Q&A: What to do when you are leaking data

Q: I think some of my employees are leaking confidential information. What should I do?

A: Confidential data can be one of a company’s most valuable assets, whether it is customer data, trade secrets or future developments.

Data leaks, however small, can affect a company’s bottom line and reduce customer confidence in the security of the business. 

Additionally, under the recent data protection changes, a leak of personal data can result in a costly penalty for the organisation. Employees are legally obliged to not share their employer’s confidential data, even if this obligation is not expressly included within the employee’s contractual documentation.

It is often useful to include such an express term so that employees are reminded of this obligation when they join the company, and this term can be referred to when necessary.

Confidentiality clauses are also important to include as post-termination covenants because, after employment ends, the confidentiality duty only applies to information that could be classed as a trade secret.

Therefore, post-termination restrictions will need to be included in contracts to protect a broader range of information after employment ends.

Data leaks can take place in your business in a variety of ways: for example, data may be intentionally leaked by staff or leaked through careless behaviour.

To reduce the likelihood of leaks, all members of staff should receive training on handling company data. This training should cover areas such as careless talk, email use, data protection obligations and confidentiality outside of the workplace.

Monitoring of areas such as workplace email accounts and internet use will help identify where leaks are taking place. To avoid breaching privacy rights, employees will need to be informed of how monitoring will take place, in advance of this occurring.

Where the business is aware there is an unidentified data leak, it may wish to consider whether a confidential reporting line can be introduced to encourage internal reporting.

Where careless data leaks are identified, usually through email errors, employers should consider how to address this. It may be the case that employees are working without paying attention, and a reminder of the importance of securely emailing data will help address this. 

Should it be identified that an employee is intentionally leaking data, this needs to be addressed, without delay, through the formal disciplinary policy.

Once a formal disciplinary hearing has been conducted, a disciplinary sanction, which is reasonable in all the circumstances, can be imposed. 

Not only will this help prevent the particular employee leaking data, it will deter others from carrying out a similar action.

Peter Done is managing director of Peninsula