The recent loss of a Canadian government hard drive containing personal information of recipients of student loans and the ensuing class action lawsuit are a stark reminder of how easy it is to be exposed to the pitfalls of data security breaches. In this day and age, when company data is stored on small, mobile devices, all it takes is an absent-minded employee leaving their USB key or smartphone on the subway.
To avoid the legal liability that might arise from such loss of data (not to mention the embarrassment), proper policies and procedures need to be put into place by employers regarding the handling of company data outside of the office. In addition, all portable devices containing company data should be password-protected and the passwords must be kept separate from the device.
Unfortunately, there are many other ways in which companies may be exposed to the loss or theft of sensitive electronic information. Here are a few examples:
The removal of employer’s data by rogue employees
A disgruntled employee removes sensitive information from the company’s computer and provides it to a competitor, then tenders his resignation. An employee decides to go off on her own and, before she resigns, emails herself client or customer data belonging to her employer. These are some examples of cases I have dealt with, where sensitive company data was stolen by former employees.
Although it is difficult to protect against such cases, there are some preemptive measures that can be put into place. For example, the employment contract should be drafted to include a clause prohibiting the removal of the employer’s data at termination (this may not stop the employee from doing so, but it may be of assistance in a potential lawsuit arising out of such activity). Further, if an employee is terminated or resigns, they should immediately be denied access to any sensitive and proprietary information. Employers should also preserve any computers, hard drives and electronic devices that the employee used prior to their termination.
An employer whose electronic information was stolen by a former employee has immediate recourse to the courts for a special injunction, sometimes referred to as an “Anton Piller order”. Similar to “search and seizure” orders in the criminal context, these orders allow the employer (through third-party lawyers) to access the home computers of the former employee and search for and seize the stolen information. These orders are granted when the court has strong evidence that proprietary and sensitive information was stolen by the former employee, causing irreparable harm to the employer.
If you suspect that you may be a victim of such activity, you should immediately contact a lawyer specializing in the field for assistance.
The eager hacker
There are many reasons why hackers might want to target your company’s electronic data. Some hackers are interested in using particular information stored on your system, such as in cases of corporate espionage. Other hackers may have a grievance with your company, or with a particular employee, and target your data to harm your company or that individual. Others, such as the online group “Anonymous”, do it for the purpose of exposing information which they believe should be publicly available.
Then there are the hackers that are doing it for profit. They might use the information they obtain to commit a fraud, or they might sell it to the highest bidder. In some cases, hackers have tried to blackmail the target company by asking for money in exchange for not publicizing the information.
Whatever their motivation, hackers pose a significant threat to companies and individuals. The exposure of sensitive information, particularly if that information belongs to third parties (clients, customers, etc.), can be legally and financially devastating to a company. The company may face multiple lawsuits from those whose information was lost. It may also be the target of an investigation and prosecution by the Office of the Privacy Commissioner.
To avoid these risks, it is important to put into place proper and up-to-date security software to ensure that your system is protected from hackers. In addition, there should be policies and procedures regarding proper and secure use of company computers by employees (for example, not opening emails and attachments from unknown or suspicious senders). It is important to consult with computer security experts on a regular basis to ensure that your security system and policies are keeping up with the most recent threats.
And if you happen to be the unfortunate victim of hacking, contact a lawyer specializing in the field, as you will need immediate legal assistance. In some cases, the police may be of assistance as well.
Maanit Zemel, Partner
Miller Thomson LLP