The legal risks and unintended consequences of remote working returned to the headlines last month when it was reported that the husband of a BP employee had pleaded guilty to insider trading. The husband made illegal share purchases after overhearing his wife talking about a deal whilst working from home.
Tyler Loudon admitted to making more than $1.7million in illegal profits from buying shares in a company called TravelCenters of America, which he purchased ahead of the company’s acquisition by BP – a fact he was aware of having overheard his wife’s work-related conversations. Mr Loudon faces up to five years in prison and a fine of up to $250,000.
Although there are many upsides to remote working, this case serves as a reminder to the risks and challenges that are opened up to the employer.
In this article, we explore some of the biggest risks to working remotely and the steps employers can take to ensure that these are appropriately managed;
- Breach of confidentiality risk to remote working
- Unethical and illegal employee behaviour
- Risks of departing employees who work remotely
- Key steps for employers in minimising the risks associated with remote working
Breach of confidentiality
One of the most immediate risks of home working from a business confidentiality perspective is the potential for sensitive conversations to be overheard.
Unlike the controlled environments of traditional office spaces, home offices lack soundproofing and privacy measures to prevent eavesdropping. Whether it is a family member, flatmate, or even a neighbour in earshot, the risk of unintentional disclosure looms large, threatening the confidentiality of sensitive discussions and information.
This was the case for Mr Loudon and his wife, who was ultimately dismissed from BP despite BP’s conclusion that she had not intentionally leaked any information to her husband.
Another significant risk associated with home working is the temptation to leave computers and devices unattended and unlocked and, therefore, vulnerable to unauthorised access.
This raises the potential for confidential information to be exposed to anyone with physical access to the device, which, in turn, increases the risk of data breaches and security incidents.
These practical risks can seriously impede an employee’s ability to comply with their regular duties of confidentiality under their employment contract and present a significant commercial risk to businesses that they should be alive to and take steps to address.
Unethical and illegal employee behaviour
Most employees are trustworthy and loyal, and deliberate wrongdoing, such as workplace fraud, is fortunately rare.
However, the illegal actions of just one employee can cause considerable damage to an organisation, both reputationally and financially – take the example of an employee who diverts payments intended for suppliers into a personal bank account. Not only has the business lost those funds, but the employee has also exposed inadequate security systems within the company, and potentially damaged ongoing commercial supply relationships.
Some employee wrongdoing may be less blatant than the example mentioned above. Those with solid knowledge of their employer’s systems and controls may be able to manipulate performance results. Enhanced results may, in turn, lead to higher personal bonuses or ensure that there is a bonus pool in the first place (if business results would otherwise fall short of the bonus threshold).
Hybrid working is now commonplace and undoubtedly creates enhanced opportunities for the minority of employees who are intent on unethical conduct. Employers who have fallen into an “out of sight, out of mind” approach in relation to staff who regularly work from home under a hybrid working policy may inadvertently embolden a dishonest employee who is willing to take the risk that their fraudulent behaviour will go unnoticed.
Warning signs of unethical and illegal employee behaviour
- Unauthorised accessing of data. Employers should ensure that they have a good understanding of which employees require access to proprietary data and confidential business information to properly perform their role. If it becomes clear that data has been accessed, viewed and processed by staff members who, on the face of it, have no reason to do so, then questions should be asked.
- Untoward employee behaviour. Personality changes or changes in behaviour can alert line managers to the fact that something is wrong. Examples might include an employee working excessive hours and a reluctance to take holidays or delegate (because wrongdoing could be uncovered by colleagues).
If you have concerns about deliberate unethical or illegal behaviour within your organisation our team of employment can offer confidential advice.
Risks of departing employees who work remotely
Employees considering departing a company or those working their notice period are also a potential risk area, heightened by remote working arrangements.
It is much easier for an employee who is working from home to access a company’s confidential information either with a view to taking it with them when they leave (perhaps to join a competitor), or simply for their own future benefit (think precedents, training documents or useful commercial information). These documents may be e-mailed to personal e-mail addresses, or perhaps printed off or photographed, and pose a risk commercially and reputationally.
Similarly, if an employee is working out their notice and feels aggrieved by the employer’s decision to terminate their employment, then it is possible that the employee may take active steps to take confidential information with them, or otherwise damage the employer’s reputation or client relationships.
Key steps for employers in minimising the risks associated with remote working
There are steps that can minimise the risks described above, most importantly:
- Remind employees of their ongoing obligations to maintain confidentiality, including whilst working remotely. Employees should treat working at home as an extension of office working for these purposes.
- Have robust policies and procedures in place that set expectations for remote working and information security. Ensure that employees have read and access these policies and are trained on them accordingly. Refresher training could be given at appropriate times, such as when a commercially sensitive deal is taking place.
- If an employee is working on a particularly confidential or sensitive project or matter, check with the employee that they feel able to maintain the necessary level of confidentiality at home and, if not, establish how the risk of any breach can be reduced. That might include encouraging employees to work in separate rooms if possible and ensuring IT equipment is properly secured at the end of each working day.
- Ensure your hybrid/remote working policies are effective and seamless. If employees can move easily between office and home and maintain their connection with colleagues and the business, there is less chance of individuals becoming disengaged and seeking to exploit opportunities.
- Operate effective security, systems and controls whether staff are in the office or elsewhere, for example through two-factor authentication and automatic screen-locking after inactivity. This is imperative in highly regulated industries, such as financial services, but it can receive less focus in businesses which do not face scrutiny from an external regulator.
- Consider siloed access to data. A review of which employees can access sensitive confidential information may reveal the need to tighten internal controls to reduce the risk that such information is misused. Some businesses operate IT and business information silos, with very limited or no access for teams that have no need to do so on a day-to-day basis.
- Review internal policies to ensure that they address employee fraud and outline the potential for dismissal for gross misconduct. In turn, regular fraud awareness training will assist line managers in understanding the warning signs to look out for and the investigation process to follow if fraud is suspected.
- Ensure adequate supervision. One of the best ways to reduce the risk of employee fraud is to minimise the opportunity for employees’ behaviour to go undetected. Employers should analyse reporting lines to identify and address any supervisory gaps which would allow employees to work under the radar for extended periods of time. Line managers should meet regularly with team members and adopt a consistent approach to supervision, regardless of whether staff are working from the office or at home.
- Consider monitoring employees (but be careful). Some employers have responded to the challenges of remote and hybrid working by expanding their employee monitoring, so that there is greater visibility in relation to employee productivity while working from home, and a means of quality checking work. Although this may assist with spotting untoward behaviour, it still requires a cautious approach and consideration of the legal implications (including under the UK data protection regime). One area that can legitimately be monitored is any e-mails sent to personal e-mail addresses that are not on the face of it personal and which include attachments that relate to client or other confidential data.
- If you are serving an employee with notice to terminate their employment and you perceive that they may be a risk to the business, consider making a payment in lieu of notice, to bring the employment relationship to an immediate end, or placing the employee on garden leave and limiting their access to systems. Employers should approach cutting or limiting access cautiously, but it is a common practice where an employee is on garden leave.
For more information or questions relating to the content within this article, please get in touch with the Fox Williams employment team.
Authors
Follow us online
