Data gatekeeper: How HR can manage IT security
In the 21st century, digital data is the name of the game. With computers and other tech devices infiltrating every facet of business, data security risks have never been more pressing. According to Robert Half’s recent “CIO Insomnia Report”, 65% of Chief Information Officers (CIOs) estimate their firms suffer three or more IT security breaches annually. Ten per cent gave a more nightmarish scenario of 26 security violations each year.
The biggest risk of IT security breaches is information theft, which is usually the theft of confidential, secret or proprietary data such as contracts, pricing, product plans or state secrets. According to Darren Cerasi, director at e-discovery and digital forensics firm i-Analysis, this can be done by outsiders, as in the current crop of hacking incidents by groups such as Anonymous and Lulz Security, or by an insider.
“As more and more data is generated, it creates ever-increasing opportunities for people to steal it as most companies pay lip service to information security. Then when something happens, they buy more firewalls!” says Cerasi. “What they should be doing is treating the information as a valuable corporate asset, applying the right technology and processes and training their people.”
Eric Roring Pesik, Associate General Counsel, Seagate Technology International, says any type of information that a company wants to keep confidential can be the target of information theft. “The fact that information is confidential is what makes it valuable to someone who would exploit it,” he says. “For example, confidential information can be exploited by competitors to get an unfair advantage in the marketplace. The same information might be used by hedge funds for insider trading.”
Employers have the right to protect their business and to impose rules and regulations, as long as they are reasonable. Thus, employers can create policies ranging from access to the actual use of information so as to prevent information theft and keep data secure.
Since a new employee’s first official contact with the company is through the HR department, HR is in a unique position to create and enforce measures to prevent information theft from the very beginning of an employee’s tenure.
Pesik says preventing information theft can involve physical and electronic security to stop information from being accessed by unauthorised persons. HR can manage this by issuing unique passes to staff, specific to locations and information vital to their role.
Lam Chung Nian, Partner, WongPartnership LLP says preventive steps should also involve a review of IT policies, including controlling access to portable storage devices, and also to remote storage services. “Security protocols should be reviewed and policies set for password protection, encryption and control of access to data and the ability to remotely wipe sensitive information,” he says. “Bear in mind that the organisation may be required by the courts to particularise the confidential information which has been stolen, hence there must be processes in place to facilitate this.”
HR can also impose terms and conditions of employment, such as confidentiality clauses. According to the Society for Human Resource Management, just over half of employers require their staff to sign nondisclosure agreements.
Reasonable restrictive covenants can also manage risk associated with subsequent use of the information by competitors.
Apart from rules and regulations, Cerasi says HR should ensure that HR policies are aligned to information security policies, and that staff are made aware of this through training in order to mitigate occurrences of information theft.
HR should educate employees on how to treat confidential information so that it does not become at risk of unauthorised access. “I am a strong believer in education and training,” says Pesik. “I believe that most people want to do the right thing – and this is where HR can help. HR can provide guidance to teach employees what is right and wrong. When told the right thing to do, most people will do it.”
Plan of action
Although HR may work tirelessly to prevent information theft, chances are that it will still happen. “Companies are now more often than not exploring cloud computing or remote storage solutions, but they may not have considered the risks of leakage that these may pose,” Lam says.
If and when data security is breached, there are several things HR can include in its standard operating procedure in order to minimise damage.
According to Neptali B Salvanera, Partner – Labour and Employment, Angara Abello Concepcion Regala & Cruz Law Offices (ACCRALAW), HR should first identify who is responsible for the theft and subject that person to the disciplinary process established by the employer. This may include preventive suspension if it is in accordance with the law.
“During preventive suspension, the employer may prevent the employee from gaining access to his computer, files and other company issued property,” says Salvanera. “The employee may even be excluded from local network access. The employer may prevent the employee from gaining access to the company premises in general.”
HR should also immediately attempt to remediate the theft to protect the company against the loss of the information.
“The legal department may be involved if the information is critical and the company needs to take legal action to prevent it from being used or disclosed,” Pesik says. “Another department that is critical for identifying and tracing the source of information theft is the IT department.”
The easiest ways to steal information are by email, instant message, or simply copying it to an external hard drive or other storage device. IT forensics teams can establish what confidential information was copied or sent out through each of these channels, provided the relevant logs and systems are preserved.
HR should also contain further leakage of information, while taking care not to tamper with any evidence of the theft, and secure backup copies of email and other external communications relating to the affected individuals.
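The two points above, that forensics can show what was copied to removable media and that the evidence must be preserved intact, can be illustrated with a small triage script. The following is an added example, not code from the article or from any of the firms quoted: it parses a constructed Linux syslog extract for USB mass-storage attach and detach events (the message formats follow the Linux kernel's usb and usb-storage drivers, but the hostname, user, device name, serial number and timestamps are all made up), and writes a SHA-256 manifest of the preserved artifacts so a later copy can be shown to be unaltered. It proves only that a removable disk was attached and for how long; which files were copied needs file-system and application evidence that this log alone does not carry.

```python
"""Triage a constructed syslog extract for removable-storage use and hash the evidence.

Added example. The sample log below is constructed; hostnames, user, device names
and serial number are fictitious. Message formats mirror Linux usb/usb-storage output.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, not from any real incident.
SAMPLE_SYSLOG = """\
Jun 14 09:02:11 ws-finance-07 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Jun 14 09:02:11 ws-finance-07 kernel: usb 1-1: Product: DataTraveler 3.0
Jun 14 09:02:11 ws-finance-07 kernel: usb 1-1: Manufacturer: Kingston
Jun 14 09:02:11 ws-finance-07 kernel: usb 1-1: SerialNumber: 0019E06B0A1CBE7104D2
Jun 14 09:02:12 ws-finance-07 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Jun 14 09:02:13 ws-finance-07 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Jun 14 09:02:20 ws-finance-07 systemd[1]: Started session-21.scope - Session 21 of user jdoe.
Jun 14 09:15:44 ws-finance-07 kernel: usb 1-1: USB disconnect, device number 4
Jun 14 10:30:02 ws-finance-07 kernel: usb 1-2: new full-speed USB device number 5 using xhci_hcd
Jun 14 10:30:02 ws-finance-07 kernel: usb 1-2: Product: USB Optical Mouse
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<msg>.*)$")
NEW_DEV_RE = re.compile(r"^usb (?P<port>[\d.-]+): new .* device number (?P<num>\d+)")
ATTR_RE = re.compile(r"^usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.+)$")
STORAGE_RE = re.compile(r"^usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected")
DISC_RE = re.compile(r"^usb (?P<port>[\d.-]+): USB disconnect, device number (?P<num>\d+)")
ATTR_FIELDS = {"Product": "product", "Manufacturer": "manufacturer", "SerialNumber": "serial"}


@dataclass
class UsbDevice:
    host: str
    port: str            # bus-port path such as "1-1"; the key the kernel reuses per event
    device_number: int
    attached_at: str
    product: str = ""
    manufacturer: str = ""
    serial: str = ""
    mass_storage: bool = False
    detached_at: Optional[str] = None


def parse_usb_events(syslog_text: str) -> List[UsbDevice]:
    """Correlate kernel USB messages by port into one record per attached device."""
    devices: List[UsbDevice] = []
    open_by_port: Dict[str, UsbDevice] = {}
    for line in syslog_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # systemd, sshd etc. are not kernel lines; ignored here
        ts, host, msg = m.group("ts", "host", "msg")
        if (n := NEW_DEV_RE.match(msg)):
            dev = UsbDevice(host=host, port=n["port"], device_number=int(n["num"]), attached_at=ts)
            devices.append(dev)
            open_by_port[n["port"]] = dev
        elif (a := ATTR_RE.match(msg)) and a["port"] in open_by_port:
            setattr(open_by_port[a["port"]], ATTR_FIELDS[a["key"]], a["val"].strip())
        elif (s := STORAGE_RE.match(msg)) and s["port"] in open_by_port:
            open_by_port[s["port"]].mass_storage = True
        elif (d := DISC_RE.match(msg)) and d["port"] in open_by_port:
            dev = open_by_port.pop(d["port"])
            if dev.device_number == int(d["num"]):  # guard against stale port reuse
                dev.detached_at = ts
    return devices


def removable_storage_sessions(syslog_text: str) -> List[UsbDevice]:
    """Only devices the usb-storage driver claimed; a mouse or keyboard is not of interest."""
    return [d for d in parse_usb_events(syslog_text) if d.mass_storage]


def evidence_manifest(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """SHA-256 each preserved artifact, plus a hash over the manifest itself for logging."""
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in sorted(artifacts.items())}
    listing = "\n".join(f"{h}  {name}" for name, h in manifest.items()).encode()
    manifest["__manifest_sha256__"] = hashlib.sha256(listing).hexdigest()
    return manifest


def verify_artifact(manifest: Dict[str, str], name: str, data: bytes) -> bool:
    """True if a later copy of the artifact still matches the recorded hash."""
    return manifest.get(name) == hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    for dev in removable_storage_sessions(SAMPLE_SYSLOG):
        print(f"{dev.host}: {dev.manufacturer} {dev.product} (S/N {dev.serial}) "
              f"attached {dev.attached_at}, removed {dev.detached_at or 'still attached'}")
    manifest = evidence_manifest({"syslog.txt": SAMPLE_SYSLOG.encode()})
    print("manifest:", manifest)
```

Run it on a real extract by reading `/var/log/syslog` (or `journalctl -k -o short`) into `SAMPLE_SYSLOG`'s place; the manifest should be computed on the extract at the moment it is preserved and stored separately from the evidence, which is what later lets the organisation particularise what was taken without the integrity of the logs being questioned.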
“Seek legal advice as quickly as possible to see if any steps can be taken to secure injunctions or other court orders against the further dissemination or use of the information,” Lam advises.
Lam also encourages consideration of whether there are notification obligations to regulators (for instance, the Monetary Authority of Singapore which requires prompt disclosure of such incidents by financial institutions). Law enforcement agencies should also be notified if there is an offence disclosed.
“Consider also informing recipients of the information that the information they have received is confidential,” Lam adds.
In most cases of data security breach, an employee’s computer becomes the epicentre of investigation procedures. “Employers have the right to sweep an employee’s computer if necessary,” says Cerasi.
While this is a privacy issue, Cerasi says privacy laws in most of Asia are rare. “Only Japan and Hong Kong as far as I am aware have such legislation; I am told that Singapore is enacting a privacy act in 2012 so we’ll see what happens,” he says. “As there is no law against it, most companies just grab the computers and scan them. Most staff are told that their computers are for business purposes only and that they reserve the right to monitor them.”
In the Philippines, although there are laws protecting the privacy of persons, there are no specific privacy laws which govern the use of computers in the workplace. “We are of the opinion that the employer shall have such right to search the computer of the employee when it owns the computer assigned to the employee for official use,” says Salvanera. “Nevertheless, since Philippine laws inherently lean in favour of labour, it is important that rules and regulations pertaining to the monitoring and searching of computers and other devices, even if they are company property, should be clearly communicated by the employer to the employee.”
In Vietnam, on the other hand, while the labour laws do not have specific provisions regarding employees’ privacy and employers’ monitoring rights, ownership of all computer software and data collections developed or made by an employee during his or her course of employment is retained by the employer. Such computer software and data collections are the sole property of the employer, while the employee is generally obliged to keep the findings confidential.
According to the general principle for data protection stated under the Civil Code, technically the employer may monitor communications if they relate to the employer’s business and the collective labour agreement or the internal labour regulations so provide.
“To improve the enforceability, the labour contracts, collective labour agreements or the internal labour regulations should specify the confidentiality of the information and the intellectual property of the employer,” says Dang The Duc, Managing Partner, Indochine Counsel.
In February this year, the US Securities and Exchange Commission brought charges against several hedge funds and individual managers and analysts who used confidential information in a $30m insider-trading scheme. The information allegedly came from several companies in the high-tech industry, including Seagate, its competitors and its customers. The information was used to buy and sell stock in the relevant companies, and included confidential sales forecasts, earnings numbers, performance data, revenues, and other non-public information.
“This is an interesting case, because it involves so-called ‘expert networks’ – people working within the high-tech industry who learn confidential information about other companies as part of their jobs,” says Pesik. “In this case, they did not reveal their own company’s confidential information, but revealed what they learned about other companies.”
For example, when Seagate needs to disclose its product roadmap to a key customer so that the customer will understand what products will be available to them in the next fiscal year, the information is disclosed when protected by a nondisclosure agreement. The problem occurs if one of the customer’s employees works as a consultant or expert for a hedge fund. “The fund may pay the employee to disclose our confidential information. The hedge fund might not trade the customer’s stock, but instead trades our stock, illegally using our confidential information to gain an unfair advantage,” says Pesik.
Seagate has since developed specific training for employees whose jobs involve discussing the organisation’s information with other companies – particularly sales staff. “We want our employees to be advocates for protecting our confidential information along with that of other companies,” Pesik explains.
Protecting trade secrets
According to the Society for Human Resource Management, most businesses engage in the following to protect their data:
Source: Society for Human Resource Management
Lam Chung Nian, Partner, WongPartnership LLP says there is no specific legal definition of ‘information theft’ in Singapore. “However, broadly speaking, the law provides remedies where there has been the unauthorised access, use, disclosure or removal of business or proprietary information of an employer, and this can extend to subject matter such as trade secrets, confidential information, customer databases and so forth.”
Most commonly, contractual undertakings in an employment agreement or a specific confidentiality undertaking typically define an employee’s obligations in relation to employer information.
Employees are expected to maintain the confidentiality of trade secrets. The law also imposes a duty of confidentiality which prohibits the disclosure of confidential information to third parties.
Under the Computer Misuse Act, it is an offence to gain unauthorised access to computer systems and data. “Government sector employees should also bear in mind statutes such as the Official Secrets Act and the Statutory Bodies and Government Companies (Protection of Secrecy) Act,” says Lam. “Certain sectors also have special rules relating to preserving the confidentiality of customer information (e.g. banks, telecommunications companies, etc…), which can expose the organisation to prosecution if there should be a breach of these requirements.”