Cybersecurity threats can emanate not just from outside sources but from company insiders as well — including employees, executives, directors and contractors.
According to NetDiligence's 2014 Cyber Insurance Claims Study, roughly one-third of the reported events were attributable to insiders. Just over half of insider events were unintentional — caused predominantly by employee mistakes — and just under half were purposeful and originated from malicious inside actors.
Globally, according to PwC's most recent Global Crime Report, more than half of all people seeking to defraud a company are thought to be insiders, with so-called procurement fraud on the rise.
Insider threats pose special legal challenges, including how far companies can go in monitoring insider conduct and communications, incentivizing insiders to avoid mistakes as well as malicious behavior, investigating and questioning insiders about their activities, and disciplining insiders involved in cybersecurity incidents.
The legal disciplines focused on a company's human resources — employment, privacy, employee benefits, and executive compensation — are indispensable to building an effective program to reduce the risk of cybersecurity incidents occurring in the first instance, and to respond effectively once a breach is suspected or has occurred, all without running afoul of applicable laws.
It's important to keep in mind that these laws may vary considerably from country to country, even within a relatively homogenous area such as the European Union. This article focuses on key areas of human resources law that every in-house counsel should consider when assessing the organization's ability to prevent, prepare for and react to cybersecurity threats from insiders.
1. Welcoming new employees
Organizations that shape the employment environment ahead of time, rather than in the aftermath of an incident, can help create a corporate culture where employees appreciate the importance of cybersecurity, not only to the company's success but ultimately to their own jobs and careers. This begins during new employee “on-boarding.”
From the first days of joining an organization, employers should apprise each new employee of the company's expectations regarding protection of confidential information and critical infrastructure in a one-on-one conversation with a member of management. The on-boarding should also include in-depth explanations of any policies governing the employee's access to such information, and any monitoring or other policies that could implicate an employee's privacy. Lastly, on-boarding should include a screening process to ensure that no new hire has brought with them any confidential information from another company, thus reinforcing the employer's position that it values the protection of confidential information independent of its source. Parallel procedures should be put in place for outside directors and contractors.
2. Defining confidential information
Cybersecurity ultimately involves protecting a company's confidential information and the infrastructure used to house and manage it. Effective protection requires understanding the benefits the law offers companies as well as the legal limits on protective activity, often across multiple jurisdictions. Policies should reflect the importance of confidential information and the breadth of protected information. Some laws, such as insider trading prohibitions, are well established in company policies, but companies need to confront new ways confidential information may be created, used and disseminated.
Confidentiality and non-disclosure agreements can provide a company more protection than the law supplies by default. They can, for example, define confidential information more broadly and offer greater remedies than the law otherwise affords—some of which can be more swiftly enforced. Confidentiality and non-disclosure agreements therefore are an important source of protection. They are, however, only as effective as the policies and procedures put in place to enforce them, which typically will need to be not just in multiple parts of the company but in multiple jurisdictions as well. Legal niceties matter here — agreements, policies and procedures that turn out to be unenforceable or that otherwise violate the law won't protect a company and can make matters worse.
3. Incentivizing compliance
According to the Verizon 2014 Data Breach Investigations Report (DBIR), most data security incidents caused by insiders are perpetrated for financial or personal gain. It is imperative that compensation policies and benefit arrangements reinforce and incentivize compliance with cybersecurity procedures and, where possible, provide sanctions for breach. Companies should review their employment agreements, bonus and fringe benefit programs, deferred and equity compensation arrangements and benefit plans carefully.
At a minimum, the relevant documents should restrict insiders, to the extent permissible, from claiming compensation and benefits following a breach of their cybersecurity and confidentiality obligations to the company, and, where appropriate, provide for clawbacks of compensation and benefits previously paid. Ideally, compliance with company procedures should be taken into account and rewarded in setting compensation and benefits for company insiders. Constructing an effective system of restrictions and rewards involves careful analysis of local law by employment and benefits counsel familiar with the applicable rules.
4. Monitoring employees
Even with a cybersecurity-aware atmosphere and incentivized employees, employers should follow a “trust but verify” approach and actively monitor both the systems and the employees that exhibit insider-threat characteristics. In the United States, policies on employee use of email, mobile devices, the Internet and social media can give employees notice of the types of monitoring conducted; similar policies should be reviewed for enforceability outside the U.S.
Managers should also work to identify disgruntled employees and assess the level of risk associated with the employee's access to confidential information and critical infrastructure. Heightened monitoring of an employee's electronic footprints — where on the system the employee is going; what, if anything, the employee is downloading, printing or emailing — during key times, such as the first and last few weeks of employment and at the time of performance reviews, may also allow an employer to identify bad conduct. Conducting exit interviews with departing employees may aid employers in deterring wrongdoing and identifying problem employees.
5. Investigating employees
If an insider breach is suspected, an investigation may be necessary. Whether a theft occurred may not be clear initially, and companies must determine how extensively to investigate. Inside counsel should keep in mind that investigation can be costly and bring unwanted attention to the loss or vulnerability. Investigations can range from forensic computer searches to interviews with employees. A company might need to investigate to determine whether internal controls (which are sometimes imposed by law) are functioning. Many jurisdictions, including the U.K., may require investigation to ensure that subsequent employment action is procedurally fair and legally compliant. Companies should have in place an advance plan of action to address how to decide whether to investigate when a breach is suspected and should make sure their plan of action complies with the laws of the jurisdiction(s) in which it will be implemented, including privacy and employment laws.
6. Departing employees
According to the U.S. CERT Insider Threat Center, malicious insiders typically conduct their illicit activity within 30 days of announcing their resignation. It is imperative for employers to develop policies and procedures for “off-boarding” that are directed at minimizing the risk of data leakage. For employees who resign, the employer must decide, as soon as notice is given, whether to institute a protocol to remove or limit access to confidential information and whether to audit the employee's previous access to ensure the employee did not harvest any confidential information. For employees who will be fired, the employer must implement a protocol to protect the confidential information, which might include reducing the employee's access before or at the same time as notifying the employee of the impending dismissal. Employment agreements and, particularly outside the United States, employment laws may limit the actions a company may take. A hasty termination may result in losing the ability to collect evidence and verify suspicions; however, depending on the situation, immediate action may be required to prevent further loss.
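As an added illustration (not from the article), the Python sketch below applies the heightened-monitoring windows described in sections 4 and 6: it scans access-log lines and flags download, print and email actions that fall within an employee's first 30 days, the week either side of a performance review, or the 30 days after a resignation notice. The HR records, log lines, action names and window lengths are constructed assumptions for the example.

```python
"""Flag sensitive file actions that fall inside an employee's monitoring windows.
All records below are constructed for illustration; window lengths are assumptions."""
from datetime import date, timedelta
from collections import Counter

# Constructed HR records: hire date, optional review date, optional resignation notice.
HR = {
    "alice": {"hired": date(2024, 1, 8), "review": None, "notice": date(2024, 5, 1)},
    "bob":   {"hired": date(2024, 4, 22), "review": None, "notice": None},
    "carol": {"hired": date(2021, 3, 1), "review": date(2024, 5, 6), "notice": None},
}

# Constructed access-log lines: date user action object...
LOG = """\
2024-05-03 alice download /shares/finance/q1-forecast.xlsx
2024-05-04 alice email external:personal-mail.example 3 attachments
2024-04-23 bob download /shares/hr/handbook.pdf
2024-05-07 carol print /shares/legal/contracts-2024.pdf
2024-02-14 alice view /shares/eng/roadmap.md
2024-05-20 carol download /shares/eng/design.docx
"""

SENSITIVE = {"download", "print", "email"}   # actions the article singles out
WINDOW = timedelta(days=30)                  # first 30 days / 30 days after notice

def windows(rec):
    """Return (label, start, end) monitoring windows for one employee record."""
    w = [("onboarding", rec["hired"], rec["hired"] + WINDOW)]
    if rec["review"]:
        w.append(("review", rec["review"] - timedelta(days=7), rec["review"] + timedelta(days=7)))
    if rec["notice"]:
        w.append(("resignation", rec["notice"], rec["notice"] + WINDOW))
    return w

def flag_events(log, hr):
    """Return one dict per sensitive action that lands inside a monitoring window."""
    flagged = []
    for line in log.splitlines():
        day, user, action, *rest = line.split()
        when = date.fromisoformat(day)
        if action not in SENSITIVE or user not in hr:
            continue
        for label, start, end in windows(hr[user]):
            if start <= when <= end:
                flagged.append({"user": user, "date": day, "action": action,
                                "window": label, "object": " ".join(rest)})
    return flagged

def summarize(flagged):
    """Count flagged actions per (user, window) for a reviewer's triage list."""
    return Counter((f["user"], f["window"]) for f in flagged)
```

Running `summarize(flag_events(LOG, HR))` on the constructed data reports two resignation-window actions for alice, one onboarding action for bob and one review-window action for carol; carol's later download falls outside every window and is not flagged.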
Understanding the law that governs dealings with company insiders can permit inside counsel to play a critical role in shaping policies to prevent and respond to insider threats effectively. With almost half of European organizations admitting that insider threats are now more difficult to detect, creative and multi-disciplinary solutions are needed to reduce the number of potential incidents and further assist in detecting current threats.
© 2024 ALM Global, LLC, All Rights Reserved.