Employee Data Theft: A Burgeoning Dilemma for Employers
26 Jul 2022 | Shari Datu Tambuyung
As people become more reliant on electronic data, data theft (also called data exfiltration, data extrusion, data exportation, or unauthorized transfer of data) has become a common risk for organizations across industries. It happens when someone copies data without authorization and then uses it for unauthorized purposes. While it is mostly committed by outsiders, there have also been many cases where an organization's own employee committed the act.
A prominent example of employee data theft is the AT&T data breach in 2015 that compromised the names and social security numbers of around 280,000 of the company's US customers. According to reports, employees of call centers used by AT&T in Mexico, Colombia, and the Philippines accessed customer records and sold them to criminals, who then used the data in attempts to unlock stolen mobile phones. There was also the case of the Small Business Administration, a US government agency, whose former employee stole client information from the agency's database and used it to purchase a luxury vehicle, apply for personal loans, and even take over a client's credit card account.
It really isn't that much of a surprise. Employees know the ins and outs of a company's infrastructure and are trusted to handle its data as part of their job, which puts those harboring malicious intent in an ideal position to steal it. Now that remote access and data transfer through online services and personal devices can be achieved with great ease, siphoning off data for personal gain takes very little effort.
Why do they do it? Financial gain is usually foremost among their reasons. One can earn a lot from selling personal data to a third party or using it for identity theft, especially if one targets credit card details or bank account information. Departing employees may also take data to gain a competitive advantage if they plan to join a competitor or set up a rival company of their own. Other reasons may be more personal in nature, like revenge: some rogue or disgruntled employees commit data theft for the specific purpose of sabotaging their company's business or operations.
Within the context of the Data Privacy Act of 2012 (DPA), a Personal Information Controller (PIC) is liable for unauthorized processing of personal data committed by its employees, whether it was done intentionally or through negligence. As PIC, an organization must implement reasonable and appropriate security measures to protect the personal data it processes, including steps to prevent unauthorized access or any unlawful processing by its own employees. The obligation extends to third parties that process personal data on its behalf: the DPA does not exempt an organization from its duties as PIC when it outsources processing, so it remains accountable even when it is a service provider's employee who accessed the personal data without authorization and used it unlawfully.
The consequences can be severe. Employee data theft may result in a serious data breach and in lawsuits against the organization for failing in its duty under the DPA to protect the personal data under its control. If found liable, the organization may face criminal charges and be required to pay fines and damages. To make matters worse, data theft can also ruin an organization's reputation and cost it the trust of its customers. In the process, it consumes much of the organization's time and resources and can lead to further financial losses down the road.
What organizations can do is shield their assets by implementing a stringent data security plan. They should know what personal data they process and keep it scaled down to what is necessary for them to operate, since data that is never collected cannot be stolen. They should likewise ensure that employees and third-party service providers understand and fulfill their own responsibilities, through contractual instruments such as the terms and conditions of employment and non-disclosure agreements. There should also be policies that limit access to information and to information processing facilities to those who need it. Organizations should adopt information transfer policies and procedures that regulate and protect the sharing, transfer, or disclosure of information within and outside the organization. Such procedures must ensure that controls such as encryption and password use, access logging and monitoring, restrictions on the use of external drives, and prohibitions on the installation of unsupported software are actually observed when data is processed. Of course, organizations should also provide training so that all employees are familiar with the organization's policies and data handling protocols.
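The "access logs and monitoring" control above only helps if someone actually looks at the logs for the patterns in the cases described earlier: one account touching far more customer records than its peers, activity outside working hours, and data leaving through a removable drive or other external channel. The script below, written for this page as an added example (it is not code from the original article or from any vendor product), runs those three checks over constructed sample log lines. The log format, the shift hours, the list of "external" destination prefixes, and the peer-multiple threshold are all assumptions chosen for illustration and would need to be mapped onto a real system's audit schema and baseline.

```python
"""Flag insider-style access patterns in customer-record access logs.

Added example, not code from the original article. The log format, shift
hours, external-destination prefixes and the peer-multiple threshold are
all assumptions chosen for illustration. Each log line is assumed to be:
    <ISO-8601 UTC timestamp> <user> <VIEW|EXPORT> <record_id> <destination>
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

SHIFT_START, SHIFT_END = 8, 18                    # assumed working hours (UTC)
EXTERNAL_DESTS = ("usb:", "mailto:", "https://")  # assumed "leaves the building" destinations
PEER_FACTOR = 4.0                                 # flag > 4x the median of other user-days


def make_sample_log():
    """Constructed sample log (synthetic, not real customer data)."""
    lines = []
    # Two ordinary agents: a handful of records each, during the day shift.
    for i, rec in enumerate(range(20001, 20007)):
        lines.append(f"2022-07-25T{9 + i:02d}:15:00Z agent_a VIEW cust-{rec} console")
    for i, rec in enumerate(range(30001, 30006)):
        lines.append(f"2022-07-25T{9 + i:02d}:40:00Z agent_b VIEW cust-{rec} console")
    # One rogue agent: 40 distinct records late at night, then an export to a USB drive.
    for i, rec in enumerate(range(40001, 40041)):
        lines.append(f"2022-07-25T23:{i:02d}:00Z agent_c VIEW cust-{rec} console")
    lines.append("2022-07-26T00:45:00Z agent_c EXPORT cust-40001 usb:E:")
    return lines


def parse_line(line):
    """Split one log line into its fields; timestamps are parsed as UTC."""
    ts, user, action, record, dest = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user, "action": action, "record": record, "dest": dest,
    }


def analyze(lines):
    """Return a list of findings, each {"user", "day", "reason", "detail"}."""
    # Aggregate per (user, day): distinct records touched, off-hours events, external exports.
    stats = defaultdict(lambda: {"records": set(), "off_hours": 0, "exports": []})
    for e in map(parse_line, lines):
        key = (e["user"], e["ts"].date().isoformat())
        s = stats[key]
        s["records"].add(e["record"])
        if not SHIFT_START <= e["ts"].hour < SHIFT_END:
            s["off_hours"] += 1
        if e["action"] == "EXPORT" and e["dest"].startswith(EXTERNAL_DESTS):
            s["exports"].append(e["dest"])

    findings = []
    for key, s in stats.items():
        user, day = key
        # Peer baseline: median distinct-record count across all *other* user-days,
        # so the user-day under test does not inflate its own threshold.
        peers = [len(o["records"]) for k, o in stats.items() if k != key]
        baseline = median(peers) if peers else 0
        if len(s["records"]) > PEER_FACTOR * baseline:
            findings.append({"user": user, "day": day, "reason": "bulk_access",
                             "detail": f"{len(s['records'])} distinct records vs peer median {baseline}"})
        if s["off_hours"]:
            findings.append({"user": user, "day": day, "reason": "off_hours",
                             "detail": f"{s['off_hours']} accesses outside {SHIFT_START:02d}-{SHIFT_END:02d} UTC"})
        for dest in s["exports"]:
            findings.append({"user": user, "day": day, "reason": "external_export",
                             "detail": f"export to {dest}"})
    return findings


if __name__ == "__main__":
    for f in analyze(make_sample_log()):
        print(f"{f['user']} {f['day']} {f['reason']}: {f['detail']}")
```

On the constructed log, only agent_c is flagged: bulk access and off-hours activity on 2022-07-25, then an off-hours export to a USB drive on 2022-07-26. The peer-median baseline is deliberately computed from other user-days rather than a fixed number, because a call-center agent legitimately handling hundreds of accounts a day and a back-office analyst handling a dozen need different thresholds; in production the baseline would be built per role and over a longer window, and the findings would feed a ticket for review rather than an automatic action.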
Even with all these measures, the blame for employee data theft will almost always still fall on the employer for not having been diligent enough in adopting adequate security measures. Just the same, by being proactive and adopting dedicated information security policies and programs, an organization can significantly reduce the risk of employee data theft and of related threats.
Enforcing a comprehensive security plan can certainly be hard. But employers should prefer facing that difficulty to confronting the graver ramifications of employee data theft, which are far more difficult to manage and to put behind them. As a consolation, companies should remind themselves that investing in security is not only a risk reduction effort but also a competitive advantage that customers and clients will find hard to miss in the long run.