This article was written by Sophie Vanhegan, employment solicitor at GQ Employment Law LLP.
Recent years have seen dramatic changes to the use of technology in the workplace, creating new potential avenues for employees to steal sensitive data and, consequently, a growing headache for HR teams. One of the latest challenges is the growth of cloud computing as, according to a 2013 KPMG report, the majority of organisations now use cloud computing in one or more parts of their enterprise.
The High Court recently considered the unique legal challenges arising from cloud computing in the context of an employee trying to misappropriate confidential information. This article looks at some of those challenges from an HR perspective.
What are cloud-based systems?
Cloud providers manage the infrastructure and platforms on which IT applications run and provide the necessary servers, data storage and back-up facilities, essentially giving clients a “virtual desktop” from which to operate, often at a cost-saving compared to companies building their own IT infrastructure. Indeed, it is the potential for cost-savings that KPMG says is driving the move towards cloud-based systems.
The provider of the cloud system is normally a third party supplier, rather than an entity related to the “client” business which is storing its data in the cloud. It’s the IT equivalent of an off-site storage warehouse operated by a third party.
The risks
In years gone by, employees trying to misappropriate a client list had to physically copy the list and smuggle it off the employer’s premises. Then along came email, and for a while that was the preferred vehicle for disgruntled employees making off with proprietary information – until they realised that deleted emails could be reconstructed by forensic IT specialists.
Now the focus is starting to move to cloud-based systems, which brings new risks for employers and new considerations for HR teams.
Firstly, many cloud-based systems permit documents to be copied and pasted onto a desktop outside the cloud, which, if carried out on an employee’s personal laptop or other device, can enable the employee to easily download documents and use them for their own purposes. So, whilst a business may be monitoring its employees’ email traffic, it may not be monitoring a simple cut-and-paste from within the cloud to outside the cloud and may not be able to trace what documentation has been moved around this way.
Secondly, some cloud-based systems do not routinely record the movement of email traffic inside the cloud and, because the system is operated by a third party, it may not be feasible for a forensic IT specialist to access the cloud-based system to reconstruct the evidence trail.
Thirdly, it can be difficult to trace the web browsing history of employees who browse the internet from inside the cloud; such history can be useful when an employer is concerned that an employee is frequently logging into a web-based email account (such as Hotmail) or a personal cloud-storage account in order to remove company information.
These three hurdles can make the evidence-gathering process for an employer who suspects an employee of misappropriating confidential information almost impossible – and without evidence (rather than just suspicion), courts will be reluctant to issue orders against employees.
Moving documentation around using cloud-based computing systems is made easier if the employee works remotely, or from their own laptop, as the employee’s behaviour cannot necessarily be monitored as closely.
Prevention is always better than cure
There are a number of additional IT security measures companies can take to protect themselves against improper use of cloud-based systems, such as disabling the ability to copy documents from within the cloud to outside the cloud, and ensuring that the cloud provider maintains an accessible archive of all sent, received and deleted emails for a proportionate amount of time (so that illegitimate activity can be uncovered).
Employers may also wish to consider banning the use of personal cloud storage and web-based email for work activity so that documents cannot be copied into them, or otherwise implementing IT measures to prohibit uploading of documents onto web-based applications.
HR teams should also ensure a review of their companies’ IT policies takes place to ensure that they allow company monitoring of employees’ IT activity and work email accounts and expressly prohibit the removal of company documents and information outside the company’s systems. These should be supported by adequate confidential information and company property clauses in employees’ employment contracts.
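As an added illustration that is not part of the article, the following defender-side script reviews proxy log lines and flags large uploads to web-based email and personal cloud-storage hosts, the activity the article notes is hard to trace once browsing happens inside the cloud. The log format, user names, host names and size threshold are all constructed assumptions; a real deployment would use the proxy's own log layout and category feed.

```python
"""Flag uploads to web-mail / personal cloud-storage hosts in proxy logs.
Added example; the log format and the host list below are assumptions."""
from collections import defaultdict

# Assumed (constructed) list of non-corporate destinations and their category.
PERSONAL_HOSTS = {
    "mail.example-webmail.test": "webmail",
    "upload.example-storage.test": "personal-storage",
}
UPLOAD_METHODS = {"POST", "PUT"}          # requests that carry data outward
UPLOAD_BYTES_THRESHOLD = 1_000_000        # roughly 1 MB sent in one request


def parse_line(line):
    """Constructed format: timestamp user method host path bytes_sent status."""
    ts, user, method, host, path, sent, status = line.split()
    return {"ts": ts, "user": user, "method": method, "host": host,
            "path": path, "sent": int(sent), "status": int(status)}


def review(lines):
    """Return, per user, the count, volume and hosts of large uploads to
    personal web applications. Small requests (ordinary mail, page loads)
    and corporate hosts are ignored so the output stays reviewable by HR."""
    findings = defaultdict(lambda: {"uploads": 0, "bytes": 0, "hosts": set()})
    for line in lines:
        rec = parse_line(line)
        category = PERSONAL_HOSTS.get(rec["host"])
        if category is None or rec["method"] not in UPLOAD_METHODS:
            continue
        if rec["sent"] < UPLOAD_BYTES_THRESHOLD:
            continue
        entry = findings[rec["user"]]
        entry["uploads"] += 1
        entry["bytes"] += rec["sent"]
        entry["hosts"].add(f"{rec['host']} ({category})")
    return dict(findings)


# Constructed sample log lines for demonstration only.
SAMPLE_LOG = [
    "2014-03-03T08:15:02 jdoe GET mail.example-webmail.test /inbox 512 200",
    "2014-03-03T08:16:40 jdoe POST mail.example-webmail.test /attach 2400000 200",
    "2014-03-03T08:17:10 jdoe PUT upload.example-storage.test /files/q1.xlsx 5200000 201",
    "2014-03-03T09:02:11 asmith POST intranet.corp.test /timesheet 3100 200",
    "2014-03-03T09:05:00 asmith POST mail.example-webmail.test /send 2048 200",
]

if __name__ == "__main__":
    for user, summary in review(SAMPLE_LOG).items():
        print(user, summary["uploads"], summary["bytes"], sorted(summary["hosts"]))
```

The output is a starting point for a conversation with the employee and for preserving evidence, not proof of wrongdoing on its own.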
What to do when things go wrong
When an employer uncovers evidence of such potential wrongdoing by an employee, various remedies are open to it. It can ask the court to order the employee to preserve all documents (to prevent the employee from hiding his or her wrongdoing) or to order an image to be made of all the employee’s devices. It can also ask the court to order the employee to deliver up and destroy all material which has been taken, and it can even ask for an order permitting a search for devices at the employee’s premises (usually carried out early in the morning without prior warning) so that copies can be made and preserved. Evidence of wrongdoing is, however, required, and mere suspicion is not enough. The more draconian the order sought, the higher the level of evidence required. This is the practical issue which the employer needs to overcome.
In addition, documents stored on some media can be difficult to retrieve. For example, documents stored on a web-based email account may not be recoverable from the device on which they were viewed and the web-based email company may refuse to give access to an individual’s account without that person’s express consent (despite a court order to do so).
Conclusion
With the ever-changing technological world in which many companies operate, it is important for employers to regularly review their IT policies and security measures to ensure that their information is adequately protected against illegitimate use or theft by employees. This is one area of the law where prevention is most definitely better than cure.
One Response
Cloud encompasses many different setups …
Accordingly there cannot possibly be a one-solution-fits-all approach
The major problem has arisen because of the precise definition of Cloud & to many it is simply regarded as an ‘off-site’ dumping area. However, there is a world of difference between the Dropbox approach and that of an integrated HR/Accounting/Payroll etc. package running in the Cloud
The former is pretty much a ‘free for all’ and providing one has a password anything goes, whereas the latter is a highly structured approach that is far simpler to control (recording last user, dateTime etc.) and in many cases has layered security built in, enabling some to have greater access rights than others
A great deal of this article surrounds a theoretical, slightly abstract view of the Cloud that sometimes has no relevance to things on the ground
However there are practical constraints to some of the solutions suggested and inevitably any restrictions are going to be challenged by people trying to get around them
‘.. So, whilst a business may be monitoring its employees’ email traffic, it may not be monitoring a simple cut-and-paste from within the cloud to outside the cloud and may not be able to trace what documentation has been moved around this way ..’
But what about screen prints etc.
Anyway the means of devices communicating with each other are legion – from hard wired to Bluetooth etc. Once on the personal device it is out of the organisation’s domain and can be sent onward from there. So realistically it is almost impossible to prevent data theft, where someone is intent on carrying it out
And as for tracking all this by the organisation – well …. good luck !
Furthermore, the first thing I would do if going to remove data is look over a colleague’s shoulder to get their login details (not difficult) and then do everything under their credentials. At which point all your tracking and forensic IT dissemination is then worthless – because it’s the wrong staff member
So realistically – nice ideas – just very difficult to implement if someone has intent and knows how to circumvent the systems. Effectively worthless and as for suggesting some form of ‘Anton Piller’ order – mmm ……