A Brief Guide to Fighting Employee Cybercrime
Experts estimate that each internal breach of an organization compromises an average of 10,000 individual pieces of sensitive information. Fortunately, employers have a variety of tools at their disposal to take a proactive approach to cybercrime committed by current or former employees.
By Spencer Hamer
Employers are under siege from cybercrime, and the problem is getting more severe every year. In 2012, even the White House was subject to a "spear-fishing" hack attack. In 2011, a single hacking incident cost Sony more than $170 million. Richard Power, director of the Computer Security Institute, estimates that single instances of hacking may cost as much as $600,000 to $7 million per day for online businesses. In addition, with the slumping economy, ex-employees are hacking at unprecedented rates. Wireless provider Verizon even attributed 20 percent of recent breaches to insider misconduct.
Experts estimate that each internal breach compromises, on average, 10,000 individual pieces of sensitive information, at least 60,000 more than external attacks. Sensitive client information, proprietary trade secrets and employee data are all at risk. Fortunately, employers have a variety of tools at their disposal to take a proactive approach to cybercrime committed by current or former employees.
Conduct Thorough Screening: It is critical to identify potential problem employees before they are hired. Examine applications for work history gaps and reasons given for leaving jobs. Check references, going beyond those provided if possible. Consider using background checks and pre-employment testing, but only to the extent permitted by applicable law, including the EEOC's recent guidance memorandum on the use of background checks.
Use the "Broken Windows" Approach: In the 1990s, New York City crime rates dropped dramatically after the NYPD implemented the "broken windows" theory of preventing crime: cracking down on little offenses prevents big ones. Have a zero-tolerance policy prohibiting misconduct, including theft, and consistently apply it. If a popular supervisor takes office supplies home, overnight security is lax, and no computer monitoring policy exists, employees may perceive that the company turns a blind eye to security issues, and act accordingly.
Consider Monitoring Options: Information technology provides employers with a host of options to detect misconduct. For example, computer screens can be monitored remotely. In addition, employees often forget that email communications can be retrieved, even after they have been deleted. And, by setting computer backup systems to preserve information, employers can often obtain "smoking gun" evidence. Work with an IT professional to develop procedures that make sense for your environment. But consult legal counsel first to evaluate potential restrictions under applicable law. Numerous legal issues arise from monitoring, and lawsuits are being filed on a class action basis for actions such as alleged improper monitoring of telephone calls.
If You Monitor, Give Clear Notice: The employee handbook should make it clear that, to the extent permitted by applicable law, the employer reserves the right to inspect property, including computers, emails and voicemails on the employer's system, for any legitimate business purpose, without notice or employee consent. It should also indicate that employees have no expectation of privacy in the workplace, and that passwords and login devices do not create a privacy right. In addition, the policy should make clear that all information pertaining to the employer and its clients is strictly confidential. Employees should also be cautioned about disclosing information online, including on social networking websites, so having a robust social media policy is also important.
Conduct a Thorough IT Audit: Security experts can be retained to thoroughly audit cyber security. One expert we have worked with recently related how, after being retained by a high-priced Los Angeles hotel with frequent celebrity guests to audit the hotel's new security system, she was able to hack into the system in less than 30 minutes and access reams of confidential information. Given the speed at which hacking and other cybercrime techniques evolve, such audits should be conducted at frequent intervals.
Develop Investigation Protocol: A protocol for prompt and thorough workplace investigations into potential theft issues must be established. Among other things, it should identify the persons responsible for investigating and explain the steps in the investigation process. Managers should be regularly trained on the protocol.
Encourage Reporting: Employers should encourage reports of misconduct. Employees, however, are often reluctant to report misconduct, especially when they lack hard evidence. The employee handbook should set forth guidelines on how to report suspected impropriety. Consider using an anonymous reporting service, such as an (800) hotline, and designating an ombudsperson to receive complaints confidentially. Assure employees, through a written policy, that the employer will not retaliate against them for good faith reports of misconduct, regardless of the outcome of the investigation. Consult legal counsel regarding applicable whistleblower protection laws.
Prepare for Public Communications: The public may learn about matters the employer would like to keep confidential. If a cyber-theft issue becomes public, employers can exacerbate the problem by appearing defensive, secretive, confused or uncaring. Moreover, they risk defamation suits if communications are not vetted. Management needs to present a clear, consistent message, and using the proper tone is critical. Designate and train a spokesperson. And, for particularly sensitive situations -- or if media scrutiny is an issue -- consider retaining a consulting firm that specializes in crisis management.
Consider Cyber Insurance: Many insurance carriers are now issuing cyber insurance policies. Consult your broker to determine whether such a policy makes sense for your business.
Taking practical steps to prevent cyber theft raises a variety of legal issues under federal and local laws, and legal counsel should be consulted in advance. Nevertheless, employers that take the initiative with preventative tactics will be in a better position than those that wait for a crisis to occur.
Spencer Hamer is a partner at Michelman & Robinson, LLP's Los Angeles office, where he is a member of the firm's labor and employment law department. He can be reached at firstname.lastname@example.org.