In an uncertain and stressful environment, employees are more likely to engage in nefarious and risky behaviours. Here’s how you can safeguard your organisation against the legal risks of remote access.
The global shift in flexible work has been a great step towards building healthy, inclusive workplaces, and ensuring business continuity and employment during the COVID-19 pandemic.
However, it also means many organisations need to quickly and effectively bolster their protection of confidential information.
Having employees and contractors working remotely can present a risk that confidential information could be accessed, read or overheard by people living with them or sitting near them in public places, such as cafes.
Consideration also needs to be given to deliberate misuse, theft and disclosure of confidential information. But how do you determine that? Prior to the pandemic, an employee sending a document to a personal email constituted a smoking gun. Now it’s not so cut and dried.
Who hasn’t forwarded documents to their personal email to print from a home office printer before? Or perhaps you’ve saved things to a separate location to access when the system is down, or uploaded documents to a Google drive for group editing.
It’s much harder to identify information leak risks in your organisation in a remote environment and the uncertainty of the pandemic – and the workplace actions taken as a result of that – is only making it harder.
Disgruntled thieves
In a climate of pay cuts, stand downs, long periods of stress and uncertainty about future employment, we have seen a rise in aggrieved employees engaging in theft of confidential organisational information on their way out of the business.
Why is this the case? An article by the Australian Institute of Criminology describes two themes common in instances of employee theft, including:
- Perceptions of unfairness; and
- Perceptions of ownership over work where “employees, especially those in large organisations, may presume personal ownership or entitlement by virtue of occupation (of a position or space) or through regular use/access. The resource becomes ‘my office,’ ‘my computer,’ and ‘my budget.’ This, in turn, seems to provide moral justification for taking the resource for personal use,” according to the article.
A 2012 study by the Carnegie Mellon University’s Software Engineering Institute analysed hundreds of malicious insider activity cases in the US, including theft of intellectual property for business advantage (i.e. stealing information to take to a new job).
The study found many cases were precipitated by a particular event or opportunity, and motivated by a sense of entitlement and ownership of the stolen information.
“The entitled independent tends to believe that he or she owns the IP,” the study outlines. “This sense of ownership increases with the amount of time and effort the individual spends developing the IP. The insider usually has authorized access to the entire product suite or information. An event or condition in the workplace usually creates dissatisfaction on the part of the individual and increases his or her desire to leave and take information prior to departure.”
So what should you do?
Every organisation faces some level of risk. Even those that go to great lengths to appear fair may appear unfair in the eye of a disgruntled employee.
(Read HRM’s guide on how to manage disgruntled employees).
Organisations need to have clear contractual provisions to protect confidential information and intellectual property. They also need policies and procedures around the use, storage and monitoring of information used by employees and contractors. These policies and their rationale must be clearly communicated to employees, and compliance must be actively promulgated at all times.
What the research, and our experience, also tells us is that leaders need to invest time and energy into remaining connected with their employees – even if the employment comes to an end. Employees need to be treated with dignity and caution on the way out to ensure the protection of information.
It’s also critical to monitor employee activity when working remotely and to provide appropriate notice of termination to employees, as per your state’s legislation.
Beyond that, if difficult conversations are to take place with employees, such as notice of their termination, it’s important to put the wheels in motion to first protect company information and monitor activity before that conversation takes place.
Employers have legal remedies to seek an injunction preventing misuse of information and to recover damages if they have already been suffered, but these remedies often come at a significant cost to the business.
Understanding the ‘why’ of human behaviour and taking proactive steps to manage people risks will allow prudent employers to act before the horse has bolted.
Want to get better at having difficult conversations at work? AHRI’s short course on will equip you with the necessary skills.
Fay Calderone is a partner and Veronica Lee is a lawyer at Hall & Wilcox.
This article originally appeared in the March 2021 edition of HRM magazine.