What Action Can Company Take On Employee For Security Breach Incident ? - CiteHR
Dinesh Divekar
Business Mentor, Consultant And Trainer
Saswatabanerjee
Partner - Risk Management
Kritarth Consulting
Spl Educators Posh Programs; Hr & Ir
Nathrao
Insolvency N Gst Professional
+1 Other

Cite.Co is a repository of information created by your industry peers and experienced seniors sharing their experience and insights.
Join Us and help by adding your inputs. Contributions From Other Members Follow Below...
An employee have uploaded some data into company mail id. Data is some kind of standard templates. It was just saved in the drafts. However data is not sent to any external mail ids / not even downloaded. It was permanently deleted from outlook. Backend team is working on this security incident..!!
 - So, What action can company take for this security incident ??
 - Will the employee get terminated and  blacklisted in this company ?
 - Any effect in his/her relieving letter ??
 - Can he/she work for another company in future with this experience ?
Please reply on this...
Community Prime Sponsors
FactoHR.com - Payroll Software with GPS Enabled Attendance, Travel, Performance Management, HRMS.
Talentedge.com "Interactive Anywhere Learning". Executive courses from top reputed institutes like IIM, XLRI, MICA.
Dear Sm312860,

At this stage, the company may conduct the enquiry to investigate the motive of the employee to upload some templates and save these in the draft folder. Since the data transfer did not cross the boundaries of the employee's company, no breach of security has happened per se. However, quantum of punishment would depend on the outcome of the enquiry or the employee's motive.

Secondly, has the authorisation of these templates been defined? Was the employee authorised to access those templates? If not, then why was he provided the access? Punitive measures against the defaulting employee apart, the incident may call for overhaul of the data security guidelines.

Are you the one who is involved in doing this and have referred yourself as third person in this post? Your queries in the post create a doubt in the mind. Anyway, that is a different matter.

Thanks,

Dinesh Divekar


Hi Dinesh,
Thanks for your reply. It seems employee have access to the templates for project purpose and some of the templates are confidential as per the company.
And one of my colleague have invloved in this security incident.
The question will depend on whom your friend was sending the mail to, and why.
I assume that it was not for internal purposes. He / she was trying to send the templates to a friend of a competition company
The company can, definitely, terminate her after giving aappropriate opportunity to her to defend him / her self in a domestic inquiry.
If they are convinced she was making an inadvertent error, they will only giver her a warning.
If they terminate her, then naturally it will be stated in her relieving letter and it will be difficult for her to get another job in a large company for some time.
Hi Saswata Banerjee,
Thanks for your reply.
Its clearly mentioned in the first post that data is neither sent to any anyone nor downloaded..! It was uploaded in the drafts, and have deleted permanently..!
Dear Mr Saswata Banerjee,

You have written that "If they terminate her, then naturally it will be stated in her relieving letter and it will be difficult for her to get another job in a large company for some time."

What you have written is just a possibility. It is not norm per se. If the employee is charged for any misconduct and if he/she is terminated then termination itself is the punishment of the highest kind. Thereafter, issuing relieving letter with negative comments about separation is nothing but destruction of the career of the employee. This is far more serious punishment than termination itself. Therefore, even after termination also, many companies remain neutral and issue the relieving letter without positive or negative remarks. Nevertheless, a separate list of such ex-employees is maintained for their internal record purposes.

I have written this clarifying post for the benefit of the originator of this post i.e. Sm312860. As such he/she has been niggling about the career of his/her friend. Let him/her not niggle still further.

Thanks,

Dinesh Divekar
Dear Guidance Seeker,

Your Queries Paraphrased:- i) An employee uploaded some data into company mail id; ii) Data -standard templates- was saved in drafts; iii) Data so saved was not shared nor even downloaded; iv) Data deleted from outlook; v) Back end team is ascertaining security incident; vi) What Disciplinary action can be taken for this security incident; vii) Will the employee get terminated from the Company and blacklisted; viii) Any endorsement in his / her Relieving Letter; and ix) Can he / she be eligible for employment elsewhere in future.

Guidance from Team Kritarth:-

1. Please adhere to the Service Rules adopted by your Company (Commercial Establishment or Industrial Establishment as the case may be) and applicable to Employees & others; In case No Service Rules (codified or otherwise exist) then refer to the Models Orders set in the Acts applicable to your Establishment.

2. The Honorable Supreme Court of India has pronounced "Misconduct" as Any Act Unworthy of Employment. That is an Eye-Opener. You may act accordingly. Holding a properly conducted Preliminary Inquiry to ascertain prima facie facts will certainly help;



3. Any Employee ought to be discharged from the Muster Roll of an Establishment only after he /she is informed of the Act of Misconduct alleged against him /her and on the receipt of Explanation, only after conducting a proper Inquiry in accordance with the Principles of Natural Justice and then based on the Inquiry Report submitted with the Findings to the effect that the allegation was Established, his/her Employment may be terminated keeping in view that the Punishment be proportionate and Not Arbitrary.

4. It is Employer's Privilege /prerogative to enter in the Relieving Letter whether Service during Employment was Satisfactory or Not Satisfactory. To err is Human and the Sole Aim of any Law in our Land is Correction Not Mutilation. Scruple be the Guiding Light.

5. Eligibility for Employment consists of Multiple Factors such as Academic Achievements, Hands-On Relevant Work Experience and Other Suitability. Let Compassion perpetuate.

Team Kritarth Welcomes all those who seek and wish to Secure Serenity

Team Kritarth

/ /

Bengaluru Knowledge & Know-How Sharing Center,

25 March 2016
What are your company security policies with regard to data?
Have they been published in some formal fashion and employees made to read,understand and sign in token of having been made aware of company policies.?
The investigation has to pinpoint why and what for did the employee do whatever he/she did and if inadvertant then company can take a call.
Otherwise if intentional then action as per company code of conduct.
Dear Divekar,
I gave the possibility, not what will necessarily happen.
You have given the alternate scenarios.
Neither of,us can be sure what the company will do as we don't know who they are, what exactly the work is or why the incident happened. There is a lot of unknown factors hidden by the post. If this is a high security financial bpo or similar, then they are paranoid about security. One such American company just got fined us$ 3 million yesterday for failure to stop employee from sharing certain confidential information. This also may be a case of industrial espionage or whistle blowing (from company point of view, at least). If any of these cases are true, the company will definitely put these things in the relieving letter. They will happily destroy the career of such a person.
Coming to think of it, HR in most companies look for ways to destroy the career of a person who,is,leaving. I think they derive vicarious pleasure from such activities.
Dear Poster,

It was not sent.

True

But why was it put in the mail in the first place ?

If the intent was to send it internally for official purposes then I don't think you would be asking this question.

And I don't think your company or its security team thinks that was the purpose.

Companies with sensitive data will not wait for a breach to take place. They have systems that are designed for preventing a breach. And they would take very tight steps to anyone who even looks like they are thinking of a breach, forget planning one.

As I said in the previous post to,Divekar, we are not privy to a lot of aspects of the investigation. So we can speculate about what possible outcomes will be. May be the company will find nothing wrong happened, give a warning and let things go. If so, good for your friend.

Quote :

Hi Saswata Banerjee,

Thanks for your reply.

Its clearly mentioned in the first post that data is neither sent to any anyone nor downloaded..! It was uploaded in the drafts, and have deleted permanently..!

Posted Yesterday

This discussion thread is closed. If you want to continue this discussion or have a follow up question, please post it on the network.
Add the url of this thread if you want to cite this discussion.






About Us Advertise Contact Us
Privacy Policy Disclaimer Terms Of Service



All rights reserved @ 2019 Cite.Co