Data theft by departing employees is not a new trend. Although insider incidents receive less coverage than breaches carried out by external threat actors, a quick look at news headlines shows that the problem is very real and growing. According to ObserveIT, the number of cybersecurity incidents caused by insiders has grown by almost 50% since 2018.
However, companies today have to deal with more than just the possibility of unhappy former employees’ leaking confidential company data. With existing and pending privacy legislation that gives employees rights to access their own data after departure, organizations must now take a host of new risks into account when collecting and processing what may constitute employee “personal data.”
Employees Today Have a Lot More Rights to Access the Data Collected About Them
Even though most states already have laws that require employers to share certain information, such as payroll records, with workers, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA), as well as similar legislation pending in other states, take this mandatory disclosure a step further.
Under the GDPR, for example, employees residing in the European Union have the right to ask their employer for access to their personal data, which must be provided without undue delay and in any event within one month (extendable by up to two further months for complex or numerous requests). Personal data can include employment contracts, interview notes, performance reviews, CCTV footage, and potentially even e-mails that refer to the employees in question. Deleting personal data to avoid disclosure after an individual has made a request is not an option: beyond the administrative fines the GDPR itself provides, national implementing laws can make it a criminal offence (in the UK, for example, under section 173 of the Data Protection Act 2018).
Similarly, under the CCPA as amended and expanded by the CPRA, from January 1, 2023, employees have the right to access their employment-related personal information, to request that it be deleted, and to opt out of it being shared with third parties. Employment-related personal information is broad: it includes records of employees logging on to computers, swiping security badges, and being captured by security cameras. The CCPA also obliges employers to tell employees what kinds of information they are collecting about them, and it gives employees a private right of action for data breaches. Where a breach of nonencrypted and nonredacted personal information results from a failure to implement and maintain "reasonable security procedures," the affected employees can recover statutory damages of $100 to $750 per employee per incident, or actual damages if greater. Encryption of stored employee data therefore matters not only as a control but as a limit on liability.
Employment Information May Be a Goldmine for Disgruntled Workers
Although tighter protection of employee data is not necessarily a negative development, data privacy legislation also creates new risks for organizations from disgruntled employees.
For one, employee data privacy legislation could make wrongful termination claims more complex. Because more employees now have, or will soon have, the legal right to access data collected about them during employment, they can potentially use it as evidence against their employer in discrimination, whistleblowing, or employment status litigation.
Data privacy legislation also creates the possibility that disgruntled employees could mount a DDoS-style attack on their employer's HR department. Given the short turnaround time companies have to provide access to personal files, and the need to redact other employees' information before responding, a group of unhappy ex-employees could file many access requests simultaneously, consuming HR and legal resources and disrupting operations. The GDPR does allow a controller to charge a reasonable fee for, or refuse to act on, requests that are manifestly unfounded or excessive, but the burden of demonstrating that a request is unfounded or excessive falls on the employer, so this is no substitute for being able to locate and export employee data efficiently.
Privacy legislation also opens up the potential for employees to take former employers to court over data misuse, an increasingly common occurrence where such legislation is in place. Disgruntled employees may also file internal complaints, or complaints with regulators, alleging improper collection or processing of their own data or of the company's customers' data. Even when these claims are baseless, allegations of data misuse can still damage an organization's reputation and stretch corporate resources.
Amount of Data Collected Is Increasing
Complicating matters further, workforce surveillance is growing regardless of whether employees work remotely or on-site. Companies today collect far more information about their workers than they did in the past, yet only 56% of organizations have a formal policy describing their employee monitoring practices, a gap that employees are not happy about.
Crucially, though they may soon be required to do so by law, many organizations may not be prepared to make their data collection processes transparent to workers.
Practical Steps to Mitigate Risk of Data Misuse After Employee Departure
Most companies already have off-boarding processes designed to mitigate the potential for data theft and posttermination litigation. For example, more than a third of workers are currently bound by nondisclosure agreements (NDAs). However, some NDA provisions may be rendered ineffective by the requirements of new privacy laws, which give employees rights of access to data about them that persist after termination and that an NDA cannot override.
In this respect, the only real way for organizations to reduce the risk of data misuse following employee departure is to review their employee data collection procedures: inventory what employee data is collected, on what basis, where it is stored, who can access it, and how long it is retained. Employers need to make sure that how they collect and use data is appropriate and not in breach of current and pending data privacy laws, and that they can actually find and produce the data when an access request arrives.
Legislation Will Not Stand Still
Even for organizations that are not currently affected by data privacy legislation, it is vital to understand that privacy law is a fast-moving space and will soon be in place for consumers in most of the world's largest markets.
Looking at how the GDPR continues to evolve, it is also evident that similar legislation elsewhere will continue to change. With this in mind, employers collecting employee personal information should assume that employees could, in the future, have the right to access it and potentially use it against them.
Creating a Culture of Transparency and Privacy Is Vital
When it comes to data use, as in any other part of strong employer-employee relationships, transparency is key. Being clear and open about what employee information is collected and what employers may use it for can go a long way in alleviating workers’ concerns and reducing the likelihood of problems later down the line.
However, with more and more employees voicing concerns about data privacy, organizations that want to future-proof their business should consider going the extra mile by building a "culture of privacy." In addition to the steps above, companies should educate staff on the importance of data privacy in general, give them practical tips on keeping their online identities safe, and offer online data removal tools. For both employers and employees, data privacy should be seen as a benefit, not a burden.
Rob Shavell is CEO of Abine/DeleteMe, an online privacy company. Shavell has been quoted as a privacy expert in The Wall Street Journal, The New York Times, The Telegraph, NPR, ABC, NBC, and Fox. He is also a vocal proponent of privacy legislation reform, including the CPRA.