The devil is in the fine print
Monday, February 4, 2019
Print is all about dissemination of information. From Gutenberg to where we are now, printers have always handled sensitive information.
But now, with the development of the web, tiny data storage devices and mobile communications, a leaked market-sensitive annual report and staff data can be on the other side of the planet, put up for sale or abused in milliseconds.
As would be expected, the law is prescriptive in the matter of protecting sensitive information, even if it is perpetually playing catch-up. The Data Protection Act 2018, together with the EU’s General Data Protection Regulation (GDPR), controls how the personal information of staff, customers or other individuals is used by organisations, businesses or government.
But when it comes to business information, Philippa Dempster, a commercial and disputes partner at Freeths, says that there are four circumstances in which the disclosure of information gives rise to an obligation of confidence. She outlines them as: an obligation implied from information given in confidence; an obligation of ‘trust and confidence’ that follows from the relationship between the parties involved (employer/employee relationships are a classic example); a contractual obligation such as a non-disclosure agreement or a contract; or specific knowledge that a job is confidential, say the printing of a confidential report.
The best way of ensuring that confidential information is recognised and treated as such is by contract. Here, Dempster explains that “employers should put confidentiality clauses into employment contracts and make employees aware of the extent of the duty of confidentiality owed under that clause.”
And this is echoed by John Warchus, a partner in the Corporate and Commercial group of Moore Blatch. He says that “staff need to be aware that even in the absence of an express confidentiality term, there may be an implied obligation that sensitive business information is to be kept confidential by a recipient.”
Allied to this is physical security – a point made by Jo Haigh, Chartered MCIPD, BPIF HR Adviser (North East): “Data security is a large area – physical storage of electronic and hard copy data is essential, and we would most certainly recommend restricting access to electronic data and having adequate online protection.” But to this she also suggests having policies that clearly instruct those handling data how to protect it... “and the consequences of failing to do so”.
It’s interesting to note that while employees have an implied duty of confidentiality, there is very limited general protection for confidential information on a wider, business-to-business, level. It’s for this reason that Dempster says businesses “should also use non-disclosure agreements: a contract whereby the parties agree not to disclose anything covered by the agreement such as confidential information or trade secrets”.
To this Warchus recommends printers add terms that cover “not just the employer’s confidential information but also that of any clients.” He often tells organisations to have staff manuals with rules and procedures aimed at protecting confidentiality in a useful context. He says, though, that “in addition to legal protection, employers should also offer practical training... the introduction of the new GDPR rules has seen a lot of training and discussion generally in relation to the area of privacy and security of personal data”.
Two scenarios to look out for
Internal risk is high, and most will have heard stories about disgruntled employees and budding entrepreneurs abusing company systems. Regarding the former, Dempster suggests firms should deploy robust systems that can detect details being copied or removed; ensure employees rotate or take holidays (as most wrongdoing is found when employees are away); educate employees against breaching confidences through training while educating them to spot and report suspicious behaviour – all while taking tough action to deter others.
Consider the supermarket giant, Morrisons. In a milestone case heard in the Court of Appeal late in 2018, the court upheld the judgement that the business was vicariously liable for a data breach caused by an employee, despite the fact that the disgruntled employee decided to deliberately cause business harm by posting customers’ details on the web.
The judge found that Morrisons could not reasonably have done any more to prevent the employee in question from posting the customer data. Yet Morrisons was still held liable for the data breach, leaving it to satisfy the claims made against it by customers because of that breach. “It is now well established,” says Warchus, “that ‘loss’ does not need to be financial and so individuals can, as in the Morrisons case, claim for distress and inconvenience.”
Looking at the other scenario, the budding entrepreneur, Dempster’s advice is to put in place enforceable restrictions such as confidentiality obligations and non-compete and non-solicitation of business clauses in their employment contracts; place a few little ‘bombs’ – the personal email or home address of a director, for example – in the customer database, which may warn of theft of data; remind staff when they leave that they have post-termination restrictions and a duty of confidentiality; and, again, take a hard line with anyone who goes rogue to deter others.
