Risk of Data Theft while Working from Home – What Businesses can do?


INTRODUCTION

Amidst the COVID-19 lockdown, work from home has become the new norm. Some businesses and corporates were already used to such a structure, having implemented working from home for their employees as a usual course of things, but with the COVID-19 pandemic it has become a necessity for almost all kinds of businesses and organizations to mandatorily allow their employees to work from home.

Even before the announcement of a complete lockdown, the Ministry of Corporate Affairs came up with an advisory dated 20.03.2020 on preventive measures to contain the spread of COVID-19 (the coronavirus), wherein the Ministry inter alia strongly advised all Companies and LLPs to put in place an immediate plan to execute the “Work from home” policy, including opting for meetings through video conference or other electronic/ telephonic/ computerized means.

In the current situation, an unprecedented number of people are working from home for the foreseeable future, and we're dealing with everything from childcare to simply trying to find a quiet space for a call or to get work done. Our homes have become our offices and, in the rush to keep things going, we're using new systems and adhering to security policies in a way that's the least troublesome for our businesses.

At the same time, the boundaries between work and private life are breaking down: business is being done over home ISPs, with unmanaged routers and printers, home automation systems in the background and even partners and children listening in on conversations or sharing machines while working for different organizations.

This creates a big dilemma for businesses/ organizations. On the one hand, business continuity is the need of the hour in order to survive and thrive despite the unusual circumstances presented this year; on the other hand, the safety of their data, which mainly includes client data, is also a primary concern.

In today’s world, Data is a very valuable asset for any organization. Data which an organization possesses could be anything like personal data of the clients, financial details, confidential data, in-house data generated during the course of business activity, trade secrets, software, etc.

Data in electronic form is not only easy to steal, but the quantity in which it can be taken is formidable. Any breach of data could result in serious consequences for an organization.

DATA THEFT

‘DATA THEFT’ in simple terms means an act of illegal/ unauthorized copying, removal or stealing of confidential, valuable or personal data/ information from an organization or business without its knowledge or consent. Data theft could be with respect to stealing or hacking passwords, financial or banking information, personal information of clients/ other employees, information of importance to a body corporate like trade secrets, client database, software, source codes, confidential information, information which the body corporate is bound to protect, hacking into databases and many more in line with these.

Employees are undoubtedly the biggest assets for any organization. However, if the employees are negligent about following the security measures set up to protect the company’s data or if they themselves do something with intent to compromise someone’s privacy or to obtain confidential information, they could become its biggest liability.

Such an act by an employee casts liability not only on the offending employee but also on the body corporate which possesses or deals with any such sensitive personal data or information.

Section 43A of the IT Act provides that whenever a body corporate possesses or deals with any sensitive personal data or information and is negligent in maintaining reasonable security to protect such data or information, thereby causing wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages to the person(s) so affected.

Further, Section 72A provides for the punishment for disclosure of information in breach of lawful contract: any person who makes such a disclosure may be punished with imprisonment for a term not exceeding three years, or with a fine not exceeding five lakh rupees, or with both.

Now the question arises as to what an employer should do: firstly, to prevent data theft and, secondly, to punish the offenders in case of a data theft.

MAJOR CYBER SECURITY RISKS OF WORKING FROM HOME

The most important element of effective security in a time of change is to realize that while you can do anything, you can’t do everything. The job of security is not to eliminate all risks, because all threats are not equally dangerous or likely, and they won’t all be exploited at once. Discuss risk early and often, and revisit triage on a regular basis. The risks you face today will not be the ones you face next week or the week after.

The major risks businesses face with regard to data theft and cyber security are given below:

Hackers can manipulate VPNs without a view of the whole

Virtual private networks, or VPNs, have become the new lifeline for many businesses, extending encrypted networks into our homes. However, many home networks are already infected with malware or contain compromised hardware, which can easily be exploited for staging attacks through machines that terminate the VPN. A compromised identity or machine, especially when behavioural baselining on the backend is in flux, can allow hackers to piggyback through the VPN. Once the VPN is in place and active, it’s critical to have endpoint integrity checking and strong authentication in place as well.

There are also vulnerabilities in VPNs themselves that need to be understood and internalized rather than blindly trusting the product, and many applications that are becoming the new critical IT infrastructure will see new vulnerabilities. This is not cause for panic, but it does mean you need to talk to vendors and plan for patching and failover. Remember, vendors, too, are going through change and doing triage on their support and escalations, but start the dialogue now. Contact your hardware or software providers to ensure configurations and policies are in order, starting with the VPN, endpoint and identity solutions.

Endpoint first, then mobile

Although there are many endpoint challenges, the first priority is to ensure critical business processes recover. Then, make sure the new enterprise footprint is brought into the fold from a policy and control perspective. Next, focus on mobile, which is the most pervasive and ubiquitous platform in our personal lives. Employees who have to learn new devices and applications will turn to their phones even more than usual because they feel familiar. Most companies have established policies defining what can and can’t be done with mobile phones, but set these policies if you don't already have them. Cyber criminals will start with identity theft and classic machine exploits, but they'll think of new ways to target them before moving on to other devices. Get ahead of mobile threats before dealing with other devices.
 
