This section was produced by the editorial department. The client was not given the opportunity to put restrictions on the content or review it prior to publication.
In an era where a single data breach can undermine trust and compromise an entire business, vigilance is not optional — it is essential
Published Oct 01, 2024 • 4 minute read
You can save this article by registering for free here. Or sign-in if you have an account.
A woman walks past an entrance of ICICI Bank Ltd.’s head office in Mumbai, India.Photo by Kuni Takahashi/Bloomberg files
Article content
Howard Levitt and Puneet Tiwari
Since the pandemic made Zoom a household name and the initial default platform for any meeting, workplace technology has made unprecedented advancements. Many employees now perform their duties without ever leaving their homes. With the rise of artificial intelligence and cloud-based software, new systems can be deployed with a few clicks, making it easier than ever to do one’s job from anywhere. But alongside these technological gains, improvements in cybersecurity and employee monitoring have also made it easier for employers to oversee their workforce.
Advertisement 2
This advertisement has not loaded yet, but your article continues below.
THIS CONTENT IS RESERVED FOR SUBSCRIBERS ONLY
Subscribe now to read the latest news in your city and across Canada.
Exclusive articles from Barbara Shecter, Joe O’Connor, Gabriel Friedman, and others.
Daily content from Financial Times, the world’s leading global business publication.
Unlimited online access to read articles from Financial Post, National Post and 15 news sites across Canada with one account.
National Post ePaper, an electronic replica of the print edition to view on any device, share and comment on.
Daily puzzles, including the New York Times Crossword.
SUBSCRIBE TO UNLOCK MORE ARTICLES
Subscribe now to read the latest news in your city and across Canada.
Exclusive articles from Barbara Shecter, Joe O’Connor, Gabriel Friedman and others.
Daily content from Financial Times, the world’s leading global business publication.
Unlimited online access to read articles from Financial Post, National Post and 15 news sites across Canada with one account.
National Post ePaper, an electronic replica of the print edition to view on any device, share and comment on.
Daily puzzles, including the New York Times Crossword.
REGISTER / SIGN IN TO UNLOCK MORE ARTICLES
Create an account or sign in to continue with your reading experience.
Access articles from across Canada with one account.
Share your thoughts and join the conversation in the comments.
Enjoy additional articles per month.
Get email updates from your favourite authors.
THIS ARTICLE IS FREE TO READ REGISTER TO UNLOCK.
Create an account or sign in to continue with your reading experience.
Access articles from across Canada with one account
Share your thoughts and join the conversation in the comments
Enjoy additional articles per month
Get email updates from your favourite authors
Sign In or Create an Account
or
Article content
Despite the latter developments, employees continue to access and misuse sensitive workplace information with little deterrence. As technology has evolved, so too has employee creativity — including the ability to establish competing businesses within days, thanks to downloaded trade secrets and client lists.
This new reality highlights the need for employers to remain vigilant in protecting their assets, both physical and electronic. The recent Air Canada gold heist, allegedly carried out by employees, is one high-profile example. The theft or misuse of electronic property is becoming more prevalent, and recent case law demonstrates that it justifies dismissal for cause.
Historically, dismissal for just cause — the employment law equivalent of capital punishment — was reserved for the most egregious offenses: theft, fraud, violence, or breach of trust. Employers and legal professionals have been cautious when recommending dismissal for less overt actions, such as downloading company documents. However, what may seem like an innocuous act — an employee emailing documents to their personal account — can, upon closer inspection, be far more nefarious.
Work
FP Work touches on HR strategy, labour economics, office culture, technology and more.
By signing up you consent to receive the above newsletter from Postmedia Network Inc.
Thanks for signing up!
A welcome email is on its way. If you don’t see it, please check your junk folder.
The next issue of Work will soon be in your inbox.
We encountered an issue signing you up. Please try again
Article content
Advertisement 3
This advertisement has not loaded yet, but your article continues below.
Article content
In the case of Arora v. ICICI Bank Canada, the bank’s IT team detected an assistant vice-president, Mr. Arora, sending a large number of emails to his personal account. Upon investigation, it was revealed that these emails contained confidential client information. The subsequent formal investigation uncovered even more alarming conduct. The employee had sent himself proprietary bank information regarding new financial product ideas, incorporated a competing company, offered his services to rival banks and recruited two colleagues to join his venture.
Throughout the investigation, the employee was uncooperative. Based on these findings, the bank concluded that he had breached its policies and code of conduct and terminated his employment for cause.
Following a six-day trial, the court upheld the bank’s decision, concluding that the termination for cause was proportionate to Mr. Arora’s misconduct, even though he was not found to be a fiduciary — i.e., a senior executive owing a particularly high duty of loyalty to the bank. Not only did he receive no compensation, the court ordered Mr. Arora to pay a portion of the bank’s legal costs.
Advertisement 4
This advertisement has not loaded yet, but your article continues below.
Article content
The bank handled this situation by adhering to best practices, beginning with effective security measures. After discovering the security breach, it conducted an investigation, including interviews with Mr. Arora, and ensured that all findings were meticulously documented. These records proved crucial.
For employers, this case offers important lessons:
1. Implement effective security measures
Had the bank’s IT team not detected the unusual volume of emails, the employee might have gotten away with it. The bank’s ability to track what was being sent and how often helped mitigate potential damage. Employers should ensure that they have tools in place to monitor suspicious activity, such as large attachments or emails sent to personal accounts. The days of unrestricted employee email use are long gone, even for smaller companies.
2. Establish and communicate clear policies
Mr. Arora was unable to argue that the bank had condoned his behaviour or that he was unaware of the rules. The bank had clearly defined data security policies, including those governing confidential client information, and these policies had been reviewed with Mr. Arora. He was fully aware that his actions were prohibited, and the bank was able to prove it. Employers must ensure that policies related to sensitive data are well communicated and consistently enforced.
Advertisement 5
This advertisement has not loaded yet, but your article continues below.
Article content
3. Conduct thorough investigations
While some investigations are superficial, this case demonstrates how critical a well-conducted investigation can be. The bank documented its findings and gave Mr. Arora the opportunity to explain his actions. His refusal to co-operate only strengthened the bank’s case, highlighting his dishonesty and untrustworthiness. But, to the point, the investigator should be an internal employee who understands the bank’s IT systems and rules, not an outside lawyer who does not.
In today’s digital landscape, safeguarding sensitive information is not just a matter of operational efficiency — it is essential to maintaining corporate integrity. Physical security measures, such as locking documents in a safe, are no longer sufficient. Employers must implement robust electronic safeguards and develop comprehensive strategies for detecting and investigating breaches of data policies.
Had ICICI Bank of Canada not acted diligently, the outcome could have been detrimental. The judge noted that, without just cause, Mr. Arora would have been entitled to 18 months of reasonable notice — a financial and reputational blow of which this case serves as a stark reminder: the cost of inaction far exceeds the effort required to implement strong internal monitoring systems and conduct thorough investigations. In an era where a single data breach can undermine trust and compromise an entire business, vigilance is not optional — it is essential.
Howard Levitt is senior partner of Levitt LLP, employment and labour lawyers with offices in Ontario, Alberta and British Columbia. He practises employment law in eight provinces and is the author of six books, including the Law of Dismissal in Canada. Puneet Tiwari is a partner at Levitt LLP.
Bookmark our website and support our journalism: Don’t miss the business news you need to know — add financialpost.com to your bookmarks and sign up for our newsletters here.
