Your employees are probably engaging in risky online behaviour while at work. With a view to helping with your cyber-hygiene and legal compliance, we have set out a few reasons we know this and some tips to address it.

We routinely see cyber incidents, big and small, arise from employee behaviour. Sometimes they are the intentional acts of a rogue employee. More often, employees are simply not careful enough or are not well trained. Studies confirm that up to 82% of breaches involved a human element, such as social attacks, errors and misuse, and that 43% of employees engage in risky online behaviour to circumvent authentication requirements.

There are many well-known, published to-do lists that suggest a holistic approach to managing cyber risk in the workplace. For example, the Canadian Centre for Cyber Security has guidance on how to protect your organization from insider threats. The guidance includes:

  • Screening employees who handle sensitive information
  • Providing mandatory training and engaging in awareness activities
  • Implementing and enforcing access controls to restrict user privileges, including multi-factor authentication (MFA)
  • Data loss prevention software, such as those noted below, which use alerts and encryption to help prevent accidental or malicious data sharing and exfiltration
  • Audits, including monitoring and logging detailed actions to detect unusual behaviour

We are seeing a shift towards greater expectations on organizations to actively monitor their electronic systems and implement technical security measures that help detect and evaluate insider threats. See, for example, the BC Supreme Court's recent decision regarding vicarious liability for an employee's privacy breach and the OPC's investigation of Desjardins. The latter case involved the extensive exfiltration of sensitive personal information by an employee over the course of 26 months. The Privacy Commissioner of Canada found, among other issues, that Desjardins' data loss prevention (DLP) solutions were insufficient, including because it did not have a user and entity behaviour analytics (UEBA) solution in place. The Commissioner supported active monitoring of employees' use of technology, such as implementing extensive DLP solutions to monitor exfiltration channels (email, web navigation, copying to USB drives, etc.) and a UEBA solution to monitor for unusual behaviour.

Employee electronic monitoring policy – New changes in Ontario

As a compliance reminder, organizations in many jurisdictions in Canada are statutorily obligated (and it is a best practice) to notify their employees about monitoring, including how the information collected is used. Most often, these notices appear in employee privacy policies, handbooks, and systems/acceptable use policies.

Recent amendments to the Ontario Employment Standards Act will require employers with 25 or more employees in Ontario to have an employee electronic monitoring policy in place, and to notify their employees about it. Employers are required to have the policy in place by October 11, 2022 and to notify employees within 30 calendar days (e.g. by November 10).

Electronic monitoring can include a wide range of activities, such as GPS tracking, UEBA and DLP solutions, email monitoring, web browsing history review, and review of system log information. The Ontario provincial government has published some guidance on the policy. The policy must describe:

  • How and in what circumstances employers may monitor employees
  • How the information collected may be used
  • The dates the policy was prepared and when any changes were made

It is also good practice to establish security requirements for the monitoring program itself, such as limiting access to the monitoring solutions and the information they collect, as well as setting retention and destruction parameters for that information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.