Statistics compiled by the Information Commissioner’s Office (ICO) have indicated that four of the five most common causes of data breaches involved human error or process failures. 

In October 2018, the supermarket chain Morrisons was found vicariously liable by the High Court for the actions of a rogue employee, and in the same month the Financial Conduct Authority (FCA) issued a staggering £16.4 million fine to Tesco Bank for a 2016 cyber incident. Such cases illustrate that employers are becoming increasingly accountable for their employees’ actions and highlight that it is more important than ever to tackle cyber breaches swiftly and effectively. 

What can you do to minimise data breaches?

Employees are often the weakest link in the cyber security chain, either through negligent actions or with an intent to cause harm either to the employer or some other party. It can be notoriously difficult to stop a rogue employee from acting dishonestly. It is impossible to completely eradicate a cyber threat. However, there are a number of things that need to be considered from a HR and employment law perspective to help prevent breaches occurring, including:

• Training employees on all aspects of data protection from induction stage onwards. A well-trained employee is more likely to be able to identify a threat or know what action to take if a breach occurs. Regular refresher training is recommended.

• To ensure that employees have taken on board the training, and are putting it into practice, they can be tested from time to time. For example, an IT business can generate a bogus but harmless email with a suspect internet link within it. This can be sent, without warning, to employees, and a record kept of those who clicked on the suspect link. 

• There are often obvious warning signs that an employee may pose a threat e.g. an aggrieved employee or an employee working their notice and leaving to join a competitor. Identifying issues early can help prevent a data breach from occurring. 

• Practise a culture of security throughout your organisation. For example, distribute to employees a list of the top 10 cyber security risks, and update and redistribute this regularly to keep cyber security “front of mind.” 

• Ensure your data protection policy is communicated to all employees and that it clearly defines responsibilities and the consequences of non-compliance.

• Ensure your employment contracts have up to date terms to give you recourse if an employee is guilty of causing a cyber breach. The importance of the subject can be reinforced in the minds of employees by making negligent actions with regard to cyber security a specified disciplinary offence.

Ultimately, organisations need to tackle cyber breaches from all angles, including security software as well as policies, incident plans and clear and ongoing staff education and training.  

If you require legal advice, please contact the team on 01273 834120 or visit www.sherrardslaw.com