Cybersecurity threats can emanate not just from outside sources but from company insiders as well, including employees, executives, directors and contractors.


According to NetDiligence's 2014 Cyber Insurance Claims Study, roughly one-third of the reported events were attributable to insiders. Just over half of those insider events were unintentional, caused predominantly by employee mistakes, and just under half were purposeful and originated from malicious inside actors.


On a global scale, according to PWC's most recent Global Crime Report, more than half of all people seeking to defraud a company are thought to be insiders, with so-called procurement fraud on the rise.


Insider threats pose special legal challenges, including how far companies can go in monitoring insider conduct and communications, how to incentivize insiders to avoid both mistakes and malicious behavior, how to investigate and question insiders about their activities, and how to discipline insiders involved in cybersecurity incidents.


The legal disciplines focused on a company's human resources (employment, privacy, employee benefits and executive compensation) are indispensable to building an effective program to reduce the risk of cybersecurity incidents occurring in the first instance, and to respond effectively once a breach is suspected or has occurred, all without running afoul of applicable laws.


It is important to keep in mind that these laws may vary considerably from country to country, even within a relatively homogeneous area such as the European Union. This article focuses on key areas of human resources law that every in-house counsel should consider when assessing the organization's ability to prevent, prepare for and react to cybersecurity threats from insiders.


1. Welcoming new employees


Organizations that shape the employment environment ahead of time, rather than in the aftermath of an incident, can help create a corporate culture in which employees appreciate the importance of cybersecurity, not only to the company's success but ultimately to their own jobs and careers. This begins during new employee “on-boarding.”


From the first days of joining an organization, employers should apprise each new employee of the company's expectations regarding protection of confidential information and critical infrastructure in a one-on-one conversation with a member of management. On-boarding should also include in-depth explanations of any policies governing the employee's access to such information, and of any monitoring or other policies that could implicate the employee's privacy. Lastly, on-boarding should include a screening process to ensure that no new hire has brought along confidential information from another company, reinforcing the employer's position that it values the protection of confidential information regardless of its source. Parallel procedures should be put in place for outside directors and contractors.


2. Defining confidential information


Cybersecurity ultimately involves protecting a company's confidential information and the infrastructure used to house and manage it. Effective protection requires understanding both the benefits the law offers companies and the legal limits on protective activity, often across multiple jurisdictions. Policies should reflect the importance of confidential information and the full breadth of what is protected. Some laws, such as insider trading prohibitions, are well established in company policies, but companies also need to confront the new ways in which confidential information may be created, used and disseminated.


Confidentiality and non-disclosure agreements can provide a company more protection than the law supplies by default. They can, for example, define confidential information more broadly and offer greater remedies than the law otherwise affords, some of which can be enforced more swiftly. Such agreements are therefore an important source of protection. They are, however, only as effective as the policies and procedures put in place to enforce them, which typically must operate not just in multiple parts of the company but in multiple jurisdictions as well. Legal niceties matter here: agreements, policies and procedures that turn out to be unenforceable, or that otherwise violate the law, will not protect a company and can make matters worse.


3. Incentivizing compliance


According to the Verizon 2014 Data Breach Investigations Report (DBIR), most data security incidents caused by insiders are perpetrated for financial or personal gain. It is therefore imperative that compensation policies and benefit arrangements reinforce and incentivize compliance with cybersecurity procedures and, where possible, provide sanctions for breach. Companies should carefully review their employment agreements, bonus and fringe benefit programs, deferred and equity compensation arrangements and benefit plans.


At a minimum, the relevant documents should restrict insiders, to the extent permissible, from claiming compensation and benefits following a breach of their cybersecurity and confidentiality obligations to the company and, where appropriate, provide for clawbacks of compensation and benefits previously paid. Ideally, compliance with company procedures should be taken into account and rewarded when setting compensation and benefits for company insiders. Constructing an effective system of restrictions and rewards involves careful analysis of local law by employment and benefits counsel familiar with the applicable rules.


4. Monitoring employees


Even with a cybersecurity-aware atmosphere and incentivized employees, employers should follow a “trust but verify” approach and actively monitor their systems, as well as those employees who exhibit insider-threat indicators. In the United States, policies governing employee use of email, mobile devices, the Internet and social media can serve to give employees notice of the types of monitoring the employer conducts; outside the U.S., similar policies should be reviewed for enforceability under local law.


Managers should also work to identify disgruntled employees and assess the level of risk associated with each such employee's access to confidential information and critical infrastructure. Heightened monitoring of an employee's electronic footprint (where on the system the employee is going and what, if anything, the employee is downloading, printing or emailing) during key periods, such as the first and last few weeks of employment and the time of performance reviews, may also allow an employer to identify bad conduct. Conducting exit interviews with departing employees may help employers deter wrongdoing and identify problem employees.


5. Investigating employees


If an insider breach is suspected, an investigation may be necessary. Whether a theft actually occurred may not be clear initially, and companies must decide how extensively to investigate. Inside counsel should keep in mind that an investigation can be costly and can draw unwanted attention to the loss or vulnerability. Investigations can range from forensic examination of computers to interviews with employees. A company might also need to investigate to determine whether its internal controls (which are sometimes imposed by law) are functioning. Many jurisdictions, including the U.K., may require an investigation to ensure that any subsequent employment action is procedurally fair and legally compliant. Companies should have in place an advance plan for deciding whether to investigate when a breach is suspected, and should make sure that plan complies with the laws of the jurisdiction(s) in which it will be implemented, including privacy and employment laws.


6. Departing employees


According to the U.S. CERT Insider Threat Center, malicious insiders typically carry out their illicit activity within 30 days of announcing their resignation. It is imperative for employers to develop “off-boarding” policies and procedures directed at minimizing the risk of data leakage. For employees who resign, the employer must decide immediately upon notice whether to institute a protocol to remove or limit access to confidential information, and whether to audit the employee's previous access to ensure the employee did not harvest confidential information. For employees who will be fired, the employer must implement a protocol to protect confidential information, which might include reducing the employee's access before or simultaneously with notifying the employee of the impending dismissal. Employment agreements and, particularly outside the United States, employment laws may limit the actions a company may take. A hasty termination may cost the company the ability to collect evidence and verify its suspicions; depending on the situation, however, immediate action may be required to prevent further loss.
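The monitoring described in sections 4 and 6 (heightened attention to downloads, printing and outbound email during the first and last weeks of employment and around performance reviews, and an audit of access in the 30 days after a resignation notice) can be expressed as a simple detection rule. The script below is an added example for this article, not the authors' material or any vendor's product: it joins a hypothetical HR roster with constructed access-log lines and flags users whose data-moving activity inside one of those windows exceeds a threshold. The window lengths, byte and count thresholds, log format and user names are all assumptions chosen for illustration.

```python
"""Flag insider-risk activity during the elevated-risk windows an HR
roster defines. Added example; every roster entry and log line below
is constructed, and the thresholds are illustrative assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterator, List, Optional, Tuple

# Actions that move data out of the environment (assumed taxonomy; a real
# deployment would map DLP, proxy or endpoint event types onto these).
EXFIL_ACTIONS = {"download", "print", "email_out"}


@dataclass(frozen=True)
class Employee:
    uid: str
    hired: date
    resignation_notice: Optional[date] = None  # date notice was given
    review_date: Optional[date] = None         # next performance review


@dataclass(frozen=True)
class Flag:
    uid: str
    window: str
    total_bytes: int
    event_count: int


# Hypothetical roster, as an HR system export might be consumed.
ROSTER: Dict[str, Employee] = {
    "alice": Employee("alice", date(2023, 1, 9), resignation_notice=date(2024, 3, 1)),
    "bob":   Employee("bob",   date(2024, 2, 26)),
    "carol": Employee("carol", date(2020, 5, 4), review_date=date(2024, 3, 15)),
}

# Constructed access log, one event per line: "<date> <user> <action> <object> <bytes>".
SAMPLE_LOG = """\
2024-01-15 alice download roadmap.pdf 3000000
2024-03-03 alice download customer_list.csv 120000000
2024-03-04 alice email_out q1_forecast.xlsx 8000000
2024-03-05 alice view wiki/onboarding 0
2024-03-05 bob download hr_handbook.pdf 2000000
2024-03-06 carol print salary_bands.xlsx 500000
2024-03-14 carol download all_contracts.zip 900000000
"""


def risk_windows(e: Employee) -> Iterator[Tuple[str, date, date]]:
    """Yield (label, start, end) for the periods the article singles out:
    the first weeks of employment, the 30 days after a resignation notice,
    and the week either side of a performance review."""
    yield ("first_30_days", e.hired, e.hired + timedelta(days=30))
    if e.resignation_notice:
        yield ("post_resignation_notice", e.resignation_notice,
               e.resignation_notice + timedelta(days=30))
    if e.review_date:
        yield ("performance_review", e.review_date - timedelta(days=7),
               e.review_date + timedelta(days=7))


def window_for(e: Employee, day: date) -> Optional[str]:
    """Return the label of the first risk window containing `day`, or None."""
    for label, start, end in risk_windows(e):
        if start <= day <= end:
            return label
    return None


def parse_log(text: str) -> List[Tuple[date, str, str, str, int]]:
    """Parse the constructed log format into (date, user, action, object, bytes)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, uid, action, obj, nbytes = line.split()
        rows.append((date.fromisoformat(day), uid, action, obj, int(nbytes)))
    return rows


def flag_events(roster: Dict[str, Employee], log_text: str,
                byte_threshold: int = 100_000_000,
                count_threshold: int = 5) -> List[Flag]:
    """Aggregate exfil-style actions per (user, window) and flag any aggregate
    over either threshold. Accounts missing from the roster are skipped here;
    an unknown account is an identity problem to be handled separately."""
    totals = defaultdict(lambda: [0, 0])  # (uid, window) -> [bytes, count]
    for day, uid, action, _obj, nbytes in parse_log(log_text):
        emp = roster.get(uid)
        if emp is None or action not in EXFIL_ACTIONS:
            continue
        label = window_for(emp, day)
        if label is None:
            continue
        agg = totals[(uid, label)]
        agg[0] += nbytes
        agg[1] += 1
    flags = [Flag(uid, label, b, c) for (uid, label), (b, c) in totals.items()
             if b >= byte_threshold or c >= count_threshold]
    return sorted(flags, key=lambda f: (f.uid, f.window))


if __name__ == "__main__":
    for f in flag_events(ROSTER, SAMPLE_LOG):
        print(f"{f.uid}: {f.event_count} exfil events, {f.total_bytes:,} bytes "
              f"during {f.window}")
```

Run against the constructed data, the rule flags alice (128 MB moved in the month after her notice) and carol (a 900 MB archive pulled the day before her review) while leaving bob's small download in his first weeks unflagged. Two practical points follow from the article's own caveats: the roster feed is itself sensitive HR data and the monitoring it drives must be covered by the notice and policy work described in section 4, and the thresholds should be set against a user's normal baseline rather than fixed globally, or the rule will either miss a patient exfiltrator or bury analysts in false positives.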


Understanding the law that governs dealings with company insiders allows inside counsel to play a critical role in shaping policies that prevent and respond to insider threats effectively. With almost half of European organizations admitting that insider threats are now more difficult to detect, creative and multi-disciplinary solutions are needed to reduce the number of potential incidents and to assist in detecting current threats.

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.