Today, one of the most critical risks a company can face is the cyber risks associated with its own employees or contractors.  Companies are confronting an increasingly complex series of cybersecurity challenges with employees in the workplace, including employees failing to comply with established cybersecurity policies, accidentally downloading an attachment containing malware or providing their credentials in response to a phishing scam, or intentionally stealing company information for the benefit of themselves or the company’s competitors by simply copying information to their email or a thumb drive and leaving the company.  Contractors or consultants with access to company systems can pose these same challenges. To guard against these risks, companies can implement various policies and procedures to address an employee’s tenure, from pre-hiring to post-employment, and can implement many of these same precautions with respect to contractors, consultants, or any other third parties with access to company systems.

Before hiring employees or contractors, companies can ensure they have in place policies and procedures to protect themselves.  Particularly important policies include:  acceptable use of electronic devices and systems; mobile device; data collection and retention; notice and consents for monitoring and collection of information on company systems; and background check policies that permit pre-employment and ongoing vetting of all employees.  Companies should enact enhanced screening and background checks for new hires who will have access to the company’s “crown jewels” and systems that can connect to or access the same, and should require third parties that provide contractors to demonstrate that they are doing the same.

When drafting policies, companies should ensure all important stakeholders are coordinated—including Human Resources, Information Technology, and Legal—and that all employee-related policies are aligned with other company policies, particularly the incident response plan, data security, and cybersecurity policies.

When onboarding employees, companies should use procedures including training, policy review, and key acknowledgements and consents to establish a culture of awareness and compliance.  It is particularly important for companies to complete the following tasks during employee onboarding:  apprise new employees of the company’s expectations regarding protection of confidential information and critical infrastructure (including ensuring that no new employee has brought any confidential information from another company with them); provide a briefing of policies governing employee access to information and those that could implicate employees’ privacy; notify employees that they have no expectation privacy if using personal devices for business purposes; and obtain employee consent to any applicable monitoring. Employees should be asked to execute a non-disclosure agreement and other documents that protect the company’s information, and the executed copies of these documents should be safely stored in the company’s personnel file or human resources system.

Companies can and should also implement parallel procedures for outside directors, vendors, contractors, and third parties with access to company networks and systems.

After employees begin work, companies should regularly assess indicators of any potential issues, including any unusual systems accessed by employees; what documents and information employees are downloading, printing, or emailing; when employees are performing actions on company systems; and any efforts by employees to exceed access privileges or records of failed log-in attempts.  Conducting real-time monitoring of employees has significant privacy implications, particularly outside the United States.  As a result, a company will typically want to notify employees of the monitoring and obtain prior consent or acknowledgement that an employee’s use of the system constitutes consent to the interception of their communications and the results of such monitoring may be disclosed to others, including law enforcement.

Companies should conduct regular, required training with employees concerning cyber risks, including the risks associated with phishing attacks and fraudulent email solicitations.  In addition, companies should make sure that compliance with security policies is included as a metric in performance evaluations for employees, particularly those employees with access to business critical information.

These same procedures should be in place for contractors, consultants, or any other third parties who have access to company systems and information.  If necessary, companies should review the contracts they have in place with vendors or staffing agencies to ensure that proper procedures and consents are in place.

If a company believes an employee is potentially disgruntled or an insider threat, the employee’s manager should coordinate with other departments—including Legal, Human Resources, and Information Technology—to obtain additional information and plan a course of action.  Investigations can include forensic computer or network searches, preservation of affected systems, and interviews with employees.  While developing the facts, a company should consider when or how to suspend or revoke a suspected insider threat’s access or take additional action against the insider—though beware that taking action against a suspected employee is likely to implicate employment laws in the United States or elsewhere.

When off-boarding employees, companies should take steps to protect themselves.  It is imperative for companies to develop policies and procedures for off-boarding employees that are directed at minimizing risks of data leakage.  Exit interviews should be conducted wherever possible; they will allow companies to spot potential problems or identify red flags.

