Prevention is better than cure. This old adage is particularly true when it comes to misuse of confidential information. There often isn’t a complete cure when information is taken and the victim is left looking back with the benefit of hindsight thinking that the risk was obvious (and avoidable).
Asking the following questions will help identify small practical changes that you can make now to reduce the risk to your business.
1. What is it? (and where is it?)
It might sound obvious, but before you can begin improving your safeguards you need to know what you want to protect and where it is stored.
Attempting to answer this question often throws up a number of practical issues that need to be addressed (and are addressed below).
For example, a database of customer information, including pricing structures etc., is likely to be core information that a business wants to protect from competitors, but:
- Is the list saved to the network?
- Can it be printed? If so, where are the hard copies?
- Is it sent by email? If so, is it password protected? Has it been forwarded to others in the business?
- Has it been sent outside your organisation for any reason? If so, did the receiving party sign a confidentiality agreement?
Almost inevitably these questions will identify areas where controls can be improved.
2. Can it be protected?
In the UK confidential information can be split into three categories:
Trade secrets
A trade secret is often what gives a business its competitive edge. It isn’t generally known among people within the circles that deal with that subject, steps have been taken to keep it secret, and it has commercial value as a result.
Trade secrets can be protected without the need for express confidentiality clauses, and employees (and former employees) have a duty to keep them confidential indefinitely.
Other confidential information
If information falls short of a trade secret, it can still be protected. This category covers information that has some confidential element. It is information that employees must keep confidential for the duration of their employment, but which also becomes part of their own skill and knowledge. This means that if they move to a competitor they are free to use it.
This creates obvious concern for businesses. They can work around this by building confidentiality clauses and restrictive covenants into the employee’s contract.
Public information and trivia
Any publicly available information, industry custom and practice, or the “trivia” of the business will fall short of the standard needed to qualify for legal protection.
This matters because if confidential information is disclosed (intentionally or accidentally) and becomes public, it may lose the “necessary quality of confidence” and with it any legal protection.
3. What are the main threats?
Human error or process failure
When it comes to data breaches, the overwhelming majority of cases where the Information Commissioner’s Office has taken action involve human error and process failure.
Simple changes like restricting hard copies of confidential information, limiting who has access and checking the intended recipients of an email before it is sent help to reduce this risk.
Insiders
In 2013 the Centre for the Protection of National Infrastructure conducted a detailed study into known insider activity. It found that the most common type of insider activity was the disclosure of sensitive information (47%).
The study also looked at the demographic of those who engage in this activity. It found that:
- participants were overwhelmingly:
  - permanent staff (88%);
  - male (82%); and
  - self-initiated (76%).
- in almost half of cases the main motivation was financial gain.
The results of the study reflect what we see in practice. Where confidential information is deliberately targeted it is normally a crime of opportunity carried out by someone already in the business. This emphasises the importance of the practical steps you put in place to prevent unrestricted access to information within the business. Things to think about are:
- Password protecting sensitive information.
- Thinking about who needs to be involved in a project and limiting distribution lists and emails.
- Maintaining an audit trail for all documents on your network.
Hackers
These days there are countless high profile examples of hackers targeting data. Last year it emerged that Uber had paid hackers $100,000 to delete stolen personal data relating to 57 million customers and drivers.
Hackers are increasingly moving away from high volume attacks and are instead investing in sophisticated spear phishing and ransomware attacks.
It is crucial that an organisation provides employees with an overview of the risks and how to spot them.
4. What protection do I have in place?
The bad news is that breaches are most commonly the result of human error or from someone already in your organisation. The good news is that small changes can reduce the risk. Think about:
- Restricting access to confidential information, and labelling truly confidential documents “Confidential”.
- Limiting access to areas where confidential processes take place.
- Advising employees how to keep information confidential, for example not discussing company business in public places and taking care when using laptops and tablets in public.
- Ensuring appropriate IT policies and security protections are in place, especially if your company operates a Bring Your Own Device scheme. This might seem obvious but demonstrating that you have policies in place and that they are being enforced is helpful evidence if action has to be taken to respond to a breach.
- Keeping audit logs and records to show what projects each employee or consultant has worked on.
5. Can I respond quickly to a breach?
If action needs to be taken to recover and preserve evidence, it has to be done quickly to prevent the trail from going cold. Equally, the most effective remedies are often interim court orders preventing use or further distribution of the information, because quantifying and recovering damages is notoriously challenging in this type of case.
When you discover a breach you need to move fast. If the information contains personal data then GDPR requires a breach to be reported within 72 hours. Even if the information is purely commercial data then delay often creates problems further down the line.
Where there has been a deliberate breach, the response can be delayed because responsibility falls between the cracks of the legal, HR and IT functions of the business. Having a process in place for responding effectively to a breach, one that clearly sets out who will lead the investigation, can prevent this.