Information can be weaponized

In the past few weeks, attackers have started taking advantage of human weaknesses. For example, hackers developed a malicious mobile application posing as a legitimate one developed by the World Health Organization. A vulnerable person could easily mistake this malicious app for a real WHO app. Once installed, the application downloads the Cerberus banking trojan to steal sensitive data. These types of attacks essentially weaponize tools and information, because they can easily be done with applications that provide legitimate benefits, too. Before, attackers had to plan their cons for diverse interests and lures, but right now the entire world has a shared crisis. COVID-19 has become our common watering hole, but with the right awareness and education, we will be able to defend ourselves.
 
Physical location matters again

When employees take their machines home or use their home machines for work, those machines now sit in a physical and digital space unlike any within the office. Between routers, printers, foreign machines, devices, gaming consoles and home automation, the average home has a more complex and diverse communication and processing system than some small companies.

Employees might be taking conference calls within earshot of family members or even employees of other companies. Nothing should be taken for granted when it comes to the privacy of employee homes. Simple policies are important — these are relevant not only to security but also to privacy in general. Should employees have cameras on or off for meetings?  Should they wear earphones? Should they take notes on paper or digital applications? How should they handle viewed or created IP or PII? What communications applications are acceptable? What happens when others intrude, see notes or overhear discussions? These questions might seem trivial, but you need to address them up front. Above all, listen and adapt when things aren't working.
 
These four areas are far from a complete list of the cyber security concerns you need to address. If you’ve got these under control, enumerate the risks that remain, sort them by order of importance and deal with them methodically.

Security is never "finished" because the opponent is never finished; cyber criminals are endlessly innovative and adaptive. In the words of Winston Churchill, "Never let a good crisis go to waste." Use this as the chance to start a new, ongoing security dialogue within your business.

“PREVENTION IS ALWAYS BETTER THAN CURE”

Some of the preventive measures that an organization can take, notwithstanding the size of an organization, are as follows:
  • Work from Home and Data Protection Policy for Employees: A detailed and well drafted WFH/ data protection policy is very important for any organization. This is especially so for corporate bodies that ‘possess, deal or handle’ any ‘sensitive personal data’, as a leak of such personal data gives a cause of action in favour of the concerned person, which could land the organization in a legal battle. Such a policy should clearly define the types of data, like ‘personal data’, ‘confidential data’, ‘trade secrets’, etc. It should also identify all data that an employee is permitted to access, and state that data created by the employee in the scope of their employment is the property of the company. It should contain dos and don’ts so as to enable employees to understand their rights and limitations. Organizations may also choose to put the policy on their website, which will build the confidence of their clients.
  • Consent from employees and educating employees of the WFH policy: Merely having a policy in place is not going to help organizations much until they have the consent of the employees to such policy. Organizations may also take steps towards implementing the policy by educating their employees about it and letting them know the risks associated with a breach.
  • Non-disclosure and confidentiality clauses in the Employment contract: It is very important that the non-disclosure and confidentiality clauses in an employment contract are clearly defined and drafted in such a manner that they can be enforced in a court of law and are not hit by Section 27 of the Indian Contract Act as void. Such clear clauses bind an employee not to disclose data and other confidential information of the company to third parties outside the course of business.
  • Use of Better technology: As far as possible, companies should provide their own encrypted or protected computers, devices, and systems to their employees so as to prevent the employees from installing any software or hardware. Proper firewalls should be enabled so as to prevent outsiders from entering the company network. Companies should not allow employees to create CDs/DVDs or copy data to USB drives unless there is a business need. Good anti-virus and anti-spyware software should be used.
 
CORRECTIVE MEASURES

Once theft occurs, the employer can take the following legal actions against the culprit employees:
  • Civil suit for breach of contract: A civil suit may be filed against the culprit employees for violating the WFH/ data protection policy and breaching the terms of the employment contract like non-disclosure, confidentiality.
 
  • Information Technology Act, 2000: In India, cyber laws are majorly governed by the IT Act and the Rules framed thereunder. Provisions of the IT Act such as Section 43 (Penalty and compensation for damage to computer, computer system, etc.); Section 65 (Tampering with computer source documents); Section 66 (Computer related offences); Section 72 (Penalty for breach of confidentiality and privacy); and Section 76 (Confiscation) can be taken recourse to, depending upon the nature of the theft.
 
  • Indian Penal Code: Section 403, 405 and 408 – Dishonest misappropriation of property & Criminal Breach of Trust: As the employees are entrusted with the data/ information by the employer during the course of their employment, if an employee dishonestly misappropriates or converts to his own use or dishonestly uses or disposes of that data/ information, he/she may be charged under this section.

    Section 378 – Theft: This section deals with the theft of movable property, and the law at present is not clear whether ‘data/ information’ in its virtual form can be termed movable property or not. However, if the data/ information is stored in a hard disk, pen drive, computer, CD/ DVD, floppy, etc., such things act as a medium, the medium is movable property, and if that medium is stolen, the person can be made liable for such act under this section.
 
  • Copyright infringement under the provisions of the Copyright Act.
 
  • In addition to the above, if the stolen data is shared with other parties (such as competitors), the victim can bring an action of criminal conspiracy, collusion, and furtherance of common intention, which makes such other parties accomplices in the commission of the stealing of data.

CONCLUSION

Considering the value, quantum and at the same time vulnerability of the data, it is imperative for any organization/ corporate body to take the abovementioned preventive measures. Since Indian law on this issue as it stands today is not clear and remedies are scattered, the best strategies to prevent or minimize loss include: (1) development of a comprehensive set of policies and procedures, (2) deployment and verification of IT security controls, and (3) if necessary, seeking legal redress.