Your employees are probably engaging in risky online behaviour while at work. With a view to helping with your cyber-hygiene and legal compliance, we have set out a few reasons we know this and some tips to address it.
We routinely see cyber incidents, big and small, arise from employee behaviour. Sometimes, they are intentional acts of a rogue employee. Often, employees are not being careful enough or are not well trained. Studies confirm that even up to 82% of breaches involved a human element, such as social attacks, errors and misuse; and 43% of employees engage in risky online behaviour to circumvent authentication requirements.
There are many well known and published to-do lists which suggest a holistic approach to managing cyber risk in the workplace. For example, the Canadian Centre for Cyber Security has guidance on how to protect your organization from insider threats. The guidance includes:
- Screening employees who handle sensitive information
- Providing mandatory training and engaging in awareness activities
- Implementing and enforcing access controls to restrict user privileges, including multi-factor authentication (MFA)
- Data loss prevention software, such as those noted below, which use alerts and encryption to help prevent accidental or malicious data sharing and exfiltration
- Audits, including monitoring and logging detailed actions to detect unusual behaviour
We are seeing a shift towards greater expectations on organizations to actively monitor their electronic systems and implement technical security measures that would help detect and evaluate insider threats. See, for example, the BC Supreme Court’s recent decision regarding vicarious liability for an employee’s privacy breach and the OPC’s investigation of Desjardins. The latter case involved the extensive exfiltration of sensitive personal information by an employee over the course of 26 months. The Privacy Commissioner of Canada found, among other issues, that Desjardins’ data loss prevention solutions (DLPs) were insufficient, including that it did not have a user and entity behaviour analytics (UEBA) solution in place, and supported the active surveillance of employees’ use of technology, such as the implementation of extensive DLP solutions to monitor exfiltration risks, such as email, web navigation and copying to USBs etc. and a UEBA solution to monitor unusual behaviour.
Employee electronic monitoring policy – New changes in Ontario
As a compliance reminder, organizations in many jurisdictions in Canada are statutorily obligated (and it is a best practice) to notify their employees about monitoring, including how the information collected is used. Most often, these notices appear in employee privacy policies, handbooks, and systems/acceptable use policies.
Recent amendments to the Ontario Employment Standards Act, 2000 will require employers with 25 or more employees in Ontario to have an employee electronic monitoring policy in place, and to notify their employees about it. Employers are required to have the policy in place by October 11, 2022 and to notify employees within 30 calendar days (e.g. November 10).
Electronic monitoring can include a wide range of activities, such as GPS tracking, UEBA and DLP solutions, email monitoring, web browsing history review, and systems log information. The Ontario provincial government has published some guidance on the policy. The policy must describe:
- How and in what circumstances employers may monitor employees
- How the information collected may be used
- The dates the policy was prepared and when any changes were made
It is also good practice to establish security requirements, such as access limitations to the monitoring solutions and information, as well as retention and destruction parameters.
If your organization has any questions about reducing cyber risks, compliance and electronic monitoring policies, we would be pleased to help you. Please contact a member of our Privacy & Data Management Group.
Ryan Berger is a leading privacy and employment lawyer, with a primary focus on providing strategic advice to businesses and employers.
Ryan leads the firm’s Privacy Group and routinely advises public and private sector ...
Cory Sully is an associate in both the Labour, Employment and Human Rights Group and the Privacy and Data Management Group in Vancouver. Cory provides practical and strategic advice to clients regarding various issues relating to ...
Lawson Lundell's Privacy and Data Management Blog provides updates on the most recent issues emerging in the legal and business communities. We cover a range of issues, legal developments, and new technology as they impact privacy and data management. We will focus on how organizations can protect, manage and innovate with information considering the various risks, regulatory and governance requirements.
Legal Disclaimer: The information made available on this webpage is for information purposes only. It does not constitute legal advice, and should not be relied on as such. Please contact our firm if you need legal advice or have questions about the content of this webpage.