When an employee resigns, a company should decide whether to institute a protocol to remove or limit the employee’s access to confidential information even before an employee’s last day at work. HR should work with IT to audit the employee’s most recent network access and email activity to ensure the employee has not harvested any confidential information.

When the company is preparing to terminate an employee, the company should implement a protocol to protect company confidential information, including reducing employee’s access to networks and systems before or simultaneously with notifying the employee of the impending dismissal.  The same should be done when a contract with a consultant, vendor, or contractor is nearing its end.

All employees who leave the company and all contractors whose contracts end should be reminded of ongoing obligations to protect the confidential information of the company and should be asked to return all company information, documents, and electronic equipment before their last day at work.

Employees can present a significant threat to a company’s business critical information, as can contractors or consultants with access to company systems.  Companies should ensure that relevant departments within the company, such as the legal, human resources, and information technology departments, are coordinating to take steps to protect the company against such threats, including those set forth above.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsay Burke Lindsay Burke

Lindsay Burke co-chairs the firm’s Employment Practice Group and regularly advises U.S., international, and multinational employers on employee management and culture issues and international HR compliance. She is a key member of the firm’s Institutional Culture and Social Responsibility practice, working together with…

Lindsay Burke co-chairs the firm’s Employment Practice Group and regularly advises U.S., international, and multinational employers on employee management and culture issues and international HR compliance. She is a key member of the firm’s Institutional Culture and Social Responsibility practice, working together with white collar colleagues to conduct culture assessments, internal investigations of executive misconduct, and civil rights and racial equity audits and assessments. Lindsay has been at the forefront of the changing workplace issues impacting employers in the U.S. in the last decade, including #MeToo, Covid-19, and the renewed focus on diversity, equity, and inclusion. She frequently advises employers in relation to their processes and procedures for investigating complaints of discrimination, harassment, and retaliation and trains executive teams and board members on culture risk and the lawful implementation of DEI programs.

Lindsay also guides employers through the process of hiring and terminating employees and managing their performance, including the drafting and review of employment agreements, restrictive covenant agreements, separation agreements, performance plans, and key employee policies and handbooks. She provides practical advice against the backdrop of the web of state and federal employment laws, such as Title VII of the Civil Rights Act of 1964, the Americans with Disabilities Act, the Equal Pay Act, the Family and Medical Leave Act, the Fair Labor Standards Act, and the False Claims Act, with the objective of minimizing the risk of employee litigation. When litigation looms, Lindsay relies on her experience as an employment litigator to offer employers strategic advice and assistance in responding to demand letters and agency charges.

Lindsay works frequently with the firm’s privacy, employee benefits and executive compensation, corporate, government contracts, and cybersecurity practice groups to ensure that all potential employment issues are addressed in matters handled by these groups. She also regularly provides U.S. employment law training, support, and assistance to start-ups, non-profits, and foreign parent companies opening affiliates in the U.S.

Photo of Moriah Daugherty Moriah Daugherty

Moriah Daugherty advises clients on a broad range of cybersecurity, data privacy, and national security matters, including government and internal investigations, regulatory inquiries, litigation, and compliance with state and federal privacy laws.

As part of her cybersecurity practice, Moriah specializes in assisting clients…

Moriah Daugherty advises clients on a broad range of cybersecurity, data privacy, and national security matters, including government and internal investigations, regulatory inquiries, litigation, and compliance with state and federal privacy laws.

As part of her cybersecurity practice, Moriah specializes in assisting clients in responding to cybersecurity incidents, including matters involving Advanced Persistent Threats targeting sensitive intellectual property and personally identifiable information. Moriah also assists clients in evaluating existing security controls and practices, assessing information security policies, and preparing for cyber and data security incidents.

As part of her litigation and investigations practice, Moriah leverages her government experience to advise clients on national security and law enforcement related compliance issues, internal investigations, and response to government inquiries.

Prior to becoming a lawyer, Moriah spent eight years working for the Federal Bureau of Investigation and U.S. Department of Justice.