One in four employees 'have intentionally leaked confidential data'

HR has a responsibility to ensure workplaces are sensitive to data issues, say experts

One in four (24 per cent) UK employees have intentionally leaked confidential business information to individuals outside their organisations, surprising new research has revealed.

In a survey of 2,000 UK workers, data privacy and risk management company Egress Software Technologies suggested that employees who leaked information were most likely to share data with competitors, or new or former employers. It pointed to bank details and customer information as some of the most potentially damaging material that was being leaked.

Half of all survey respondents said they had deleted, or would delete, emails from their sent folder if they had sent information somewhere they shouldn’t.

“As with many organisational behaviours, HR has a role to play in ensuring the workplace culture is aware of issues around data. One thing HR could do to minimise the malicious leaking of information is ensure concerns are both raised and dealt with in a fair way that does not compromise the overall employee experience,” said David D’Souza, the CIPD’s head of London.

“There will always be a minority of people who are opportunistic, so there should be a shared responsibility between HR and IT on how to deal with such incidents, depending on their severity. Steps that can be taken to minimise the risk could be as simple as reminding people at the point they resign about rules on data protection around other organisations and information.”

Simon Rice-Birchall, partner at Eversheds Sutherland, added that employers should be conscious of data protection clauses in employee contracts, and aware of the data risks former employees could pose if guidelines are not explicitly included. 

“If an employee is still employed within their organisation, even if nothing is written in a contract of employment, they are under a legal obligation to not disclose confidential information,” he told People Management.

“However, once employment has ended, if there is no clause in the contract, only highly trade-secret, quality information would be protected – and there is no long-term obligation to keep company information confidential. Well-drafted contracts are therefore vital, because they protect employers once a contract has ended, and draw employees’ attention to the necessary obligations on their part.”

Even without malicious data leaks, the research suggests organisations are being put at risk by slapdash email behaviours, with more than a third (37 per cent) of respondents reporting that they do not always check emails before sending them. The biggest human factor in sending emails by mistake was ‘rushing’ (68 per cent), with almost one in 10 (nine per cent) employees admitting to accidentally sending sensitive attachments such as bank details or customer information.

“A broader problem for HR to consider could be high-pressure workplace cultures that result in employees sending emails without thinking, or when they are too tired to concentrate properly,” D’Souza said. “This is something HR needs to deal with not only from a wellbeing view, but from a productivity view.”

Almost half (46 per cent) of UK workers said they had received a panicked email ‘recall’ request during their careers, and 35 per cent admitted to sending a ‘fat fingered’ email themselves. Almost half (40 per cent) of accidental emails were reported to contain an insult about the recipient, rude jokes or swearing.

“Email is frequently misused by the UK workforce,” said Tony Pepper, CEO and co-founder of Egress. “While offending an accidental recipient may cause red faces, leaking confidential information can amount to a data breach. As we move towards the EU General Data Protection Regulation, it has never been more important to get a grip on any possible risk points within the organisation and, as this research shows, email needs serious attention.”

Under the General Data Protection Regulation, due to come into force in May 2018, organisations will need to disclose data breaches to the appropriate authorities within 72 hours. If the breach poses a high degree of risk to the rights of the individuals concerned, the business will need to inform the people affected as well.