Problems with Cybersecurity
Most companies that handle personal information are required to maintain security safeguards that protect the security, confidentiality, and integrity of that information. When the pandemic prompted a massive shift to working from home, many companies did not have in place the technological infrastructure to allow most of their staff to work remotely. Therefore, many employees began using personal devices that did not have robust security safeguards. Other companies attempted to keep work-related information confined to the company’s cybersecurity infrastructure by requiring employees to use personal devices to remotely access office computers. However, this access may have posed its own problems, such as being hard to work with and slowing down employee productivity. As a result, employees may have taken shortcuts to complete their work, including transferring company data onto personal devices.
Employees accessing confidential or sensitive information on their personal devices creates several issues:
- Personal computers are not controlled by the company and may lack appropriate cybersecurity safeguards.
- The company may be restricted from accessing company information held in personal email accounts (or on other third-party platforms such as Dropbox) because the third parties hosting the accounts may only allow access to the account owner (i.e. the employee).
- Employees may not be cognizant of the fact that certain actions (such as opening a file) could create a local copy of company data on their personal devices.
- Employees might not securely erase company information from personal devices.
State Laws and Cybersecurity
Many state laws now require companies to protect customer information using reasonable security. For example, New York passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). The act amended sections 899-AA and 899-BB of the New York General Business Law by expanding the range of information that is subject to New York’s data breach notification law (including biometric information, usernames and email addresses) and by adding the requirement that all businesses “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information.” The act also updated the notification procedure that companies must follow in the event that certain personal information about New York state residents is compromised. Under the act, failing to take steps to safeguard against the transfer of company data to personal devices may constitute a failure to implement and maintain reasonable safeguards.
In other instances, such a transfer might constitute a data breach. For example, New York defines a “breach of the security system” as “unauthorized access to or acquisition of . . . computerized data that compromises the security, confidentiality, or integrity of private information maintained by a business.” When an employee resigns, the employee no longer has authorization to access the company's information; nevertheless, the employee may still have possession of it. Since the individual is no longer employed, their access to company information may constitute an unauthorized access.
A “Major Security Breach”
In one such situation, a former employee of the Federal Deposit Insurance Corp. (FDIC) left the agency with data connected to over 44,000 FDIC customers stored on a personal storage device. While the FDIC acknowledged that the employee acted “inadvertently and without malicious intent,” it reported the incident to Congress as constituting a “major security breach.” The bright side (if there is one) is that the breach had little impact beyond reputational damage: when the breach was discovered three days later, the former employee returned the storage device and signed an affidavit stating that the data had not been used. See: https://federalnewsnetwork.com/wp-content/uploads/2016/04/04-08-16-CLS-to-Gruenberg-FDIC-re-Security-Incident.pdf
However, the above is closer to a best-case scenario. If an employee was dismissed, resigned after a disagreement with the company, or is amoral or experiencing financial hardship, the employee may attempt to use the company’s information for their own benefit. In API Americas Inc. v. Miller, an employee who regularly worked from home sent several emails detailing the company’s business information from his business account to his personal account. The employee abruptly left the company to work for a direct competitor and subsequently used the emailed information to win over the company’s biggest client.
Tips for Safeguarding Your Data
Companies seeking to protect themselves from such events can take steps to safeguard against the misuse of their data, such as:
- Implementing technical configurations that prevent employees from transferring company data while connected to the company’s network;
- Implementing data leak monitoring software;
- Providing employees with return to office procedures that detail how employees should delete company information from their personal devices, and having employees certify that they are following the procedure and are aware of the repercussions (both internal and external) if they fail to do so; and/or
- Providing employees with work laptops that have safeguards installed that match those of the company’s cybersecurity infrastructure.
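As an added illustration of the second tip (data leak monitoring), not part of the original article, the script below flags the pattern from API Americas v. Miller: a corporate mailbox repeatedly sending attachments to a personal webmail account. The corporate domain, the personal-domain list and the log lines are all constructed assumptions; a real deployment would read these from the mail gateway’s logs.

```python
"""Minimal data-leak monitor: flag outbound mail from the corporate domain
to personal webmail accounts carrying attachments (hypothetical example)."""
import re
from collections import defaultdict

# Assumed values (not from the article): the company's own domain and the
# consumer webmail domains treated as "personal accounts".
CORP_DOMAIN = "example-corp.test"
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com"}

# Constructed sample gateway log: timestamp, sender, recipient, attachment count.
SAMPLE_LOG = """\
2024-03-04T09:12:00Z jmiller@example-corp.test alice@example-corp.test 0
2024-03-04T18:40:11Z jmiller@example-corp.test jmiller.home@gmail.com 3
2024-03-04T18:41:50Z jmiller@example-corp.test jmiller.home@gmail.com 2
2024-03-05T08:05:02Z jmiller@example-corp.test client@bigclient.test 1
2024-03-05T21:03:30Z jmiller@example-corp.test jmiller.home@gmail.com 4
2024-03-05T10:00:00Z bob@example-corp.test bob.personal@outlook.com 0
"""

LINE_RE = re.compile(r"^(\S+) (\S+)@(\S+) (\S+)@(\S+) (\d+)$")

def parse(log):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, suser, sdom, ruser, rdom, n = m.groups()
        events.append({"ts": ts, "sender": f"{suser}@{sdom}", "sdom": sdom.lower(),
                       "recipient": f"{ruser}@{rdom}", "rdom": rdom.lower(),
                       "attachments": int(n)})
    return events

def is_personal_exfil(ev):
    """True for corporate -> personal-webmail mail that carries attachments."""
    return (ev["sdom"] == CORP_DOMAIN and ev["rdom"] in PERSONAL_DOMAINS
            and ev["attachments"] > 0)

def find_exfil(log, threshold=2):
    """Return {sender: {"messages": n, "attachments": m}} for senders whose
    attachment-bearing mail to personal accounts reached `threshold` messages."""
    counts = defaultdict(lambda: {"messages": 0, "attachments": 0})
    for ev in parse(log):
        if is_personal_exfil(ev):
            counts[ev["sender"]]["messages"] += 1
            counts[ev["sender"]]["attachments"] += ev["attachments"]
    return {s: c for s, c in counts.items() if c["messages"] >= threshold}
```

The threshold keeps one-off personal mail from generating alerts while still surfacing the repeated transfers that preceded the departure in the Miller case; bob’s attachment-free message is ignored by design.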