

Education

Employees should be made aware that there are civil and criminal consequences if they steal personal data from their employer. The Information Commissioner's Office (ICO) has the power to bring proceedings in such cases and has increased its enforcement action. There have been targeted criminal prosecutions under the Data Protection Act 2018 against current and former employees who conspired to steal customer information.

Not only is there the threat of action taken by the ICO, each employer can pursue civil proceedings to recover damages or legal costs lost due to its employee’s actions. A word of warning for employees: the potential damages that a wronged employer can claim are likely to exceed by many times any payment received by employees from third parties for stealing the data.

Educating employees about what to do in the event of an approach from a third party is equally important as is education and training on the employer's policies. A policy will only have value if employees are aware of it and regularly implement it when at work.

Policies

So what should an appropriate data protection policy cover? To be effective it should deal with the use of both personal devices and personal email addresses. It should also cover company rules on the use of instant messenger platforms like Skype for Business or Slack. Given the rapid pace of technological change, employers should ensure their policies are kept under regular review and revised when necessary. The rise in home working has seen a surge in the use of new technologies such as Zoom and Microsoft Teams which employers will need to consider.

To be in the best position to detect and react to an employee who goes rogue, it is also helpful to also have appropriate policies in place to deploy covert monitoring of employees' activities.

While a whistleblowing policy is not a legal requirement, it is recommended by the UK government as good practice. Such a policy could enable employees to raise concerns about the actions of fellow employees or notify the employer that they have been approached by a third-party rogue actor.

In addition to effective policies, employment contracts should be drafted to ensure that employers have the right to access and monitor an employee's emails and internet access, to guard against threats like employee-led data breaches.

Taking these pre-emptive measures will help to ensure that employers are best placed to deal with an insider threat. These are some simple things businesses can do to reduce risk, even if it is impossible to eliminate it entirely.

Find out more

To discuss the issues raised in this article in more detail, please reach out to a member of our Data Protection & Cyber or Employment, Pensions & Mobility teams.