Modifying Employment Policies to Create A Security-Conscious Workforce

The truism that "information empowers people" has caused many companies to give their employees broad access to substantial amounts of confidential information. Granting such wide access to confidential information can backfire, however. A recent Wall Street Journal special report entitled "The Dangers Within" opined that "[t]he biggest threats to information security often don’t come from hackers. They come from a company’s own employees."1

The combination of powerful new devices, wide access to confidential information, and human foibles has resulted in a wave of serious breaches of data security. A decade ago, "identity theft" was virtually unknown. Today, entire industries have arisen offering protection from security breaches.

One of the most important aspects of data security is a well-educated and alert workforce.2 This article discusses how businesses may modify their basic employment documents for the purpose of empowering their employees to prevent potential breaches of data security.

The Information Security Problem

In several of our firm’s prior publications we have detailed the ever-growing lists of: (1) companies that have experienced breaches of data security; and (2) state and federal statutes that have been enacted in response to security breaches.3 The following patterns have emerged as the causes of security breaches:

  • Employees who inadvertently disclose private data outside their companies, or who are victims of "social engineering" designed to deceive employees into disclosing data;
  • Lost laptops, discs, back-up tapes, or other storage media containing unencrypted private data in electronic form;
  • Malicious outsiders who hack into or otherwise gain access to company networks to obtain private data to commit identity theft or other improper acts; and
  • Malicious insiders who steal private data for revenge, financial gain, or other improper motives.

The imaginative means that malicious outsiders have used to obtain private data have spawned a new lexicon including the following:

  • "Phishing" (a seductive e-mail that causes an unsuspecting person to provide private data in response, e.g., "You Have Won the Lottery");
  • "Pharming" (setting up impostor websites that purport to be authentic business websites, which ask for private data);
  • "Spyware" (software embedded in e-mail messages that enables the sender of the e-mail to gain access to the recipients’ computer and network);
  • "Evil Twinning" (setting up a wireless network located close to a legitimate wireless network, for the purpose of capturing private electronic communications); and
  • "War Driving" (using mobile antennae to identify locations in which insecure wireless networks may be accessed).4

How many employees are able to define the above terms?

Though the outside threat is real, malicious insiders are one of the largest causes of theft in the workplace according to "The Dangers Within." The increasing number of powerful, small devices enables employee theft or loss of private data as never before. For example, within seconds an employee may download the entire content of a laptop’s hard drive to a "flash drive" the size of a thumb, put the "flash drive" in the employee’s pocket, and walk out of the office with huge amounts of private data. Of course, compact discs or digital versatile discs can easily store vast amounts of private data, and are almost as inconspicuous as "flash drives." Broadband Internet service enables employees to send huge amounts of data as attachments to their personal or other e-mail accounts. PDAs may have tremendous storage capacity as well. Digital camera phones enable people to capture images of data on computer screens.

How many employees are aware of all of the ways these technologies may be abused?

Creating a Security-Conscious Culture

Just as the past waves of sexual harassment claims caused businesses to modify their employment policies to create cultures in which sexual harassment is discouraged, employers should consider modifying their basic employment documents as tools to create a security-conscious workforce, which may prevent data security breaches. Organizations should revise their Information Security policies and Employee Confidentiality Agreements, and should seriously consider Information Security training for their employees.

Policies, agreements and training programs should accomplish the following:

  • Remind employees that information received from customers, employees or other third parties such as names, addresses, telephone numbers, fax numbers, Social Security numbers, banking information, and health information can be misused to engage in identity theft or other serious harms;
  • Advise employees to exercise care in the handling, use, and disposal of personally identifiable information;
  • Suggest to employees that they be careful when writing weblogs (or "blogs") or other communications outside the workplace not to disclose personally identifiable information;
  • Require employees to follow company security policies with respect to documents in paper or electronic form, including encryption of electronic data when appropriate;
  • Educate employees about accessing and collecting personally identifiable information outside the U.S. so as not to violate privacy laws in other countries such as Canada, the European Union, Japan, Australia, Argentina and Hong Kong; and
  • Alert employees about phishing, pharming, spyware and other improper activities.

Many employers require new hires to sign Employee Confidentiality Agreements and to review and acknowledge manuals containing employment policies. By revising Employee Confidentiality Agreements and employment policies, companies may emphasize information security from the first day of employment. Existing employees may also be required to review and acknowledge revised employment policies.

Of course, most employees are trustworthy, and many would be appalled by inadvertent or intentional data security breaches committed by other employees. Companies may wish to take advantage of the proliferation of Codes of Conduct implemented after the Sarbanes-Oxley Act of 2002 to encourage employees to report to management any potential data security breaches. Publicly-traded companies are required by the national stock exchanges to have Codes of Conduct that contain anti-retaliation provisions prohibiting adverse employment action against employees who raise concerns about potential violations of the Codes. Many privately-held companies also have adopted such Codes of Conduct. To encourage employees to report to management potential data security breaches, companies may wish to advise their employees that they will be protected from retaliation for raising data security issues.

Avoiding Legal Exposure

Any revised employment documents should be carefully tailored to comply with federal and state labor and employment laws such as the National Labor Relations Act ("NLRA"), or California Labor Code Section 96(k) which prohibits retaliation against employees for engaging in lawful off-duty conduct. For example, while information about compensation or other terms of employment may be considered by employers as secret and private as to individual employees, the NLRA, the California statute, or other laws may protect an employee who shares such information with co-workers or union organizers for legally protected purposes. Employment documents should be tailored so as not to unduly restrict communications or activities that are protected under these or similar laws.

Particular care should be used if businesses wish to implement revised employment documents outside the U.S. to ensure compliance with privacy laws in other parts of the world including Japan, Australia, Hong Kong, Canada, Argentina, and the European Union.

Concluding Thoughts

It is often said that employees are any company’s greatest asset. If true, then empowering employees to spot and prevent data security breaches is essential. But, employees cannot be expected to do so until they are provided with basic information on ever-changing technologies and creative outsider and insider threats to information security. One important step in that process should be revising the key employment documents that employees read and sign.

Footnotes:

1: Wall Street Journal, February 13, 2006, Section R.

2: Employment Law Commentary dated July 2004, "Your Employees: The Most Overlooked Component of Data Security."

3: See, e.g., MoFo Legal Updates dated July 2005, "Data Security: The Time is Now;" and May 2005, "Business Required to Dispose of Consumer Information."

4: See, e.g., Anti-Phishing Work Group, www.antiphishing.org.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved