Prevention is better than cure as they say! And that is certainly the case with cyber security and data protection. This has implications for employment law.
The WannaCry ransomware attack that crippled the IT systems of many organisations, including those of the NHS, once again highlights the importance of cyber security and data protection. Furthermore, the disruption that can be caused when there is a breach only goes to illustrate that the best approach to adopt when addressing cyber security and data protection is prevention. Cures are also extremely important, but they only alleviate the business disruption after a period of time. Prevention, quite obviously, stops the breaches from occurring in the first place, and the disruption is therefore avoided altogether.
Cyber Security & Data Protection: The Employment Law Implications
The reliance upon computers and IT systems nowadays is such that a breach can cause widespread disruption to businesses. Given this, it is essential that employers ensure that their employment contracts, and their employment law practices and procedures, incorporate the preventative measures that cyber security and data protection require.
Preventative measures that employers should consider adopting include:
- Confidentiality clauses and post-termination restrictive covenants in employment contracts, to prevent employees and former employees from disseminating confidential information about the company, its business partners, and its clients.
- Monitoring employees' use of IT. The employer's right to do this should be clearly set out in the employment contract.
- Providing cyber security and data protection training to educate employees about risks. A very basic example is making employees aware that they should not open emails and their attachments unless they know for certain who sent them. Employees should also receive training in what to do when a breach does occur, and what steps to take to limit the damage.
- Employers should have a clearly set out cyber security and data protection policy. This can be included in the staff handbook, or in a separate document. All employees should be made aware of the policies when training is provided. The policies should be regularly updated, and updated training provided.
- Employers should clearly convey in their staff handbook that any deliberate breach, or a breach brought about by an employee's reckless conduct, would constitute gross misconduct and that the employee will be subject to disciplinary sanctions.
- Employees should be encouraged to speak out internally about any concerns that they have. This not only allows them to bring problems that need addressing to the employer's attention, but, by ensuring that problems are resolved internally in an appropriate manner, it also prevents confidential information about the company from becoming public knowledge. For example, when an employee is unable to resolve a problem internally and then brings an employment tribunal claim, details that a business would prefer to keep private and confidential become public knowledge. This can be prevented by having robust internal procedures for resolving issues. Hence, employers should ensure that their whistleblowing policies are conducive to facilitating internal disclosure, and that they have effective grievance procedures for resolving employees' problems.