A number of recent cyber-incidents are a reminder of the risks associated with disgruntled or departing employees, who may be tempted to steal valuable data.
In June, US technology company Tesla revealed that a disgruntled employee hacked its computer systems and stole company secrets, passing them to third parties. Tesla is suing the former employee, although the person in question denies the allegations and says he was a whistleblower. Separately, a former programmer at security firm NSCO was caught selling code he had allegedly stolen from his former employer, while a former Apple employee is accused of downloading and taking sensitive content on driverless car technology.
THE THREAT WITHIN
Such cases illustrate the threat of insiders hacking and stealing data, as well as potentially altering code with malicious intent.
Verizon’s 2018 Data Breach Investigations Report found that 40% of the data breaches it analysed were perpetrated by internal operatives, while a report from PwC shows that current employees are the top source of security incidents – around 30% of incidents are linked to current employees.
Research from cyber security company Clearswift also found that the insider threat is the chief source of cyber security incidents. Direct threats from an employee now represent 38% of all incidents, while threats from former employees make up 13% of incidents, although most incidents are not malicious or intentional.
There are many reasons why an employee may resort to cyber crime. They might want to gain a competitive advantage when moving to a new employer or setting up their own business; they might be looking for data to assist in a criminal or fraudulent act; or they may just want to damage their employer following a dispute, or if threatened with redundancy.
Whatever the motive, a technically savvy employee can cause significant financial and reputational damage, using their access rights or knowledge of systems to steal intellectual property or personal data, or to conduct financial crime.
Many aspects of a malicious employee attack are insurable, such as the first-party cost of dealing with the breach, third-party liabilities and regulatory costs. Incidents where an employee has stolen personal data on customers or employees from their employer are not uncommon. Last year, healthcare provider Bupa warned customers that a rogue employee had stolen personal data with the intent to sell it to criminals.
In the US, three employees at the Department of Homeland Security were accused of stealing a computer system that contained data on over 230,000 employees.
This fact has not escaped regulators, who have instigated criminal proceedings against employees who steal personal data, such as taking client contact details with them when moving to a new firm. However, employers would, under the EU’s General Data Protection Regulation (GDPR), be required to notify the regulator of any breach involving personal data.
Last year, victims of a data breach successfully sued UK supermarket group Morrisons after a disgruntled employee stole and then published personal data belonging to 5,500 fellow employees. The case, the first data breach class action in the UK, saw Morrisons held vicariously liable for the actions of the former employee, despite having adequate controls in place to protect personal data.
Theft of intellectual property by an employee, however, is very difficult to insure under a cyber insurance policy because the financial impact can be hard to quantify. Cyber insurance can nevertheless cover defence costs and settlements where a data breach results in litigation from the loss of third-party data, such as client data or intellectual property belonging to a customer or business partner.