And to make the point, Dempster explains that “every few weeks we take a call from a business asking for help because a director has run off with their customer database and is now setting up in competition and attempting to divert business away.” She outlines a study conducted by the Ponemon Institute in the US that found that 59% of employees who either quit or are asked to leave take confidential or sensitive business information upon their departure. In another survey of more than 1,000 UK employees, this time from Cisco, 61% of respondents thought their company had a security policy and 48% claimed they were not concerned about it as it didn’t affect them. Alarmingly 39% said they thought it was their employer’s responsibility to protect data and not theirs.
But let’s not forget the fact that employees are human and do make errors. As Haigh explains, “careless employees can leave client or supplier data hanging around or just simply email the wrong person sensitive data.”
Warchus agrees, and cites data published by the Information Commissioner’s Office (ICO): “The most common example of a security breach is sending emails to the wrong recipient and also letters to out of date addresses. It is also the case that many instances of ‘hacking’ are not the result of sophisticated attacks but caused by low-level carelessness such as sharing passwords with several people and/or failing to implement a secure password or failure to renew it regularly.”
The solution here is clear – education combined with the encryption of sensitive information before it’s emailed and, as Dempster emphasises, “while providing adequate training and support to staff and implementing appropriate systems and security throughout the workplace, employers must also use contracts to ensure that employees do not divulge confidential information.”
And Haigh takes a similar line. She says “company policies, privacy notices and training on data protection are absolutely key. There is the obvious risk of an accidental data breach if employees are not informed about data protection and security that needs to surround their communications.” She adds that this not only can cause friction between the handler and the data subjects, but it can cause damage to the reputation and name of the company who has failed to protect it.
In concert with training and policies, Naomi Greenwood, an employment partner at Moore Blatch, says that employment contracts should also expressly state “serious breaches of confidentiality may well constitute gross misconduct entitling the employer to summarily dismiss the employee.” Practically speaking, she reckons that organisations should always try to ensure that sensitive and/or confidential information “is only disclosed to those employees who really do need to have access to it in order to carry out the organisation’s functions. The more people having access to sensitive information, the greater the risk that security will be breached.”
One idea, espoused by Warchus, is that organisations could “consider hiring ethical hackers who, as well as testing IT system security, can also pay unannounced visits to business premises to check/assess all areas of security.”
So, who is liable?
It’s helpful to know that case law has shown that an original leaker will always be responsible. But as Dempster explains, “more often than not the business will be too, even if the leak was a one-off event and it would have been difficult to protect against it.”
Aside from the claims, Warchus reminds us that if there is a breach of the rules governing personal data, a printer could also be subject to regulatory investigation and fines by the ICO, in theory up to a maximum of €20m or 4% of its annual global turnover. On top of this is the potential action taken by individuals whose data has been leaked.
“In the Morrisons case,” says Dempster, “it was not fined for the breach because its systems were good. Nonetheless, Morrisons, (as well as the employee) was held responsible to those whose data had been leaked. The company was responsible through the principle of vicarious liability.”
As a reminder, this, according to Acas, the government’s arbitration service, means that in the workplace an employer can be held liable for blunders committed by employees “in the course of their employment”. In other words, even though the employee acted maliciously and without the company’s instructions, Morrisons was ultimately responsible for ensuring the safety and security of employee data, and the employee’s actions did not absolve the employer of that responsibility.
The courts, says Warchus, have stressed that an individual’s motive is not relevant as to whether or not an employer will be vicariously liable.
Here Haigh notes that preventative measures taken by an employer would be scrutinised to assess whether they could reasonably have been expected to do any more. And Warchus believes that those organisations who take no active steps to educate staff or have no proper procedures in place, will find “regulatory fines higher than in a situation where an employer has done all that it reasonably could in the circumstances.”
Remember, the ICO didn’t prosecute Morrisons and the judges suggested that the solution for employers is to insure against such catastrophes and against losses caused by employees.
