Cyber and Employment Law

By DAC Beachcroft

Published 14 November 2022

Overview

We have seen an increase in the number and sophistication of threat actors carrying out ransomware attacks against companies. Frequently these involve exfiltration of employee personal data, such as the content of HR personnel files, with a threat to post sensitive employee details on the dark web unless the ransom is paid. HR data can be particularly vulnerable, sensitive and appealing to attackers.

During our Data Protection & Cyber Conference on 10 November 2022, we talked through some of the key practical and legal issues which arise from an HR perspective in relation to cyber breaches as follows:

Pre-breach

  • Staff training and awareness: The workforce plays a key role in preventing and identifying attacks. John Edwards, the UK Information Commissioner, has recently stated “the biggest cyber risk businesses face is not from hackers outside of their company but from complacency within their company”. The most important step that an employer can take in relation to its workforce is to train staff to be vigilant to cyber risks and to identify and report cyber breaches promptly.
  • Mapping HR data: Understanding the company’s framework for storing and processing employee data is vital. A central part of this analysis is how long HR records are retained and whether these periods are appropriate based on the employer’s processing purposes.
  • Monitoring: Tools that monitor employee activity must comply with the applicable laws and related guidance on workplace monitoring, including the requirement that the monitoring be proportionate. Systematic, routine monitoring for the purpose of identifying cyber risks is likely to be justifiable on proportionality grounds.

Post-breach

  • Triaging HR issues: Although the immediate priority will be to recover, preserve and protect the lost or stolen data, if the breach was caused by an employee (whether maliciously or otherwise), the employer may need to take decisive action regarding the ongoing relationship.
  • Managing communications with employees: The timing and wording of communications to staff are critical. Where the breach is likely to result in a high risk to the affected individuals, the employer will be required to notify affected staff under Article 34 of the UK GDPR. Even where Article 34 is not triggered, an employer may choose to tell staff what happened, taking into account the duty of mutual trust and confidence between employer and employee.
  • Dealing with data subject requests: Disgruntled current or former employees may exercise some of their data subject rights following a cyber incident (commonly DSARs and erasure requests), not least because exercising these rights costs them nothing.
  • Employee redress: In rare cases, where an individual is unsatisfied with the company’s handling of the breach and/or response to their data subject request, they may raise a complaint with the ICO and/or bring a privacy claim against the employer.