A Brisbane-based intellectual property and information security lawyer has warned Australians could unwittingly be compromising confidential business or personal information.
Nicole Murdoch of Bennett and Philp Lawyers said employers should be wary of allowing their staff to use their own laptops or portable devices for work, as this poses a high risk of confidential information being compromised.
“Confidential business information or personal information innocently loaded on a staff member’s mobile phone, laptop or tablet is vulnerable and may not be protected by a business’s security measures,” she said.
“If the employee has malicious intent, that information could then be shopped to business rivals or put on the dark web.”
According to Ms Murdoch, employers should take the risks associated with technology seriously, as they could be putting confidential information in jeopardy without knowing it.
“Portable storage devices are prevalent and it would be easy for someone to download an employer’s customer database or source codes onto an external hard drive or even a USB stick drive,” she said.
“Almost 40 per cent of data breaches occur through user devices. If an employee resigns or is dismissed, they could effectively walk away with the employer’s company secrets and personal information of its customers.”
Ms Murdoch added: “In the world of protecting your personal information, trade and business secrets, employers need to become harder toward the line between work and private computers and assorted data devices.
“If someone has your entire client list, marketing strategy and pricing on their private laptop, your business has become very vulnerable because your crucial business data and the personal information of your customers is now outside your control.”
The issue of data security will become more sharply defined in 2018, Ms Murdoch said, with new mandatory data breach notifications coming into effect in February under the provisions of the Privacy Act.
These provisions will require companies subject to the Privacy Act to notify the Information Commissioner and affected individuals when personal data held by that company is compromised and there is a risk of serious harm from the breach.
“Thus in terms of laptops, if the person holds personal data on the laptop and it is lost, or otherwise compromised then the company may need to make that notification. That will cause reputational damage to that company and the loss itself may harm the individuals concerned,” said Ms Murdoch.
“The issue for businesses is that they may have a lax attitude to BYO devices. The business must ensure that it protects the security of the laptop and other devices – even though the company does not own the device. There will be conflict between the company who wants to control the laptop and the employee who wants to control its own laptop.”
Another change looms in May, Ms Murdoch noted, with the General Data Protection Regulation (GDPR) – an EU regulation.
“That regulation also has a data breach requirement and puts very strict regulations on traders regarding the information which must be given to consumers regarding their data, relationships the trader may have with those who process the data, the level of consent by consumers and how data is to be secured,” she said.
Ultimately, however, Ms Murdoch said her warning is not about distrusting employees, but rather a caution for businesses to keep control of their business secrets and the personal information they hold in an age of sophisticated data storage systems.
“In the old days, a firm’s business secrets stayed within the walls of its bricks and mortar building,” she said.
“In the digital age now the rules have been changed and employers need to realise the risks of allowing business information and personal information to be shared around outside the formal work environment.”