The widely publicized data breach of extramarital affairs website Ashley Madison last summer exposed not only the e-mail addresses of about 33 million of its users, but also the surprising number who registered for the site using a company account.
The rise of remote employees, flexible work arrangements and bring-your-own-device policies, coupled with a growing expectation for employees to make themselves available by e-mail after hours, has blurred the line between work and personal activities online.
But employee misuse of corporate e-mail accounts, computers and mobile devices has the potential to expose employers and employees to significant legal and security risks. In a recent report, Toronto-based law firm Borden Ladner Gervais LLP (BLG) cited workplace cybersex and IT security among the top 10 legal risks for businesses in 2016.
“There is clearly less and less distinction between private life and work life,” said Justine Laurier, a Quebec-based associate with the labour and employment group at BLG. “It creates new challenges for the employer, but also for the employee, who is not necessarily aware of what an employer can do or monitor when they use the employer’s working tools.”
Among the workplace e-mail domains revealed in the Ashley Madison hack were those belonging to Canadian public sector employees at the federal, provincial and municipal levels, including the Justice Department and Canada Revenue Agency, as well as members of the RCMP, the Canadian Armed Forces, and at least one MP. In the United States, leaked e-mail addresses belonged to employees of Fortune 500 companies, such as Microsoft Corp., Cisco Systems Inc., Apple Inc. and Bank of America, as well as U.S. government employees.
Ms. Laurier said she has witnessed a sharp increase in Quebec case law over the past five years related to misuse of employer tools such as e-mail addresses, computers and smartphones, a situation she said is at least partly the fault of employers who fail to clearly define appropriate use. “It’s a new reality,” she said, adding that the issue affects organizations of all shapes and sizes in Canada.
Under Quebec provincial law, employees have a duty of loyalty to protect their employers’ reputations, which extends to the employee’s cyber-identity and social media activity. As such, Ms. Laurier says Quebec residents can be terminated for engaging in any online activity that might diminish the reputation of their employer, ranging from offensive social media posts, even on personal accounts, to the misuse of company assets, including e-mail addresses.
“It could go against the company’s policies, if there’s a strict policy on the use of work e-mail,” she said. “It could also go against the company’s values, depending on the industry or the role of the employee in particular.”
Outside of Quebec, there are higher standards for termination, said Andrew Monkhouse, the managing partner and owner of Monkhouse Law, a Toronto-based firm specializing in employment and labour law.
“It’s a fine line. If you ruin or hurt the reputation of your employer to a very large degree, it might be cause for termination, but the cause for terminating someone outside of Quebec is a very high standard,” he said. “It would have to be directly related to your business.”
Though there is no explicit employer-reputation law in other provinces, Mr. Monkhouse said that employees outside of Quebec can still be terminated as a result of their online activity.
“Someone can say, ‘I can’t be fired for what I wrote on Twitter because you don’t have a policy,’ and they’re right, they can’t be terminated for cause,” he said, adding that any non-unionized employee can still be terminated without cause, so long as they’re provided sufficient notice and severance pay.
Beyond registering with a work e-mail address for services such as Ashley Madison, which have a clear potential for damaging an employer’s reputation, Ms. Laurier suggests that employees are subject to disciplinary action for misusing corporate e-mail accounts to sign up for video streaming websites like Netflix or social media accounts like Snapchat, a popular photo- and video-sharing application.
“If there’s a policy on such topics, and then the employer notices the employee is using a work e-mail for personal purposes like registering for Netflix, it can go against the policy,” she said, adding that such infractions could lead to disciplinary action but not necessarily termination.
Ms. Laurier adds that employees are often unaware that employers retain the right to access corporate e-mail accounts and company-issued devices at any time. “It’s definitely a question of the right of privacy of employees versus the rights of an employer to control or make sure that the employees are performing their job adequately,” she said.
Use of corporate e-mail addresses and company-issued devices to register for services like Netflix may seem inconsequential, but the risk it poses to employers is significant, said Addison Cameron-Huff, a Toronto-based technology lawyer.
“The most serious issue is if people are reusing the same password for services like Ashley Madison as well as for work services,” he said, explaining that hackers will try to gain access to company information using leaked corporate e-mail addresses and passwords. “If there’s a giant data breach at one of these services, the employer’s servers could be at risk.”
Mr. Cameron-Huff adds that the wave of widely publicized data breaches in recent years has done little to curb employee misuse of business tools and e-mail accounts.
“I’d like to think it’s changed their [employees’] behaviour, but I expect that in future large data breaches, we’ll see the same thing,” he said. “I don’t think a lot of people are treating it as seriously as they should be, even employers.”
To protect themselves and their employers, employees should always maintain separate work and personal e-mail accounts, said Mark Nunnikhoven, the Ottawa-based vice-president of cloud and emerging technologies for Trend Micro Inc., a global security software company.
“The good news is that it’s relatively simple to keep a strong level of separation between work and home activities, and it starts with your e-mail address, because the e-mail account tends to be the foundation piece of your digital identity,” he said.
Mr. Nunnikhoven added that employers should strive to build a corporate culture that takes such issues seriously.
“It needs to be understood, it needs to be talked about, and there are easy and inexpensive solutions,” he said, citing a guest WiFi network for personal devices as one potential solution. “As long as you can clearly communicate what you’re doing and why you’re doing it to the employees, I think that at least lets everyone make an informed decision about the activities they’re going to undertake on company assets.”
Maintaining up-to-date policies and providing regular information sessions on appropriate use can also go a long way in ensuring an employer’s e-mail domain doesn’t appear in the next large-scale data breach.
Top 10 legal challenges for Canadian business in 2016, according to Borden Ladner Gervais LLP:
Provincial carbon initiatives, federal targets stemming from the recent climate talks in Paris and advancements in renewable energy technology are poised to have far-reaching effects on Canadian businesses in 2016, even those operating outside the energy sector.
A need for tax revenue coupled with a global trend toward tax transparency will allow Canada Revenue Agency to become more aggressive in seeking confidential taxpayer information.
Privacy class actions
The cost of data breaches has risen 23 per cent since 2013, with class actions remaining the preferable option for privacy enforcement.
Digital financial fraud is much more difficult to prevent than in-person fraud, requiring the development of more effective authentication protocols, technology, policies and procedures.
Regulatory uncertainty following the advent of the Cooperative Capital Market Regulatory System (CCMRS) will make it more difficult to enact hostile takeovers.
Good faith contracts
Honesty is no longer the best policy; it’s the law. The Supreme Court of Canada recently established a “general organizing principle” of good-faith contractual performance in common law disputes, mandating that “parties generally must perform their contractual duties honestly and reasonably and not capriciously or arbitrarily.”
Canada’s inclusion in the Trans-Pacific Partnership and EU trade agreements will have far-reaching effects on bilateral trade and competition, particularly in the agriculture, manufacturing and service industries.
Regulatory compliance cost Canadian businesses $37.1-billion in 2014, and with the election of a new federal regime and two new provincial governments in 2015, the system is likely to become more complex.
Canada’s anti-spam law
Regulatory authorities began enforcing Canada’s anti-spam law in 2015, with penalties of up to $1-million for individuals and $10-million for businesses.