Written by Michelle Last, Partner at Punter Southall Law
The announcement in March last year that employees should work from home in response to the pandemic markedly changed the working environment.
In response, many companies hurriedly put in place arrangements to enable staff to work from home where possible, in order to save lives (and rightly so).
However, in providing unfettered home access to confidential clients lists and other “crown jewels”, many employers have found themselves inadvertently exposed to an epidemic of other sorts; theft of confidential information and trade secrets by employees working from home.
Lawyers and forensic IT investigators have noted a significant and ongoing trend of increasing numbers of workers stealing this kind of material while working from home.
I believe this is driven by a combination of four key factors:
1. A Change in Employee Expectations
There has been a notable change in employees’ expectations and feelings of entitlement. Many employees now want to be able to work when they want and how they want. If their role no longer suits them or does not provide the flexibility to which they have become accustomed in the last 18 months, they will go elsewhere.
But it is more than this. There is a feeling amongst some that, somehow, they are entitled to take clients’ lists, financial data and the like, because they have worked on this or helped develop a client relationship.
In reality, the law is clear and that theft of confidential information may amount to gross misconduct and give rise to civil and criminal claims. One senior barrister told me he had never lost a case against a former employee who had stolen confidential information. Simply because they are not entitled to do it.
2. Booming Jobs Market
The jobs market is buoyant – with the highest number of vacancies in the UK for 20 years, at 1.1 million as of September. Workers armed with sensitive information may find themselves highly sought after and seek to secure a role by unfairly using this data.
3. Undefined Policies and Procedures
Many businesses simply have no IT processes and policies in place to prevent or identify confidential information or data breaches or set out the consequences for such conduct.
4. A less formal working environment
Workers may feel safer sending on what belongs to their employer from the safety of their own home, rather than a formal office environment, where there may be a greater sense of being watched.
The steps employers need to take
As a minimum, companies should have in place comprehensive contracts of employment that protect confidential information, require employees to return any such material on request and in any event on termination and require employees to comply with the IT security policy. This policy should be signed by the employee and should include important prohibitions on things like sending documents and data to a personal email address or downloading it to a USB.
The current most popular method of theft seems to be sending to a personal email. This seems such an obvious and clear breach but many employers simply do not prohibit this or communicate the fact that this is prohibited.
Firms which implement robust IT security measures are much better placed to respond to potential breaches. One client has a system in place which immediately alerts IT in the event an email is sent to a personal email address or if information is downloaded to a USB. Other clients ensure the screen saver flags a warning which makes clear that unlawful downloading, misuse or retention of confidential information is forbidden.
Ultimately, it can be costly and time consuming to deal with breaches of confidence and can require reporting to the Information Commissioner. Employers who have evaluated the risks and taken appropriate measures, will be much better placed to face this particular epidemic.