Managing the risk of rogue employees
A number of cases illustrate the risk to businesses posed by rogue employees.
In June 2019 Canadian financial institution Desjardins announced that an ill-intentioned employee—a long-time, trusted manager in the IT department—shared the information of 2.7 million individuals and 173,000 businesses. The leaked information included the names, addresses, birth dates, social insurance numbers, email addresses and information about transaction habits.
It took several months for Desjardins to learn the scope of the data-gathering scheme, after it referred suspicious transactions to the Laval Police Service in Quebec as part of routine monitoring in December 2018. In May police informed the company that the personal information of some of its members had been leaked and the employee was eventually identified and suspended, and his access to information systems frozen and the transfer of information ceased.
“Prior to engaging in expensive and protracted lawsuits, employers should gather evidence proving the unlawful conduct and the harm caused to the business.”
In late July 2019 Capital One, the US’s third largest credit card issuer, announced it had been hacked. The hacker began tapping into the large amount of information from Amazon servers, which the bank was using. Authorities arrested and charged Paige Thompson, a 33-year-old former Amazon Web Services employee, with computer fraud and abuse.
In a complaint filed in Seattle, prosecutors said that Thompson exploited an improperly configured firewall and accessed the data at various times between March 12 and July 17, 2019. Capital One said it fixed the problem as soon as it was discovered, but estimated the cost of the incident to be $100 to 150 million, mostly expenses related to providing credit-monitoring and legal support.
A determined “rogue” employee can severely harm an employer and inflict substantial damage by:
- Vandalising company property
- Destroying computer files
- Embezzling money
- Starting a social media campaign to defame the company
- Ruining the company’s reputation
- Shredding important records and documents
- Reporting the company to the authorities/regulators
- Calling emergency services to report suspicious package to disrupt business
- Stealing trade secrets such as client information or codes, and sharing them with rivals
- Causing the company to incur expenses, liability or fines
There are five basic types of rogue employees:
- Ambitious, resourceful and independent individuals
These employees work hard to find ways around the rules and procedures. They are intelligent, cunning and motivated, and are especially dangerous to an organisation because they are so capable and resourceful.
- Disgruntled employees/revenge-seekers
They hold a grudge and wish to harm the organisation. When they quit or are fired they may steal proprietary information and leak it or cause damage to the organisation by contacting suppliers, shareholders, authorities, regulators, etc.
- Negligent employees
These employees disobey rules and protocols. They leave their login IDs and passwords on sticky notes posted to their computer monitor, share sensitive information in emails, leave client lists or confidential presentations on whiteboards in meeting rooms or leave company laptops, phones or documents on public transport.
Unintentional rogue activities are random, difficult to plan for and therefore a greater risk and more common than intentional ones. Particularly alarming is the fact that ex-employees often still have access to “confidential” or “highly confidential” data belonging to their previous employer.
- Employees with secret political affiliations and loyalties
Any employee can have a rogue political affiliation. Russian spies who have been exposed range from a sophisticated art historian employed by the British royal family (Anthony Blunt) to the nice 87-year-old woman next door (Melita Norwood, inspiration for the film Red Joan) and women used as honeytraps (Anna Chapman, who was arrested in 2010).
- Employees with mental health issues
These employees can cause harm to themselves, their colleagues and their organisations.
Research by Business in the Community (UK) found that 66 percent of employees in the financial service industry experienced a mental health condition as a result of work in the past year. One in four people will be affected by mental health issues of some kind during their lifetimes.
How to prevent or mitigate harm from rogue employees
- Establish clear written expectations relating to employee departures. Draft policies and incorporate specific terms into employment contracts about the obligations of departing employees (confidentiality, fidelity, mutual trust and return of company property [office keys, hardware, passwords, etc]) and non-solicitation of employees/customers.
- Have a clear exit strategy which reflects the employee’s role in the business, the information/systems they have access to and whether that access has been permanently severed. It may be appropriate to restrict or change the employee’s duties when they are leaving, such as allocating them more administrative tasks with limited access to useful confidential information which could be of interest to their next employer.
It may be appropriate to place the employee on paid “garden leave”, especially where the disgruntled employee could be disruptive in the workplace or jeopardise customer relationships. If the business has any concerns about the potential actions of a departing employee during their notice period, invoking a Payment in Lieu of Notice clause would be the preferred option to terminate the relationship immediately and protect the business.
Prevention is better than cure: it is easier and more cost-effective for employers to prevent damage or loss by ensuring their employment contracts contain the provisions they can rely on to manage the exit effectively.
The appropriate steps to take will vary depending on each employee and the scenario.
- Examine company computers, mobile phones and email accounts to find evidence of improper conduct where the employee has departed under dubious circumstances and work with IT providers to secure data and prevent data theft or sabotage. Employers should ensure they have policies in place giving them the right to monitor and examine the use of the company’s electronic equipment.
- Lawsuits involving employees gone rogue frequently lack evidence. Prior to engaging in expensive and protracted lawsuits, employers should gather evidence proving the unlawful conduct and the harm caused to the business.
- Time is of the essence—employers should act swiftly when they discover a departed employee has retained confidential information or company property to ensure they do not waive their legal rights and to limit the potential damage.
Can insurance help?
Most property insurance policies contain an exclusion for “dishonest or criminal acts by partners, officers, managers, employees (including leased, employees), directors, trustees, etc” because traditional insurance is intended to provide protection for unintentional and unforeseen acts and events.
Fidelity and commercial crime insurance is designed to help address losses stemming from employee dishonesty, forgery, robbery, computer and wire transfer fraud, and other criminal acts.
Traditional insurance policies such as commercial liability and commercial crime usually do not cover privacy breaches or cybersecurity incidents because of the narrow policy language or express exclusions.
Cyber liability insurance can be an effective way to help manage the risk of privacy breaches and other cybersecurity incidents caused by insiders. However, often they specifically exclude actions committed where the rogue employee is an executive officer of the company, such as a CIO, CTO, risk manager or general counsel.
For coverage that does not have these kinds of exclusions, businesses may consider writing coverage through their captive, ensuring they have proper protection if one of their employees goes rogue.
Dexter Morse is director of industry risk management and insurance at International Air Transport Association (IATA). He can be contacted at: firstname.lastname@example.org