Data and privacy breaches caused by hacking and social engineering fraud are here to stay. Once considered an emerging risk, “cyber” is now a reality facing every organization.
Cyber is not just techno-wizardry committed by hackers using high-tech code to break into a system. Phishing, spoofing, pretexting, tailgating, and others are all ways third parties can use an organization’s employees to cause a breach. The vast majority of breaches result from the actions (or inaction) taken by an organization’s employees. In 2018, 64% of all successful “cyber attacks” resulted from user negligence, with another 24% being caused by malicious insiders. More likely than not, your organization will suffer a privacy or cyber breach and one of your employees will be the cause. For the sake of this post, when we talk about “cyber”, we are discussing true cyber breaches as well as social engineering fraud. While these two categories have distinct implications on insurance coverage, the implications from a human resources standpoint are largely similar.
When dealing with a breach, there are significant legal implications for an organization not only in how it responds from a data privacy standpoint but also from a human resources standpoint. While there has been significant attention paid to various cases involving employees terminated for scandalous social media posts in the past few years, there has been relatively little coverage of what happens to employees when they are the cause of a cyber breach.
Like all things legal, the answer is, “it depends.” Events move quickly in the aftermath of a breach. While an organization may be able to contain and reverse the technical damage caused by a breach, poorly handled human resource management may create its own exposure.
After an employee-caused breach, an organization will have to make a decision. What do you do with the at fault employee? In the case of the malicious insider, termination seems obvious. However, what of the “innocent” but negligent employee? Dismissal may not always be the most appropriate result. Additional training, supervision and guidance may be the more effective approach.
The two main forms of dismissal in Ontario are “without cause” and “for cause.” Of these, “without cause” is the most common. An employer is entitled to terminate an employee’s contract of employment for any good business reason, as long as they give sufficient notice of the termination or paid in lieu of notice. In the case of a senior employee or specialist, the period of notice can be lengthy and expensive.
In contrast, the bar in “for cause” dismissal is generally high. It is reserved for particularly egregious conduct that effectively destroys the employer/employee relationship. A classic example is assaulting coworkers or customers. It can also be the result of a series of progressive discipline culminating in dismissal. In a “for cause” dismissal, an employee is not entitled to notice of termination or pay in lieu of notice. A “for cause” dismissal avoids the need to provide potentially significant pay in lieu of notice but invariably opens an organization to the risk of litigation by the dismissed employee.
Regardless whether a dismissal is with or without cause, how the organization implements that dismissal may have an impact on future risk. Employers have an obligation of good faith and fair dealing in the manner of dismissal. Frog marching a negligent employee out the door in full view of the office on the same day of the breach may not be advisable. It certainly risks opening the door to future litigation. Additionally, employees who are dismissed in a summary manner are less likely to be cooperative with the organization if (and when) a third party lawsuit comes knocking. Given the rise of privacy and cyber litigation, the appropriate response to an employee-caused breach requires a certain degree of forward thinking. When considering the appropriate response, an organization may want to consider some of the following factors:
- How did the breach happen?
- Were there policies and procedures in place to deal with this?
- Did the employee follow these procedures?
- How serious was the breach?
- How senior or critical is the at fault employee to the organization?
- What is the employee’s track record within the organization?
- What are the risks of “cutting them loose” if there is future litigation?
Ultimately, there is no one size fits all answer in the current climate. A decision to dismiss should only be made after a review of all the relevant facts and ideally, a once over from legal.
- Don’t forget the “precedented” business risks: liability claims - May 20, 2020
- PHIPA & privacy: Beware the rogue departing employee - April 17, 2020
- Constructive dismissal in the time of COVID-19 - March 20, 2020