knowledge 8 September 2016 |

Could your business be the next ‘Emailgate’?

Clinton’s Emails - hdr22@clintonemail.com

‘Emailgate’ erupted in the early months of 2015 when it became known that, while Secretary of State, Clinton had used an email address, hdr22@clintonemail.com, on a private server for all her electronic correspondence, both work-related and personal. This was despite the fact that the State Department’s policy required employees to generally use department information systems to conduct official business and to obtain approval to conduct official business via a personal email account. In addition the Federal Records Act requires each agency to ensure the appropriate management, including preservation, of records containing adequate and proper documentation of the “organization, functions, policies, decisions, procedures and essential transactions of the agency”. It emerged in the course of the various ‘Emailgate’ investigations that many US government officials used private email accounts for official communications, although Clinton’s use of a private server was unusual.

Lessons from Emailgate

Many Irish businesses lack sufficient visibility over the level of employees’ compliance with their internal data protocols and policies, including how their employees communicate both internally and externally in relation to the business. This is despite widespread awareness of cyber security risks, including the recent growth in ransomware attacks and hacking.

In our experience, individuals habitually circumvent data protocols and policies either due to a lack of awareness of the relevant requirements or because they regard them as unduly cumbersome. This circumvention is not confined to junior employees. In common with Clinton’s Emailgate, in investigations we have found that senior officers or executives are just as likely as junior employees to bypass data protocols and policies for their own convenience.

Employee non-compliance with data protocols and policies raises significant legal and regulatory risks, as well as the potential for a disruption of operations, commercial losses and reputational problems arising out of a data breach.

First and foremost, sophisticated international fraudsters are increasingly targeting a wide range of businesses leading to an upsurge in cases where businesses have been defrauded of significant funds. In particular, we have seen a number of instances where fraudsters impersonating senior executives have successfully directed more junior employees to transfer funds to specific accounts. This may follow a cyber attack, often via personal devices, which fraudsters use to gain information on the whereabouts of senior executives and the identity of relevant employees. The direction to transfer funds is usually then timed for when one or more of the businesses’ senior executives is absent from the office at which point the fraudster contacts a junior employee, claims to be the relevant senior executive and directs an urgent transfer of funds to be made to a specified account, often in breach of the business’s funds transfer protocols. The employee then transfers the funds as requested, believing that he or she has been instructed to do so by a senior executive. While it may be possible to retrieve the funds subsequently, this depends on the jurisdictions involved and how quickly the fraud comes to light.

Secondly, regulators are increasingly focused on the issue of cybersecurity and a failure to ensure that employees comply with internal data protocols and policies may result in regulatory sanctions, including fines. Morgan Stanley Smith Barney LLC recently agreed to pay a $1 million penalty to the US Securities Exchange Commission following a client data breach. Closer to home, the issue of cyber-security remains high on the Central Bank of Ireland’s agenda (see our related briefings here and here) and we expect regulators in all sectors to focus more intensively on data security risk in future, particularly once the NIS Directive is implemented and the General Data Protection Regulation comes into force (see our related briefings here and here).

What business needs to do

Ensuring that your business effectively implements its data and technology use protocols and policies is essential and will equip you in the event of a cyber breach or other event, such as a regulatory review or litigation. Measures your business can take to ensure effective implementation include:

• establishing a “Digital Workplace Working Group” to review and consolidate all the relevant data technology use related policies of the organisation and regularly update them;
• ensuring that your data and technology use protocols and policies are clear, comprehensive, supported by senior management and updated regularly;
• training all employees on your data and technology use protocols and policies;
• ensuring your data and technology use protocols and policies are actively enforced, including through ad-hoc checks and regular audits;
• putting in place effective reporting or whistleblowing mechanisms for suspected breaches; and
• following up on any breaches of your data protocols and policies and imposing appropriate sanctions on those responsible.

It is important for each business to coordinate and consolidate all of its technology use related policies – computer use, email and internet use, remote working, own device usage (eg using one’s own personal smartphone for work) as well as LinkedIn use in the rapidly moving digital world. This involves senior management in the business, In-house counsel, IT, HR, Compliance and Risk coming together to address all the opportunities and risks and threats that the digital world presents to the business.

McCann FitzGerald can assist you in developing effective data and technology use protocols and policies, as well as health checking the policies you have in place. We have a multi-disciplinary team of experts ready to help if you experience a data breach, cyber attack and confidentiality breaches.