Security Incident Dilemma: What Should Be Done About the Employee's Mistake?

An employee has uploaded some data into the company mail ID. The data consists of some standard templates. It was just saved in the drafts. However, the data was not sent to any external mail IDs or even downloaded. It was permanently deleted from Outlook. The backend team is working on this security incident.

Possible Actions for Security Incident

- What action can the company take for this security incident?
- Will the employee be terminated and blacklisted in this company?
- Is there any effect on his/her relieving letter?
- Can he/she work for another company in the future with this experience?

Please reply to this.

At this stage, the company may conduct an inquiry to investigate the motive of the employee for uploading some templates and saving them in the draft folder. Since the data transfer did not cross the boundaries of the employee's company, no breach of security has happened per se. However, the quantum of punishment would depend on the outcome of the inquiry or the employee's motive.

Authorization and Access Concerns

Have the authorizations for these templates been defined? Was the employee authorized to access those templates? If not, then why was access provided? Apart from punitive measures against the defaulting employee, the incident may call for an overhaul of the data security guidelines.

Are you the one involved in this and have referred to yourself as a third person in this post? Your queries in the post create doubt in the mind. Anyway, that is a different matter.

Thanks,

Dinesh Divekar

Hi Dinesh,

Thanks for your reply. It seems employees have access to the templates for project purposes, and some of the templates are confidential as per the company. One of my colleagues is involved in this security incident.

Please let me know if you need any further information or assistance.

Thank you.

Consequences of Sending Sensitive Information

The question will depend on whom your friend was sending the email to and why. I assume that it was not for internal purposes. If he/she was trying to send the templates to a friend at a competitor company, the company can definitely terminate him/her after giving an appropriate opportunity to defend himself/herself in a domestic inquiry.

If they are convinced it was an inadvertent error, they may only issue a warning. If termination occurs, it will naturally be stated in the relieving letter, making it difficult for her to secure another job in a large company for some time.

Regards

Clarification on Termination and Relieving Letters

What you have written is just a possibility. It is not the norm per se. If the employee is charged with any misconduct and is terminated, then termination itself is the highest form of punishment. Subsequently, issuing a relieving letter with negative comments about the separation is nothing but the destruction of the employee's career. This is a far more serious punishment than termination itself. Therefore, even after termination, many companies remain neutral and issue the relieving letter without positive or negative remarks. Nevertheless, a separate list of such ex-employees is maintained for their internal record purposes.

I have written this clarifying post for the benefit of the originator of this post, i.e., Sm312860. As he/she has been concerned about the career of his/her friend, let him/her not worry further.

Thanks,

Dinesh Divekar

Your Queries Paraphrased

i) An employee uploaded some data into the company mail ID;
ii) Data, which were standard templates, were saved in drafts;
iii) The data saved was not shared nor downloaded;
iv) Data was deleted from Outlook;
v) The back-end team is ascertaining a security incident;
vi) What disciplinary action can be taken for this security incident?
vii) Will the employee be terminated from the company and blacklisted?
viii) Is there any endorsement in his/her Relieving Letter?
ix) Can he/she be eligible for employment elsewhere in the future?

Guidance from Team Kritarth

1. Please adhere to the Service Rules adopted by your company (Commercial Establishment or Industrial Establishment as the case may be) and applicable to employees and others. In case no Service Rules (codified or otherwise exist), then refer to the Model Orders set in the Acts applicable to your establishment.

2. The Honorable Supreme Court of India has pronounced "Misconduct" as any act unworthy of employment. That is an eye-opener. You may act accordingly. Holding a properly conducted Preliminary Inquiry to ascertain prima facie facts will certainly help.

3. Any employee ought to be discharged from the Muster Roll of an establishment only after he/she is informed of the act of misconduct alleged against him/her and on the receipt of an explanation. Only after conducting a proper inquiry in accordance with the Principles of Natural Justice and then based on the Inquiry Report submitted with the findings to the effect that the allegation was established, his/her employment may be terminated. Keep in view that the punishment should be proportionate and not arbitrary.

4. It is the employer's privilege/prerogative to enter in the Relieving Letter whether service during employment was satisfactory or not satisfactory. To err is human, and the sole aim of any law in our land is correction, not mutilation. Scruple should be the guiding light.

5. Eligibility for employment consists of multiple factors such as academic achievements, hands-on relevant work experience, and other suitability. Let compassion perpetuate.

Team Kritarth welcomes all those who seek and wish to secure serenity.

Regards, Team Kritarth

Bengaluru Knowledge & Know-How Sharing Center,
25 March 2016

What are your company's security policies regarding data? Have they been published in a formal manner, and have employees been required to read, understand, and sign to acknowledge their awareness of company policies?

The investigation needs to determine why the employee did what they did, and if it was unintentional, the company can decide on the appropriate course of action. If the action was intentional, the company will proceed according to the company code of conduct.

I gave the possibility, not what will necessarily happen. You have provided alternate scenarios. Neither of us can be sure what the company will do as we don't know who they are, what exactly the work is, or why the incident happened. There are a lot of unknown factors hidden by the post. If this is a high-security financial BPO or similar, then they are likely very concerned about security. One such American company was just fined US$ 3 million yesterday for failing to stop an employee from sharing certain confidential information. This may also be a case of industrial espionage or whistleblowing (from the company's point of view, at least). If any of these cases are true, the company will definitely include these issues in the relieving letter. They might even damage the career of such a person. Thinking about it, HR in most companies often look for ways to damage the career of a person who is leaving. It seems they derive vicarious pleasure from such activities.

Regards

It was not sent. True. But why was it put in the mail in the first place? If the intent was to send it internally for official purposes, then I don't think you would be asking this question. And I don't think your company or its security team thinks that was the purpose. Companies with sensitive data will not wait for a breach to take place. They have systems that are designed for preventing a breach, and they would take very tight steps with anyone who even looks like they are thinking of a breach, forget planning one.

As I said in the previous post to Divekar, we are not privy to a lot of aspects of the investigation. So we can speculate about what possible outcomes will be. Maybe the company will find nothing wrong happened, give a warning, and let things go. If so, good for your friend.

Quote: "Hi Saswata Banerjee, Thanks for your reply. It's clearly mentioned in the first post that data is neither sent to anyone nor downloaded. It was uploaded in the drafts and has been deleted permanently."

Regards

Assessing Security Breach and Employee Consequences

Very useful inputs were given by the seniors above. However, you need to make a prudent decision since there is a breach of security. Find out whether you have a security/privacy policy in place, which you must have, and what acts are defined by it as a breach of security.

Though the information is not shared with any outsider, investigate the motives for uploading the details to find out whether it is a mere act of ignorance, an act of excessive jealousy, or a deliberate one, so as to ascertain the breach of trust. If so, how serious would the security breach have been in terms of financial loss, business implications, reputation, and the image of the organization?

A breach of security may be incidental or intentional. The latter involves a breach of trust which has a considerable bearing on the retention of employees in the organization. You need to take into consideration all these factors when an act of an employee warrants extreme termination to balance the individual interests, i.e., career and livelihood, and that of the organization, i.e., probable financial and business risks.

Regards, B. Saikumar

Navi Mumbai