This article was written by Sophie Vanhegan, employment solicitor at GQ Employment Law LLP.
Recent years have seen dramatic changes to the use of technology in the workplace, creating new potential avenues for employees to steal sensitive data and, consequently, a growing headache for HR teams. One of the latest challenges is the growth of cloud computing as, according to a 2013 KPMG report, the majority of organisations now use cloud computing in one or more parts of their enterprise.
The High Court recently considered the unique legal challenges arising from cloud computing in the context of an employee trying to misappropriate confidential information. This article looks at some of those challenges from an HR perspective.
What are cloud-based systems?
Cloud providers manage the infrastructure and platforms on which IT applications run and provide the necessary servers, data storage and back-up facilities, essentially giving clients a “virtual desktop” from which to operate, often at a cost-saving compared to companies building their own IT infrastructure. Indeed, it is the potential for cost-savings that KPMG says is driving the move towards cloud-based systems.
The provider of the cloud system is normally a third party supplier, rather than an entity related to the “client” business which is storing its data in the cloud. It’s the IT equivalent of an off-site storage warehouse operated by a third party.
In years gone by, employees trying to misappropriate a client list had to physically copy the list and smuggle it off the employer’s premises. Then along came email, and for a while that was the preferred vehicle for disgruntled employees making off with proprietary information – until they realised that deleted emails could be reconstructed by forensic IT specialists.
Now the focus is starting to move to cloud-based systems, which brings new risks for employers and new considerations for HR teams.
Firstly, many cloud-based systems permit documents to be copied and pasted onto a desktop outside the cloud, which, if carried out on an employee’s personal laptop or other device, can enable the employee to easily download documents and use them for their own purposes. So, whilst a business may be monitoring its employees’ email traffic, it may not be monitoring a simple cut-and-paste from within the cloud to outside the cloud and may not be able to trace what documentation has been moved around this way.
Secondly, some cloud-based systems do not routinely record the movement of email traffic inside the cloud and, because the system is operated by a third party, it may not be feasible for a forensic IT specialist to access the cloud-based system to reconstruct the evidence trail.
Thirdly, it can be difficult to trace the web browsing history of employees who view the internet inside the cloud; that history can be useful when an employer is concerned that an employee is frequently logging into a web-based email account (such as Hotmail) or a personal cloud-storage account in order to remove company information.
These three hurdles can make the evidence-gathering process for an employer who suspects an employee of misappropriating confidential information almost impossible – and without evidence (rather than just suspicion), courts will be reluctant to issue orders against employees.
Moving documentation around using cloud-based computing systems is made easier if the employee works remotely, or from their own laptop, as the employee’s behaviour cannot necessarily be monitored as closely.
Prevention is always better than cure
There are a number of additional IT security measures companies can take to protect themselves against improper use of cloud-based systems, such as disabling the ability to copy documents from within the cloud to outside the cloud, and ensuring that the cloud provider maintains an accessible archive of all sent, received and deleted emails for a proportionate amount of time (so that illegitimate activity can be uncovered).
Employers may also wish to consider banning the use of personal cloud storage and web-based email for work activity so that documents cannot be copied into them, or otherwise implementing IT measures to prohibit uploading of documents onto web-based applications.
HR teams should also arrange a review of their companies’ IT policies to ensure that the policies allow company monitoring of employees’ IT activity and work email accounts and expressly prohibit the removal of company documents and information outside the company’s systems. These should be supported by adequate confidential information and company property clauses in employees’ employment contracts.
What to do when things go wrong
When an employer uncovers evidence of such potential wrongdoing by an employee, various remedies are open to it. It can ask the court to order the employee to preserve all documents (to prevent the employee from hiding his or her wrongdoing) or to order an image to be made of all the employee’s devices. The court can also order the employee to deliver up and destroy all material which has been taken, and it can even order a search for devices at the employee’s premises (usually done early in the morning without prior warning) so copies can be made and preserved. However, evidence of wrongdoing is required; mere suspicion is not enough. The more draconian the order sought, the higher the level of evidence which is required. This is the practical issue which the employer needs to overcome.
In addition, documents stored on some media can be difficult to retrieve. For example, documents stored on a web-based email account may not be recoverable from the device on which they were viewed and the web-based email company may refuse to give access to an individual’s account without that person’s express consent (despite a court order to do so).
With the ever-changing technological world in which many companies operate, it is important for employers to regularly review their IT policies and security measures to ensure that their information is adequately protected against illegitimate use or theft by employees. This is one area of the law where prevention is most definitely better than cure.