
First Reference Talks

News and Discussions on Payroll, HR & Employment Law


Employee caused data breaches: What’s an organization to do?


Data and privacy breaches caused by hacking and social engineering fraud are here to stay. Once considered an emerging risk, “cyber” is now a reality facing every organization.

Cyber is not just techno-wizardry committed by hackers using high-tech code to break into a system. Phishing, spoofing, pretexting, tailgating and similar techniques are all ways a third party can use an organization’s own employees to cause a breach. The vast majority of breaches result from the actions (or inaction) of an organization’s employees. In 2018, 64% of all successful “cyber attacks” resulted from user negligence, with another 24% caused by malicious insiders. More likely than not, your organization will suffer a privacy or cyber breach, and one of your employees will be the cause. For the purposes of this post, when we talk about “cyber”, we are discussing true cyber breaches as well as social engineering fraud. While these two categories have distinct implications for insurance coverage, the implications from a human resources standpoint are largely similar.

When dealing with a breach, there are significant legal implications for an organization not only in how it responds from a data privacy standpoint but also from a human resources standpoint. While there has been significant attention paid to various cases involving employees terminated for scandalous social media posts in the past few years, there has been relatively little coverage of what happens to employees when they are the cause of a cyber breach.

Like all things legal, the answer is, “it depends.” Events move quickly in the aftermath of a breach. While an organization may be able to contain and reverse the technical damage caused by a breach, poorly handled human resource management may create its own exposure.

After an employee-caused breach, an organization will have to make a decision: what do you do with the at-fault employee? In the case of the malicious insider, termination seems obvious. But what of the “innocent” but negligent employee? Dismissal may not always be the most appropriate result. Additional training, supervision and guidance may be the more effective approach.

The two main forms of dismissal in Ontario are “without cause” and “for cause.” Of these, “without cause” is the most common. An employer is entitled to terminate an employee’s contract of employment for any good business reason, as long as it gives sufficient notice of termination or pay in lieu of notice. In the case of a senior employee or specialist, the period of notice can be lengthy and expensive.

In contrast, the bar for a “for cause” dismissal is generally high. It is reserved for particularly egregious conduct that effectively destroys the employer/employee relationship. A classic example is assaulting coworkers or customers. It can also follow a course of progressive discipline culminating in dismissal. In a “for cause” dismissal, an employee is not entitled to notice of termination or pay in lieu of notice. A “for cause” dismissal avoids the need to provide potentially significant pay in lieu of notice, but it invariably opens an organization to the risk of litigation by the dismissed employee.

Regardless of whether a dismissal is with or without cause, how the organization implements that dismissal may have an impact on future risk. Employers have an obligation of good faith and fair dealing in the manner of dismissal. Frog-marching a negligent employee out the door in full view of the office on the day of the breach may not be advisable. It certainly risks opening the door to future litigation. Additionally, employees who are dismissed in a summary manner are less likely to cooperate with the organization if (and when) a third-party lawsuit comes knocking. Given the rise of privacy and cyber litigation, the appropriate response to an employee-caused breach requires a certain degree of forward thinking. When considering the appropriate response, an organization may want to consider some of the following factors:

  1. How did the breach happen?
  2. Were there policies and procedures in place to deal with this?
  3. Did the employee follow these procedures?
  4. How serious was the breach?
  5. How senior or critical is the at-fault employee to the organization?
  6. What is the employee’s track record within the organization?
  7. What are the risks of “cutting them loose” if there is future litigation?

Ultimately, there is no one-size-fits-all answer in the current climate. A decision to dismiss should only be made after a review of all the relevant facts and, ideally, a once-over from legal counsel.

Devan Marr

Devan Marr is a lawyer at Strigberger Brown Armstrong LLP. With two offices located in Toronto and Kitchener/Waterloo, the firm offers a full range of legal services to its industry partners in insurance and risk management. The firm aims to provide its clients with focused, practical and cost-efficient legal advice. Devan primarily defends insurance claims, with a particular interest in the intersection of the contractual, statutory and common law obligations of parties in long-term disability and employment practice liability claims. His practice also includes providing employment-related legal advice to both employers and employees in the context of contract negotiations, evaluation of termination clauses, workplace investigations, and assessment of exposure to wrongful dismissal claims.
