This article was originally published in the Union Leader and can be found here.
NH Legal Perspective: Insider Threats – The Risk You May Never See Coming
By: Brian Bouchard
November 16, 2019
Let’s say you own a company. As the company owner, think of the troves of confidential information that you and the company have. Nearly every company is a repository of confidential, private information. Every employer has (or should have, by law) years of employee records with dates of birth, social security numbers, banking information, and often medical information. Some employers are medical providers, who have specific obligations to safeguard patient medical records—say hello to HIPAA. Still other companies have trade secrets, which are valuable, in large part, because of their secretive nature. If everyone knew the recipe of Coke, the Coca-Cola Company probably wouldn’t be purchasing Super Bowl ads each year.
Now think about who has access to all this information. Your employees do. Employees pose one of the most significant data security threats to companies today. In 2019, the Verizon Insider Threat Report found that 57% of all data breaches came from inside a company and from employees. Some of these breaches occur by accident while others are malicious, involving the deliberate siphoning of secret, valuable information from an organization. The Verizon Report additionally found that “financial gain” was the primary motivation behind these insider threats.
More recently, the Office of Civil Rights (OCR) published a cybersecurity newsletter warning of the dangers posed by insider threats in the medical field where employees had exposed confidential medical information for financial gain or as retribution.
Managing insider threat risk is critical for any employer. This article provides insight on steps employers should consider for beginning to manage that risk.
Identify data
To protect data from insider threats, employers first need to understand what sensitive information they have and who has access to it. Do they have medical information? Trade secrets? Personally identifiable information? Where is the information stored? Who has access to the information? Why do those particular employees have access? Employers should carefully evaluate whether individual employees need access to sensitive information in order to perform their jobs.
Restrict access
Restricting access to sensitive information is another vital step. Not all employees need access to all information. There is little reason, for example, for non-HR employees to have access to the personally identifiable information of other employees, just as there is little reason for HR employees to have access to company trade secrets (depending on the trade secret, of course). Employers should also monitor what information is given to independent contractors and consultants, who, by their very work, are external to the company and may not have strong allegiances to the company.
Limiting access to information can be accomplished in many ways, including locked cabinets for physical files, password protection, network access controls, and limits on mobile device use. Any employer concerned about limiting electronic access to files and information should consult with a security professional in the information technology field.
Enhance vigilance
Employers would be well served to increase their vigilance over employee activity, particularly when very sensitive or valuable information is involved. Such steps may include periodically auditing log-ins, access reports, and file transfers. Software is also available to provide full visibility into user activity and to provide alerts about unauthorized USB use, impermissible access, file downloads, and the printing of sensitive documents.
Extra care should be taken for disgruntled employees or employees soon to be involuntarily separated. Even allowing an employee to work a two-week notice period prior to resigning carries risk, as it invites opportunity for the employee to misappropriate information.
Develop and enforce policies
Companies should develop and enforce policies concerning the appropriate use of electronic devices and data systems; mobile devices; email, internet, and computer monitoring; and background checks. Employees need to understand, preferably in writing, that they have no expectation of privacy concerning company emails, devices, and systems and that any such information belongs to the employer. Before monitoring employee activity, employers should ensure compliance with local, state, and federal privacy laws.
Develop and enforce agreements
Protecting against insider threats will also include a symphony of employment agreements, including nondisclosure agreements, noncompetition agreements, and non-solicitation agreements. These agreements are intended to protect the company’s information and to hedge against the unauthorized use of that information. Employees must understand that the company’s know-how, client lists, data, and confidential information are off-limits outside of the company.
While these agreements are important, they are not failsafe. Regulation in this area, particularly in New England, is trending towards the restricted enforceability of non-competes. Many states have enacted laws that favor individual interests over the business interests of protecting client bases and goodwill. A robust employment agreement may nevertheless act as a deterrent against insider data breaches.
Have a plan
Finally, companies should develop a response plan for insider threats. An ideal response plan will neutralize the insider threat and contain any fallout from the data breach.
Your response team should involve company officers, human resources, legal counsel, compliance partners (especially for HIPAA and GDPR), insurance, and technical personnel or consultants. Many cyber security insurance policies provide coverage for insider threat breaches, but not all policies are created equal. Employers should carefully examine their policy and have it reviewed by an insurance professional.
Also, it’s important to note that some industries, such as the medical industry, require companies to perform a risk assessment for potential data breaches, document the results, and address vulnerabilities. Companies in those industries should work with legal counsel and compliance consultants to determine what may be required.
Employees are both an asset and a risk. Every company must carefully guard against insider threats as it only takes one disgruntled employee to create a data breach crisis or to undo a trade secret. To protect against insider threats, employers should consult with security professionals and legal counsel about the risks posed by insider threats, how best to prevent them, and what to do when an insider threat becomes more than just a threat.