Home and hybrid working – the data security risks
Various media outlets recently reported the unfortunate case of a BP employee whose husband (working 20 feet away) overheard her talking on the phone while she was working from home, and so learned of a proposed acquisition by BP of a company called TravelCentres of America. This was price-sensitive inside information, which allowed the husband, Mr Loudon, to make £1.3M in unlawful profits by investing in the target company before the acquisition was announced.
Mr Loudon has pleaded guilty to criminal charges of insider trading; his unfortunate wife has been sacked by BP (despite, it seems, being unaware of her husband’s actions); and divorce proceedings have commenced.
This may be an extreme example, but it highlights the need for employers to think about information security when staff are working from home. Research suggests that the increase in home and hybrid working has coincided with a vast increase in the number of phishing attacks, fraudulent emails and other cyber attacks on employees. Staff working in their own home may be more relaxed and less on their guard; employers might also fail to give the same consideration to information security at home as they do in the office environment.
The risks include:
- The eavesdropper. If the employee will be using a telephone, who else in the home will be able to hear what is being discussed? It may not be price sensitive information about a listed company, but there could be commercially sensitive information as well as personal data and other confidential information. An employer will want to be satisfied that this information will not be overheard by those who have no right to hear it (and over whose actions the employer has no control).
- For those using IT equipment, who else will be able to see what is on the screen? Employers should insist that IT equipment is locked (with a password or other authentication) whenever it is unattended and configured to lock automatically after a short period of inactivity, and that the employee is working in privacy.
- If employees are going to have hard copy documents at home, appropriate arrangements should be put in place for the security of those documents. If the employee shares their home with others, documents should be kept in a locked safe when not in use.
- How will documents be disposed of? Anything containing confidential or sensitive information needs to be disposed of securely – if that cannot be done at home, the employee should use facilities at the employer’s place of work.
- Home workers’ networks may be comparatively poorly secured: a typical home router is shared with other household members and their devices, and may still be running default passwords and out-of-date firmware. Employers should consider what steps could be taken to mitigate the risk of an insecure network leading to a cyber attack or data breach, for example requiring employer-managed devices to connect to work systems through a VPN.
- If employees are working in a café or other public location, the Wi-Fi connection may well have significant weaknesses which could be exploited if the employee’s IT equipment is not properly protected; on an open network, other users may be able to intercept or tamper with unencrypted traffic. Employers should consider banning employees from working in such locations, which also create significant risks in terms of phone calls being overheard, or “shoulder surfing” – other patrons viewing what is on the employee’s screen.
- Research has suggested that the distractions of home working may make employees less vigilant in spotting phishing attacks or other cyber security issues. Employers will want to ensure that workers have a safe, secure and private working environment, free of unnecessary distractions.
- If home/hybrid workers are travelling between home and office locations with their IT equipment, it needs to be made clear that the utmost care should be taken not to misplace any equipment containing confidential information. Laptops and other devices should have full-disk encryption enabled, protected by a strong password or PIN required at start-up, so that only authorised personnel can access the information stored on them. Carrying out work while travelling poses considerable risks given the likely insecure connections and the ability of other passengers to overhear or oversee information which should be kept confidential.
The risks of data breaches of commercially sensitive or personal information are clear and significant. Failure to have appropriate measures in place to maintain the “integrity and confidentiality” of personal data is a breach of the UK GDPR and can result in serious sanctions for employers. The Information Commissioner’s Office has the power to issue significant fines for data breaches – up to £17.5 million or 4% of annual worldwide turnover, whichever is higher. Individuals who have been affected by data breaches are entitled to claim compensation for losses suffered, including distress caused, and, of course, the reputational damage caused by a breach can also be significant.
Attacks on work systems are becoming more sophisticated, particularly those which involve social engineering and phishing links in emails, and with more organisations using portals and cloud-based systems for sharing information, it is becoming increasingly difficult to distinguish fraudulent emails from genuine ones. However, steps can be taken to reduce the risk, many of which are practical and relatively low cost.
The ICO has guidance for employers in addressing the security risks arising from remote working and this should be carefully considered and implemented: Working from home – security checklists for employers | ICO
Employers should consider a range of other steps including:
- Having clear policies and procedures, making clear what steps staff should take to ensure data security
- Training staff in relation to these procedures
- Ensuring staff use long, unique passwords (ideally managed with a password manager), and requiring two-factor or multi-factor authentication for email, remote access and cloud services
- Ensuring that operating systems, applications and security software are patched and kept up to date
- Applying a clear desk policy to home workers in relation to any documents they are using
- Not allowing home working if the employer is not satisfied that appropriate safeguards are in place
While a growing number of businesses are requiring staff to return to the office on a more frequent basis, it seems clear that home working is here to stay. Employers and employees should be mindful of the challenges this presents and the steps they need to take to ensure the risks are minimised. The good news is that with proper consideration and planning, those challenges can be overcome. If you have any questions on these matters, please do not hesitate to contact a member of our specialist employment Team.
This update contains general information only and does not constitute legal or other professional advice.
Douglas Strang, Senior Associate: dst@bto.co.uk / 0141 221 8012 / Connect with Douglas on LinkedIn
Lynn Richmond, Partner (Data Protection Team): lyr@bto.co.uk / 0131 222 2939 / Connect with Lynn on LinkedIn