But employees should also be on notice that they too can become personally responsible. The ICO’s prosecution of a former Nationwide Accident Repair Services (NARS) employee, Mustafa Kasim, under the Computer Misuse Act has demonstrated this. Kasim was charged with securing unauthorised access to personal data held by NARS through the use of fellow employees’ login details. As in this case, when an employee acts in a malicious manner by using someone else’s login details so as to make a gain from the company’s private information, they will be held responsible ahead of the employer.
A breach has occurred
But how should firms react if a breach has taken place? Dempster’s advice is to “secure the breach first and undertake any remedial action to prevent further breaches of that personal data.” She adds that the company should then consider whether any notification needs to be made to the ICO within 72 hours, or to the individual data subjects; that depends upon the seriousness of the leak and the risk. Police intervention through the ICO may be required too. Part of the process, reckons Haigh, is an “investigation which needs to examine the custody chain of data to identify where the breach happened – was it a human error or a procedural oversight?”
There’s also the matter of discipline, says Haigh: “Depending on actions of individuals and whether laws have been broken – disciplinary action should be taken promptly and in line with company policy.”
In this situation Greenwood says employers need to carefully collate the relevant facts that would indicate that a breach has taken place. She says they may well be able to carry out part of the investigation by monitoring emails sent and received by an employee – “there will be no legal issue in relation to checking employees’ emails where the employer has clearly set out in its internal manuals that it reserves the right to do so.” Next would come a fair and transparent investigation, with the employee having the right to know the main allegations made and the right to give their side of events, accompanied by a colleague or trade union representative.
She adds: “It may be sensible – even necessary – to ask an employee to stay away from work whilst an investigation is underway, particularly if there is a real danger of collusion between various employees. Failure to follow a proper procedure may leave the employer vulnerable to an unfair dismissal claim.”
An employer’s response clearly needs to be proportionate to any wrongful behaviour that has taken place. Here Greenwood advises that for very minor, technical breaches of security procedures, it may be sufficient for a formal warning to be given, “whereas in the case of deliberate serious breaches, the employee may well have committed a material breach of their employment contract which would entitle the employer to dismiss that employee without any further warnings.”
Criminal sanctions are potentially available under data protection legislation where there has been a serious security breach and, for example, where sensitive information is being used either to blackmail someone or being used for personal financial gain, such as insider dealing. If there is reasonable suspicion of such activity, the police should be consulted.
Dempster says firms can further use the law to limit the risk of damage following a breach. Where it’s suspected that an employee wants to use confidential information to set up a business in competition, the options include a Search Order, which allows a search of the individual’s premises (business or home) and the seizure of any relevant evidence.
But as Dempster describes, “due to their draconian nature, a Search Order can be difficult to obtain from the court so it is important to have a well-prepared case”. Alternatively, a Delivery Up Order forces the opponent to immediately give back all stolen information (hard copy or electronic); disobeying such an Order may lead to contempt of court, which can mean a fine or jail. A third option is a Freezing Order, used where there is a risk of the individual dissipating their assets in the face of a legal claim: here assets are frozen to help recover any damages awarded by a court. “In our experience,” says Dempster, “such action really does focus the mind of the recipient and often a deal can be done quickly thereafter.”
Financially speaking, Warchus says that employers can, “in the event of a breach… and misconduct which causes loss to the employer, follow a straightforward contractual claim for damages.” He suggests that employers may also have a claim for negligence.
However, in practice, it is relatively rare for employers to actually insist upon this – “partly because it may be seen as being vindictive in some way and because in practical terms, if the employer has suffered serious financial loss, it is often the case that the employee will simply not have sufficient resources to meet the damages in any event.”
The risk of an employee breaching confidentiality is very real and ever present, as the recent cases have shown. Print firms need, precisely because they handle sensitive information from clients and also hold data on staff (and others), to be very careful in how they approach the subject. It cannot be swept under the carpet.
The protective process should clearly involve the carrot and stick approach with education preferred over disciplinary and police involvement.
But no matter the driver, commercial survival depends on getting the process right. Once a printer is known to have a leak, its days could be numbered.