By BrightHR Chief Technological Officer Alastair Brown
This week, Amazon has said it is investigating suspected internal leaks of confidential data by its employees for bribes to remove fake reviews and other seller scams from its website.
Confidential data can be a company’s most valuable asset, whether this is customer data, trade secrets or future developments which will bring significant updates once introduced. Data leaks, however small, can affect a company’s bottom line and reduce customer confidence in the security of the business. Additionally, under the recent data protection changes, a leak of personal data can result in a costly penalty for the organisation.
Employees are legally obliged not to share their employer’s confidential data, even if this obligation isn’t expressly included within the employee’s contractual documentation. It is often useful to include such an express term so that employees are reminded of this obligation when they join the company, and this term can be referred back to when necessary. Confidentiality clauses are also important to include as post-termination covenants because, after employment ends, the confidentiality duty only applies to information which could be classed as a trade secret. Therefore, post-termination restrictions will need to be expressly included in contracts to protect a broader range of information after employment ends.
Data leaks can be taking place in your business through a variety of methods: for example, data may be intentionally leaked by staff or leaked through careless behaviour. In order to reduce the likelihood of employees leaking confidential data, all members of staff should receive training on handling company data. This training should cover areas such as careless talk, email use, data protection obligations and confidentiality outside of the workplace. Monitoring of areas such as workplace email accounts and internet use will help identify where leaks are taking place. To avoid breaching privacy rights, employees will need to be informed of how monitoring will take place, in advance of this occurring. Where the business is aware there is an unidentified data leak, it may wish to consider whether a confidential reporting line can be introduced to encourage internal reporting.
Where careless data leaks are identified, usually through email errors such as attaching the wrong document or emailing an unintended recipient, employers should consider how they can address this. It may be the case that employees are working without paying attention, and a reminder of the importance of securely emailing data will help address this. Alternatively, employees may require training on email software systems to ensure they understand how to use these properly.
Should it be identified that an employee is intentionally leaking data, this needs to be addressed, without delay, through the formal disciplinary policy. Depending on the circumstances, intentionally leaking data may be considered serious or gross misconduct by the employer. A reasonable investigation into the allegations will need to be conducted, with further consideration as to whether suspension of the employee is necessary to prevent further data leaks or whether other measures to temporarily restrict access can be introduced. Once a formal disciplinary hearing has been conducted, a disciplinary sanction which is reasonable in all the circumstances can be imposed. Not only will this help prevent the particular employee leaking data in the future, it will also deter others from carrying out a similar action.