On June 20, 2019, the Desjardins Group, the largest federation of credit unions in North America, announced that information from approximately 2.7 million individuals and 173,000 business clients, representing almost 40% of Desjardins’ members, had been leaked outside the organization.

More than six months earlier, Desjardins flagged a suspicious internal transaction for police, who then commenced an investigation. It took several months before Desjardins learned about the full scope of the data breach, at which point millions had already been affected. The leaked information included names, addresses, birth dates, social insurance numbers, email addresses and transactional history.

Financial institutions such as Desjardins invest considerable resources in protecting customer information from external cyberattacks (though not always successfully, as Capital One users can attest).  In addition, they ask employees to sign agreements, attend training and consent to monitoring to prevent misuse and improper disclosure.

In this case, however, a single employee was responsible for the entirety of the data breach, carrying out an internal attack right under Desjardins’ nose.  What more can (and should) an employer do?

How the Rogue Employee Did It

While the details are limited on how exactly the Desjardins employee managed to execute this mass privacy breach, reports indicate that he gained and then manipulated the trust of his colleagues, acquiring their passwords and using them to access prohibited information. Desjardins likely provided training and had policies regarding sharing passwords and the importance of client confidentiality, but multiple instances of human error and lack of judgment combined to allow this employee to access and divulge highly confidential data.

Balancing Employee Rights and Employer/Customer Interests

When considering how to properly protect against privacy breaches in the workplace, a central tension is that employees have a right to know how their information is being used and collected, while employers have the right to collect necessary information to manage the business, including information about employees and what they do.

Effective privacy management policies that consider employee rights helps businesses ensure their data is protected and that they maintain a positive public image. Employers can achieve the proper balance by ensuring that they obtain employee consent before collecting any personal information, and by clearly outlining the purpose for which the information is being collected. Employers should implement data collection practices that are proportionate to their business, as well as specific employees. For example, IT professionals should be subject to more extensive monitoring than clerical workers, given their greater access to sensitive information.

Stepping Up the Response to Potential Privacy Breaches by Employees

While it may be tempting for employers to place the blame solely on a bad apple employee, finger-pointing will be meaningless if employers cannot show that they have done their due diligence.  Prevention and early detection are critical.  Employers must adopt practices to deter and thwart even the most motivated bad apple, but without violating all employees’ reasonable expectations of privacy in the workplace.

Basic workplace policies are only a starting point in preventing such breaches, such as those mandating pre-employment background checks or stipulating confidentiality obligations. With the increasing sophistication of hackers and the technology and methods they use, however, more elaborate measures are necessary. Examples of such measures include:

• Running mock privacy “drills” (i.e. sending an email that appears suspicious to all employees and assessing how they respond to it).

• Protecting company devices with encryption and strong passwords, that employees must regularly change.

• Conducting audits to assess which employees are accessing company information, and for what purpose.

• Requiring regular, mandatory employee reports about confidentiality concerns or lapses.

These practices will not be appropriate in every workplace. Before enacting such measures, employers must consider whether they retain sensitive private information that could harm the business or customers if divulged. For example, a restaurant or retail store will not have much use for such in-depth measures as they do not retain sensitive customer information. They may wish to consider more basic employee monitoring practices, such as installing surveillance cameras.

PH Takeaways

Preventative measures are costly, but less so than dealing with the fallout – Undoubtedly, Desjardins will be focused on preventing such breaches going forward, but they must deal with the immediate impact first. Extensive damage control is not cheap, however, as Desjardins reported it has already spent $70 million this fiscal quarter in response to the privacy breach. Despite swiftly implementing costly measures, it is too early to tell whether lasting damage has been done to Desjardins’ reputation. Current and potential members may be understandably disappointed that such a large-scale privacy breach could take place without Desjardins taking notice.  The cost of increased preventative measures will be dwarfed by the immediate and long-term costs to repair the harm from this breach.

Beyond policies, employers must ensure a range of specific practices are adopted to protect against privacy breaches – While the headlines are dominated by the possibility of external, international cyberattacks, employers should consider the worst-case scenario – i.e. how their own employees could compromise their data. Employers must ensure they have extensive measures in place to spot and protect against a privacy breach despite human and technological errors, even if there is no apparent threat on the horizon.

Employers must balance their need to collect information with the privacy expectations of employees – While high-profile privacy breaches may push employers to adopt sweeping privacy reforms in the workplace, they must ensure that they are not overstepping their bounds with respect to employees. If personal information is collected from an employee (including keystroke data, internet traffic, and data volume), the employee must consent and be made aware of the reason for collecting such information. It would be impractical to obtain consent at the time of each collection.  Practically, employers can obtain consent through policies and protocols discussed at the time of hiring and addressed in annual reviews or meetings.

Swift and certain punishment is key – Employers must be consistent and timely in imposing discipline with respect to privacy breaches. If there is any hint that an employer tolerates privacy breaches in the workplace, it may limit their ability to impose discipline going forward. For example, employers cannot rely upon a privacy policy to justify terminating an employee for cause if they did not previously enforce the policy in similar circumstances. Further, swift punishment will demonstrate to other employees the potential severity of committing a privacy breach.

This blog was written by Chetan Muram, who is no longer with Piccolo Heath LLP.