The Dangers of Home-Working and Confidentiality

Background 

In the aftermath of Covid-19, most workplaces adopted a hybrid-working policy to ease employees back into office life after the nationwide lockdowns. 

Although employees should be alive to the sensitive information in which they deal with daily, hybrid working undeniably places employees in a more susceptible situation where confidential information can be misused as discussed below.

Summary

Earlier this year, BBC news reported that a BP employee in the United States had been dismissed and her husband charged with insider trading after he overheard and misused confidential information about the oil giant’s proposed acquisition of an American company whilst the couple were both working from home. The employee’s husband purchased 46,450 shares before the deal was made public and made an illegal profit of $1.76m once the share price rose after the acquisition. BP were unable to find evidence that the employee had knowingly leaked the information to her husband, however she was still dismissed from her role as a mergers and acquisitions manager within the company.

Despite this being a US case, it serves as an important reminder for employers of the potential confidentiality risks that can arise when staff work remotely. In this post, we examine whether, had this occurred in the UK, the decision by BP would be considered ‘fair’ in the circumstances in accordance with UK employment legislation and best practice. We also outline the practical steps that employers can take to better protect their confidential information in light of home-working arrangements. 

Was BP’s decision to dismiss their employee fair?

Any employee with over two years’ continuous service has the right not to be unfairly dismissed. The dismissal of such an employee will be unfair unless the employer can show the dismissal was one of five potentially fair reasons and that the employer acted reasonably in treating that reason as a sufficient reason for dismissal. The five fair reasons are: redundancy, capability, illegality, conduct and some other substantial reason. A breach of confidential information provisions in circumstances like this could amount to gross misconduct and justify immediate dismissal as explained further below.

The BP employee argued that her husband purchased the shares without her knowledge, however during the investigations, she revealed that from working within 20 feet of each other at home, the couple often overheard and witnessed each other’s work-related conversations. Given her role as a mergers and acquisitions manager, she would have been aware of the level of sensitivity involved in the transaction and the potential risks that could have arisen if such information was leaked. Although there is an implied level of trust between spouses, the employee should arguably have taken reasonable precautions to avoid her husband (or anyone else) overhearing the sensitive information in the first place. The employer would have had a stronger case to dismiss fairly if they had implemented some of the protections we discuss below into their working practice. Ultimately, the fairness of the dismissal will depend upon the specific factual circumstances at the time. However, where criminal proceedings have been initiated as a consequence of the confidential leak, it is likely BP would have still lawfully dismissed the employee on grounds of misconduct had this taken place in the UK. To minimise the risk of claims being bought against the company, employers should always seek legal advice before taking any steps to dismiss an employee when faced with this type of data leak.

Practical Steps

Where a company regularly deals with sensitive information, a court will only consider it to be classed as ‘confidential’ if the holder of the information has taken steps to maintain its secrecy. Employers should do more than just label information as ‘confidential’ to reduce the risks of data leaks inside and outside of the office. Some of the practical steps that can be adopted by employers to reduce these risks are detailed below.

1. Employment Contract

It is advisable for an employee’s contract to set out clear expectations in respect of their confidentiality obligations to the company and the use and/or misuse of confidential information. These provisions will typically outline to the employee what constitutes confidential information and remind the employee that they have ongoing obligations of confidentiality to the company, which continue even after the termination of their employment. Subject to the nature of the business and type of role of the employee, the company may also want to consider whether bespoke intellectual property provisions should be included in the contract.  

2. Policies and Procedures

Another way to reduce potential leaks of confidential information is by ensuring internal company policies are kept up to date and regularly circulated to employees, such as specific ‘work from home’ policies. Employers could choose to impose conditions on their remote employees in order to better protect confidential information; however, these would need to be reasonable in scope and facilitated by the employer. If appropriate, employers could also oblige employees to read and sign the policies containing these conditions before they are permitted to work from home.

3. Provision of Equipment

As highlighted above, employers may choose to impose reasonable conditions on remote workers, such as the way company equipment is used whilst home working. Examples include requiring privacy screens to be enabled on company laptops, headphones to be used during meetings and for all access to the company’s systems to go via a VPN. Employers may request that work is not undertaken whilst on public transport or in the presence of family members where possible.

In addition to providing physical equipment for employees, employers may choose to install software on company laptops to reduce data breaches which may occur if company property is misplaced. 

4. Training

Additionally, any employee handling sensitive and/or confidential information would also benefit from regular training sessions to refresh the importance of maintaining confidentiality and outline ways to ensure confidential information remains protected. Situational examples should be provided to highlight how easily confidential information can be accidentally leaked, especially when on public transport or working from home. If necessary, the employer may wish to specify in their policies that a leak of confidential information will automatically amount to misconduct and in extreme cases (for example, an intentional leak) gross misconduct, which will allow the employer to dismiss the employee with immediate effect. 

5. Ringfencing and Regulatory Requirements 

To ensure sensitive information is correctly handled within a workplace, employers may choose to ringfence information by isolating specific sets of data within the network or system so it can only be accessed by select individuals. By creating digital or physical barriers to the information, the employer minimises the impact of a data breach and mitigates any insider threats. 

In addition to ringfencing sensitive data, regulated companies should also ensure they comply with any specific guidance provided by their relevant regulator. For example, the FCA outlined its expectations for firms after Covid-19, specifying that they should have “satisfactory planning in place for hybrid working” and to ensure that each firm “has considered any data, cyber and security risks” which may now arise more frequently. 

In summary, although hybrid working can be a desirable model for employers to adopt, extra protections must be put in place for sensitive information being handled outside of the office to minimise the risks of confidential data leaks.