Employment Matters

Stopping data theft: effective workplace policy covering personal mobile devices

Stopping data theft: effective workplace policy covering personal mobile devices

A recruitment company’s business depends on exploiting information about candidates and trade connections to broker placements. That confidential information can be a tempting target to the data thief, such as a departing employee setting up in competition. Protecting it is vital, but often more difficult where the company’s computer network extends beyond the office to encompass smartphones and tablets. Having effective policies to manage the use of such devices in the workplace is crucial, although often overlooked.    

When the iPad was first launched, just over 5 years ago, it was aimed squarely at the living room not the board room; a toy for the tech-savvy twenty-something browsing the web from a sofa. And yet a host of business apps are now available for tablets and smartphones which have become commonplace in the office, where they are used to manage contacts, diaries and business networks, as well as for dealing with emails on the go.

If the uptake of smartphones and tablets in the workplace has been relatively swift, the implementation of corporate policies to properly manage their use has been slow. This is especially true for devices that enter the workplace via the ‘back door’, with employees bringing their own device to work and being given access to corporate databases, calendars and emails.

This is an issue for almost all businesses, but is particularly prominent in the recruitment industry, because confidential contact information is likely to be central to the recruitment company’s market position and because this is precisely the kind of information these devices are used to manage and store.

Monitoring is a particular problem with regard to employees using their own devices.  Without a clear policy, employees will be surprised if an employer starts looking through their private photos, text messages and other data on 'their' device.  It may even be necessary to wipe the device on termination of employment to safeguard the employer's information – something that could prove difficult without a clear policy in place.  It is also worth remembering that implementing adequate security policies to prevent confidential contact information being stolen is required under the Data Protection Act.  This stipulates that appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data.  

Effective policies will vary from one business to another, as they should be tailored to individual needs.  As a minimum, they should clearly set out how contacts made in the course of the company’s business are to be managed. If an employee is accessing corporate information on their own phone, issues like ‘syncing’ with home computers should be addressed, as should whether the employer will contribute to any costs relating to the device. Policies need to be effectively and clearly communicated to staff and such communications documented so that they can be relied on in future.  

A well thought out and properly communicated policy won’t necessarily prevent the theft and misuse of confidential information. However, where a breach occurs, it can be crucial in bringing about a quick and satisfactory resolution. There are a range of options for companies seeking to recover stolen data and prevent its misuse. If the damage to the victim is potentially very serious, an injunction preventing the misuse of the data may be appropriate. In some cases, the threat of civil litigation alone can be enough to force a satisfactory settlement.  Data theft can even give rise to criminal sanctions.

Whatever the appropriate approach in the circumstances, acting promptly and decisively can help to avoid becoming embroiled in protracted litigation, and help the company  protect what rightfully belongs to it.

Please contact Oli Gepfert or Egon Penzhorn, Solicitors in Dispute Resolution, to find out more.