October 12, 2019 by Dr. Dexter Morse, Director, Insurance & Risk Management, International Air Transport Association (IATA)
When it comes to risk, the greatest threat to your clients’ companies and networks does not come from external hackers trying to break in, but from their own internal employees who cause either mischief or inadvertent damage, according to research by security firm AlgoSec, SANS Institute and Krall. Employees can be a company’s own worst enemy, potentially causing many different types of damage and loss. (See below for a survey of potential risk exposures.)
Rogue Employees: A typology
Background literature reveals at least five different character profiles of rogue employees:
Ambitious, resourceful employees
These kinds of rogue employees are resourceful and independent individuals who might stay up all night to find ways around rules and procedures. They are intelligent, cunning and motivated and are especially dangerous to an organization because they are so capable and resourceful.
These employees hold a grudge and wish to harm the organization. When they quit or are fired, they may steal proprietary information and leak it. Or they might try to damage the organization’s reputation by widely circulating false or malicious information; they could do this by contacting suppliers, shareholders, authorities, regulators, etc.
Negligent employees disobey rules and protocols, either by accident or on purpose.
Unintentional rogue activities are more frequent. For example, negligent employees may leave their login IDs and passwords on sticky notes posted to their computer monitor, share sensitive information in emails, leave client lists or confidential presentations on whiteboards in meeting rooms, or forget company laptops, phones or documents on public transport. Particularly alarming is the fact that many ex-employees often still have access to “confidential” or “highly confidential” data at their previous employer.
Employees with secret political affiliations and loyalties
Any employee can have a rogue political affiliation, ranging from a sophisticated art expert employed by the British royal family (Anthony Blunt) to the nice, 87-year-old lady next door (Melita Norwood – inspiration for the new film “Red Joan”), or women used as honeytraps (Anna Chapman).
Employees with mental health issues
These employees can cause harm to themselves, their colleagues, and the organization. Research by Business in the Community (U.K.) found that 66% of employees in the financial service industry experienced a mental health condition as a result of work in the past year. One in four of us will be affected by mental health issues of some kind during our lifetime.
How to advise your clients
What can your business clients do to prevent or mitigate potential damage from rogue employees?
Here are five things you can advise your clients to do, for starters:
1 Establish clear written expectations related to employee departures. Draft policies and incorporate specific terms into employment contracts about the obligations of departing employees – e.g. confidentiality, fidelity, mutual trust, return of company property such as office keys, hardware, passwords etc., as well as non-solicitation of employees/customers.
2 Have a clear exit strategy that reflects the employee’s role in the business, the information and systems to which they have access, and whether that access has been permanently severed. It may be appropriate to restrict or change the employee’s duties when they are leaving. For example, allocate to them more administrative tasks, with limited access to useful confidential information that they might use at their next employer.
It may be appropriate to place the employee on paid “garden leave” – e.g. the terminated employee is instructed to stay away from work during the notice period while still remaining on the payroll. Such a strategy may be particularly effective when the disgruntled employee might be disruptive in the workplace or jeopardize customer relationships.
If the business has any concerns about the potential actions of a departing employee during their notice period, invoking a payment in lieu of notice (PILON) clause would be the preferred option to terminate the relationship immediately and protect the business. Prevention is better than cure: it is easier and more cost-effective for employers to prevent damage or loss by ensuring that their employment contracts contain provisions to manage the exit effectively.
The appropriate steps to take will vary depending on each employee and the scenario.
3 Examine company computers, mobile phones and email accounts to find evidence of improper conduct. This should be done when the employee has departed under dubious circumstances. Under these circumstances, your clients should work with their IT providers to secure data and prevent data theft or sabotage. Employers should ensure they have policies in place giving them the right to monitor and examine the use of the company’s electronic equipment.
4 Employers should gather evidence proving any unlawful conduct by terminated employees and the harm caused to the business before engaging in expensive and protracted lawsuits. Lawsuits involving employees gone rogue frequently lack evidence.
5 Employers should act swiftly when they discover that a departed employee has retained confidential information or company property. This is to limit the potential damage and to ensure that your clients do not waive their legal rights. Time is of the essence.
Dexter Morse is co-author of Tackling Insurance Fraud: Law & Practice, and a contributing author to A Guide to Reinsurance Law.