One in four employees have intentionally leaked confidential business information to people outside their organisation.
In a survey of 2,000 UK workers, data privacy and risk management company Egress Software Technologies suggested that those who leak data are more likely to share information with competitors, or new or former employers. This included bank details and confidential customer information.
Half of all survey respondents said they had deleted, or would delete, emails from their sent folder if they had sent information somewhere they shouldn’t.
“As with many organisational behaviours, HR has a role to play in ensuring the workplace culture is aware of issues around data. One thing HR could do to minimise the malicious leaking of information is ensure concerns are both raised and dealt with in a fair way that does not compromise the overall employee experience,” said David D’Souza, the CIPD’s head of London.
There will always be a minority of people who are opportunistic, so there should be a shared responsibility between HR and IT on how to deal with such incidents, depending on their severity. Steps that can be taken to minimise the risk could be as simple as reminding people at the point they resign about rules on data protection around other organisations and information.
If an employee is still employed within their organisation, even if nothing is written in a contract of employment, they are under a legal obligation to not disclose confidential information. Prevention is often better than cure, so employers should be conscious of data protection clauses in their employment contracts, and be aware of the risks former employees could pose.
Once someone has left, if there is no clause in the contract, only your trade secrets will be protected. Well-drafted contracts are vital, because they protect employers once a contract has ended, and draw an employee’s attention to their obligations.
Even without malicious data leaks, the research suggests organisations are being put at risk by slapdash email behaviours, with more than a third (37 per cent) of respondents reporting that they do not always check emails before sending them. The biggest human factor in sending emails by mistake was ‘rushing’ (68 per cent), with almost one in 10 (nine per cent) employees admitting to accidentally sending sensitive attachments such as bank details or customer information.
High-pressure workplace cultures don’t help. Employees send emails without thinking, or when they are too tired to concentrate properly. Almost half (46 per cent) of UK workers said they had received a panicked email ‘recall’ request during their careers, and 35 per cent admitted to sending a ‘fat fingered’ email themselves. Almost half of accidental emails were reported to contain an insult about the recipient, rude jokes or swearing.
While offending an accidental recipient may cause red faces, leaking confidential information can amount to a data breach. As we move towards the General Data Protection Regulation, it has never been more important to reduce the risk of a breach occurring.
Under the General Data Protection Regulation, due to come into force in May 2018, organisations will need to disclose data breaches to the appropriate authorities within 72 hours. If the breach poses a high degree of risk to the rights of the individuals concerned, the business will need to inform the people affected as well.