A Brisbane-based intellectual property and information security lawyer has issued a warning to Australian professionals, saying they could be compromising confidential business or personal information without knowing.
Bennett and Philp Lawyers' Nicole Murdoch said employers should be wary of allowing their staff to use their own laptops or portable devices for work, as confidential information could easily be compromised.
“Confidential business information or personal information innocently loaded on a staff member’s mobile phone, laptop or tablet is vulnerable and may not be protected by a business's security measures," she said.
"If the employee has malicious intent that information could then be shopped to business rivals or put on the dark web."
Ms Murdoch said employers need to be taking risks associated with technology seriously, noting they could be putting confidential information in jeopardy without knowingly doing so.
“Portable storage devices are prevalent and it would easy for someone to download an employers’ customer database or source codes onto an external hard drive or even a USB stick drive," she said.
“Almost 40 per cent of data breaches occur through user devices. If an employee resigns or is dismissed they could effectively walk away with the employer’s company secrets and personal information of its customers.
“In the world of protecting your personal information, trade and business secrets, employers need to become harder toward the line between work and private computers and assorted data devices. If someone has your entire client list, marketing strategy and pricing on their private laptop, your business has become very vulnerable because your crucial business data and the personal information of your customers is now outside your control."
Ms Murdoch said the issue will become more sharply defined in 2018, with mandatory data breach notifications applying from February under the provisions of the Privacy Act. The provisions will require companies, subject to the Privacy Act, to notify the Information Commissioner and affected individuals when personal data held by that company is compromised and there is a risk of serious harm from the breach, she explained.
“Thus in terms of laptops, if the person holds personal data on the laptop and it is lost, or otherwise compromised then the company may need to make that notification. That will cause reputational damage to that company and the loss itself may harm the individuals concerned," Ms Murdoch said.
“The issues for businesses is that they may have a lax attitude to BYOD devices. The business must ensure that it protects the security of the laptop and other devices – even though the company does not own the device. There will be conflict between the company who wants to control the laptop and the employee who wants to control its own laptop.
“Another change looms in May with the General Data Protection Regulation (GDPR) – an EU regulation. That regulation also has a data breach requirement and puts very strict regulations on traders regarding the information which must be given to consumers regarding their data, relationships the trader may have with those who process the data, the level of consent by consumers and how data is to be secured.”
Ultimately, however, Ms Murdoch said her warning is not about distrusting employees but rather a caution for businesses to keep control of their business secrets and the personal information they hold in an age of sophisticated data storage systems.
“In the old days, a firm’s business secrets stayed within the walls of its bricks and mortar building. In the digital age now the rules have been changed and employers need to realise the risks of allowing business information and personal information to be shared around outside the formal work environment,” she concluded.