Going Rogue: Avoiding the Pitfalls of Employee Misuse or Theft of Company Data

Blank Rome LLP

Why It Matters: The Threat Faced by Companies Today of Employee Misuse of Sensitive Company Data

In today's highly digital and technological age, employees commonly use company networks and systems to communicate, conduct business, and access data. While productivity has increased exponentially with the advancement of technology, so too has the risk of misuse and theft of sensitive, confidential company data by employees. Importantly, the biggest threat of a data breach today comes not from malicious outsiders, but from inside the company in the form of the organization’s own employees. To make matters worse, the severity of the impact felt by companies that experience data leakage has grown exponentially in recent years. In addition to the catastrophic financial consequences caused by a data leakage incident, the reputational hit that a company customarily takes in the wake of an incident can also have dire consequences for the long-term viability of an organization. Taken together, these risks make it imperative that companies large and small ensure that they are protected against employee misuse and theft of company data. Fortunately, there are several proactive steps that organizations can take to minimize the risk of falling victim to inappropriate data utilization by company insiders.

The Problem: Employer Liability Stemming From Misuse or Theft of Company Data

When an employee is found to have misused or misappropriated company data that results in injury or damage to third parties, two primary theories of liability are pursued against the worker's employer. First, as is common with most torts committed by employees, an injured party will seek to establish liability against the employer under a theory of respondeat superior or vicarious liability. Respondeat superior liability provides that an employer is liable for an employee's acts that were performed within the scope and course of the individual's employment or in furtherance of the employer's interest. Liability under respondeat superior is not predicated upon fault of the employer; instead, it results from liability for acts committed by those individuals for whom the employer is responsible. Importantly, for the employer to be liable under a theory of respondeat superior liability, the employee's tort must be committed within the scope of employment. For the act to be within the scope of employment, the behavior giving rise to the tort must have been “calculated to facilitate or promote the business for which the employee was employed.” Conversely, employers are not liable for independent, self-serving acts of their employees that do not facilitate or promote the company's business interests.

In addition, negligent employment theories—which are distinct from the doctrine of respondeat superior—may also impose direct liability on employers for the misconduct of their employees. Under the torts of negligent hiring, retention, and supervision, if an employer, without exercising reasonable care, employs an incompetent person in a job that brings him into contact with others, then the employer is subject to liability for any harm the employee's incompetency causes. Here, an employer is subject to direct liability for harm to a third party caused by its employee’s conduct if the harm was caused by the employer's negligence in selecting, training, retaining, supervising, or otherwise controlling the employee. Foreseeability is a key issue in connection with claims of negligent hiring, retention, or supervision, and liability often hinges on the scope of the original foreseeable risk that the employee created through his or her acts and/or omissions. It is only where the misconduct was to be anticipated, and taking the risk of it was unreasonable, that liability will be imposed.

The Solution: Employer Strategies to Minimize the Risk of Liability in Connection With Rogue Employees

There are several pivotal steps that employers can take to minimize the risk of being held responsible for the misuse or theft of company data by members of the company’s workforce.

As a starting point, due to the prevalence of technology both at work and outside of the workplace today, the first layer of protection an employer should have in place is a detailed, stringent set of company policies and procedures to guard against employee data misuse. As a general matter, these policies should define expectations for employees or anyone with access to firm data regarding issues such as the use of personal email and devices, file-sharing programs, the copying of data to personal devices, and the use of company systems from remote locations. Doing so will significantly limit the risks associated with online activity by employees and limit the risks of both respondeat superior and negligent retention/supervision liability. Importantly, these policies serve dual purposes: proactively deterring employees from engaging in the improper use or dissemination of company data, and serving as a robust defense to liability in the event the employee wrongly handles or transmits sensitive company information.

Critically, however, it is not sufficient simply to have the proper policies and procedures in place; rather, employers must also expend the time and effort necessary to train their workers on proper data security measures—regardless of their position—as most technology-oriented data security measures are easily defeated by workers who inadvertently or carelessly open the door to data leakage events. As such, employers should train all new hires on the company's data-oriented policies, as well as proper practices and methods for the handling and transmission of company data, as part of the onboarding process. Beyond that, employers should also conduct regular interim training sessions to refresh employees’ knowledge of the company’s data handling standards and what does—and does not—constitute proper employee use of company data.

Another important step that companies can take to further mitigate the risk of data theft is to tailor employees' access to electronic data to the worker's specific job duties. Strategically tailoring access is an effective way to prevent or limit internal employee data theft. Accordingly, companies must ensure that employees only have access to information and data that is essential to the duties and responsibilities of their position within the company. Similarly, companies should also regularly review workers’ data access rights and terminate any access to accounts that are no longer in use or no longer needed for the employee to carry out his or her job responsibilities.

In addition to limiting what data is accessible, companies should also monitor what data is being accessed on the company's network. Data monitoring can not only detect leaks when they happen, but can also discourage employees from taking unnecessary risks by sharing firm data. In particular, employers should monitor electronic usage to identify any early warnings of potential vulnerabilities with an eye toward unusual activity, particularly if information is being pulled off of a company's network. In addition, it is also advisable to monitor employees’ email communications, as company data is often misused or stolen by employees who use company email systems to send large chunks of company information either to their personal email addresses or to third parties over very short periods of time.

Similarly, companies should also monitor employees themselves for potential data security threats. As a starting point, companies should conduct thorough background reviews of all candidates for employment before the time they are hired. Background checks are extremely useful because they can identify any prior fraudulent or dishonest activity on the part of the potential new hire, which is a clear red flag that the individual may pose a data security threat if employed by the organization and—more importantly—would serve as the basis for a cognizable negligent hiring claim. In addition, protective monitoring of current employees is also necessary to reduce opportunistic or counterproductive behavior by workers. Things such as being hostile to managers and fellow employees and severe dips in performance are tell-tale signs that an employee might pose a threat of compromising company information and data. After a high-risk employee is identified, the organization should guard against the increased threat of data leakage or theft by engaging in increased data monitoring of the employee. Importantly, however, it is imperative that all background reviews and employee monitoring activities are carried out by the company in accordance with all legal requirements and regulations.

Finally, anytime an employee leaves a company, the organization must implement proper offboarding procedures to limit the potential for data leakage. As a starting point, long before an employee ever leaves the company, employers must require all workers to sign non-disclosure agreements prohibiting them from taking any intellectual property, company data, or customer data when the worker departs the organization. In addition, the company should utilize exit interviews as an opportunity to repossess company data from all of the departing employee’s electronic devices and to reaffirm and reemphasize the employee’s ongoing data protection obligations, which continue even after the employee severs his relationship with the organization. The company should immediately remove an employee’s access to the company systems and data, and change all passwords, as soon as a worker departs the company. In the event the employer decides to terminate an employee, it is imperative that this access removal be completed before the worker is notified of his or her termination.

The Final Word

In the workplace today, the threat posed by rogue employees misusing or misappropriating company data continues to expand at break-neck speed. Combined with the ever-increasing costs of litigation, employers must be proactive in implementing strategies to minimize the risk of being on the hook for the misuse or theft of company data by members of their workforce. However, by adhering to best practices geared towards avoiding employee data leakage, employers can put themselves in the best position to proactively limit instances of data loss and set themselves up with stringent defenses to allegations of respondeat superior or negligent hiring/retention/supervision liability in the event they ever find themselves on the receiving end of an insider-triggered data breach event.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Blank Rome LLP | Attorney Advertising
