The Threat
Malware usage by adversaries has reportedly declined, partly due to the sophisticated detection methods commonly deployed by medium to large organisations.
Conversely, insider threats (cybersecurity risks originating from within an organisation) are increasing, posing complex and costly challenges for businesses. CrowdStrike’s 2025 Global Threat Report indicates that insider threat operations accounted for 40% of incidents. The report emphasises how adversaries increasingly use AI-generated deception and malware-free techniques to operate undetected. For further insights into that report, please refer to our previous post here.
Unlike external attacks, insider threats exploit legitimate access via employment to systems, data, and infrastructure, making them harder to detect and often more damaging. These threats can originate from malicious insiders, negligent employees, or compromised user credentials. A recent BBC article highlighted this, reporting on a BBC employee being offered a share of a ransom payment to provide their BBC credentials to a threat actor organisation.
Such incidents can lead to data theft, significant operational disruption, reputational harm, and regulatory exposure, directly impacting the bottom line. These incidents often have a material lag time, meaning the risk can lie dormant. This reiterates the importance of technical security due diligence in acquisitions and regular vulnerability scanning.
The Legal Standard of Care
As specific cybersecurity laws emerge, the common legal standard of care is consistently a variation on an obligation to have in place “appropriate” information security measures (to protect systems, data, etc.). This concept is an ever-evolving standard of care to ensure the obligation does not become obsolete as technologies and the threat landscape develop (known as the pacing problem). These obligations, and their cost implications, are frequently replicated in contractual terms related to information security and remain a key focus for our teams during vendor negotiations.
For many clients, effective technological solutions to mitigate cyber risk (specifically insider threat) are now considered a “state of the art” requirement by law and/or contract. Failure to mitigate this risk carries significant legal (enforcement, litigation) and operational (incident response) consequences.
Solutions
Existing Workforce
To mitigate insider threats and comply with the legal standard of care, many clients are adopting technological solutions that process personal data to monitor, detect, and respond to suspicious behaviour among their current workforce. These include:
- User and Entity Behaviour Analytics (UEBA): Tools that establish behavioural baselines and flag anomalies, such as unusual access patterns or data downloads.
- Endpoint Monitoring Software: Solutions that track keystrokes, application usage, and file transfers, often capturing detailed logs or video records of user activity.
- Data Loss Prevention (DLP): Systems that prevent sensitive data from being exfiltrated via email, cloud platforms, or removable media.
- Identity and Access Management (IAM): Technologies that enforce least privilege access, multi-factor authentication, and real-time identity verification.
New Hires
Beyond the risks posed by their existing workforce, organisations are also aware of the risk of threat actors posing as new hires to gain legitimate access to the client network.
To mitigate this risk, clients are enhancing onboarding technology solutions. Commonly, biometric identity verification systems provide robust assurance that individuals are who they claim to be. This typically involves verifying government-issued IDs, such as passports or driver’s licenses, and using solutions that leverage biometric data or liveness tests to ensure the ID matches the person. Clients often use vendor solutions for these checks, which almost inevitably incorporate AI elements. Careful analysis of the lawful basis is required for this.
In addition to biometrics, organisations are leveraging multi-factor authentication, zero-trust platforms, and encrypted data transfer protocols to secure remote access and protect sensitive information from the outset of employment.
1. Existing Workforce: Using Technology Solutions
Key data privacy steps to be taken
UEBA tools establish behavioural baselines for employees and other users within an organisation’s network, continuously analysing activity such as access patterns, file downloads, and system usage. When the system detects anomalies (e.g., an employee accessing sensitive files at unusual times or transferring large volumes of data), it flags these behaviours for further investigation. While deployed for a legitimate aim, there is a risk of “scope creep”, as records of company system usage could be seen as valuable for employee evaluation. Because UEBA solutions rely on collecting and analysing detailed user activity data, their deployment directly intersects with data protection law. This creates a clear overlap in which robust cybersecurity measures must be balanced against the need to respect individual privacy rights and comply with legal obligations regarding personal data processing (and avoid the associated legal risk).
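The baseline-and-anomaly logic described above, reduced to its essentials as an added example (not the firm’s advice or any vendor’s product): a per-user profile of the hours at which access normally occurs and the usual volume transferred, then a scoring function that flags an event as an anomaly only when it falls outside that profile. The log lines, user ids, timestamps and byte counts are constructed; the user ids are pseudonymous on purpose, since the analysis needs a stable key rather than an identity, and the output is a list of reasons for an analyst to review rather than a judgement about the person.

```python
"""UEBA-style baseline and anomaly flagging over a constructed access log."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: (pseudonymous user id, ISO timestamp, bytes downloaded).
BASELINE_LOG = [
    ("u-001", "2025-03-03T09:12:00", 12_000),
    ("u-001", "2025-03-04T10:05:00", 15_000),
    ("u-001", "2025-03-05T14:40:00", 9_000),
    ("u-001", "2025-03-06T11:20:00", 14_000),
    ("u-001", "2025-03-07T16:55:00", 11_000),
    ("u-002", "2025-03-03T08:30:00", 200_000),
    ("u-002", "2025-03-04T09:10:00", 180_000),
    ("u-002", "2025-03-05T13:00:00", 220_000),
    ("u-002", "2025-03-06T15:45:00", 190_000),
    ("u-002", "2025-03-07T10:25:00", 210_000),
]


def build_baseline(log):
    """Per-user baseline: hours of day seen, plus mean and std dev of bytes per event."""
    hours = defaultdict(set)
    sizes = defaultdict(list)
    for user, ts, nbytes in log:
        hours[user].add(datetime.fromisoformat(ts).hour)
        sizes[user].append(nbytes)
    return {
        user: {"hours": hours[user], "mean": mean(sizes[user]), "std": pstdev(sizes[user])}
        for user in sizes
    }


def score_event(baseline, user, ts, nbytes, sigma=3.0, hour_margin=1):
    """Return the list of anomaly reasons for one event; an empty list means normal."""
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    # Unusual time: not within hour_margin of any hour this user was seen active.
    if not any(abs(hour - h) <= hour_margin for h in profile["hours"]):
        reasons.append(f"access at unusual hour {hour:02d}:00")
    # Unusual volume: more than sigma standard deviations above the user's own mean.
    threshold = profile["mean"] + sigma * profile["std"]
    if nbytes > threshold:
        reasons.append(f"volume {nbytes} exceeds threshold {threshold:.0f}")
    return reasons


if __name__ == "__main__":
    bl = build_baseline(BASELINE_LOG)
    # A 02:30 download of 500 KB by u-001 trips both the time and volume checks.
    print(score_event(bl, "u-001", "2025-03-10T02:30:00", 500_000))
```

The thresholds are relative to each user’s own history, which is what keeps a heavy but routine user such as u-002 from being flagged for volumes that would be anomalous for u-001. Note that the profile itself is personal data about working patterns: the retention period for the baseline and the purposes for which the flags may be used are exactly the points the DPIA discussed below has to settle.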
Insider threat solutions that process material personal data are often considered a form of employee monitoring, which is generally high-risk and an ongoing focus for supervisory authorities. The data protection risk must be balanced against the business continuity and potential existential business risk posed by insider threats. Naturally, citing data protection risk as a reason not to proceed often meets resistance from the CISO team and can be escalated to the highest levels of management.
Transparency is a fundamental principle of global data protection and employment law. The GDPR requires information to be provided to the individual at the time of first collection. At a minimum, a new processing activity will necessitate an update to an employer’s HR privacy notice.
The extent to which organisations must go beyond this depends entirely on the nature of the personal data processed by the insider threat solution. Data loss prevention tools are generally considered low-risk from a data protection perspective, as they monitor only aggregate data flows rather than individual user activity. These tools can be configured to detect and block the transfer of files containing sensitive keywords or data types (such as credit card numbers or confidential project names) to unauthorised external destinations, without logging or analysing individual employees’ identities or detailed behaviours. Such a tool would therefore require minimal, if any, updates to a privacy notice.
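The low-risk DLP configuration described above, as an added example (not code from the firm or from any DLP vendor): a content check that looks for constructed confidential project names and for Luhn-valid card numbers, and blocks the transfer only when sensitive content is headed to a destination outside an assumed allow-listed domain. The verdict deliberately carries the decision and aggregate match counts only, with no user identity, which is what keeps the processing in the category the text describes.

```python
"""Content-based DLP verdict for an outbound file, identity-free by design."""
import re

# Constructed confidential project names; a real deployment would load these from policy.
SENSITIVE_KEYWORDS = ("Project Falcon", "Project Orion")

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Luhn checksum, used to filter arbitrary digit runs out of the card-number matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_content(text):
    """Count sensitive findings in text: keyword hits and Luhn-valid card numbers."""
    cards = 0
    for match in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            cards += 1
    keywords = sum(text.count(k) for k in SENSITIVE_KEYWORDS)
    return {"card_numbers": cards, "keywords": keywords}


def transfer_verdict(text, destination, allowed_domains=("corp.example",)):
    """Block when sensitive content is bound for a destination outside allowed_domains.

    allowed_domains is an assumed policy value; corp.example is a constructed placeholder.
    The returned record holds the decision and counts only, never who sent the file.
    """
    findings = scan_content(text)
    sensitive = findings["card_numbers"] > 0 or findings["keywords"] > 0
    external = destination.rsplit("@", 1)[-1] not in allowed_domains
    return {"block": sensitive and external, **findings}


if __name__ == "__main__":
    # 4111 1111 1111 1111 is a well-known Luhn-valid test number, not a real card.
    sample = "Quarterly update for Project Falcon. Card on file: 4111 1111 1111 1111."
    print(transfer_verdict(sample, "partner@external.example"))
```

The Luhn filter matters for proportionality as much as for accuracy: without it, order ids and reference numbers would be blocked and investigated, which both disrupts the business and draws more content into the security tooling than the stated purpose requires.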
Conversely, some endpoint monitoring software can capture comprehensive logs of user activity, including keystrokes, application usage, file transfers, and even video recordings of employee screens. Updating the HR privacy notice before deploying this technology across a user database is unlikely to meet regulatory expectations for employee monitoring. ICO guidance, for example, clearly states that organisations must actively ensure workers are aware of what personal data is collected and how it is used. While not directly related to insider threat solutions, the Serco Monetary Penalty Notice found that Serco failed to process data lawfully because employees were not clearly informed about the monitoring activities. To align with regulatory expectations, a clear communications plan and strategy for substantive technology changes are crucial from a data protection perspective.
For each insider threat solution involving the processing of personal data, the relevant controller should triage whether a DPIA is required against Article 35 requirements and supplementary provisions in Member State or UK law before processing any personal data. If that screening exercise indicates high-risk processing, a DPIA must be conducted before the solution is rolled out. The ICO’s recent investigation into Snap’s completion of a DPIA for high-risk processing reiterates that this is an aspect of data protection law regulatory authorities are scrutinising. A thorough DPIA will document the necessity, proportionality, and risk mitigation measures of the solution. The DPIA process should be iterative, with regular reviews as technologies or processing activities evolve, ensuring ongoing compliance and accountability.
Provided client teams give due consideration to data protection requirements, and the solution is proportionate to the risk, legislative requirements should rarely block deploying solutions to mitigate cyber risk. At DLA Piper, we have extensive experience negotiating these issues and can ensure you have risk-appropriate contractual protection. In this context, we routinely support clients with: (i) data mapping; (ii) drafting and negotiating data protection terms; (iii) completing DPIAs; and (iv) advising on transparency requirements and strategy.
Key employment steps to be taken
Works councils are statutory employee representative bodies whose involvement is mandated by national laws. They play a critical role in safeguarding employee rights and ensuring that monitoring practices are transparent, proportionate, and compliant with local laws. Whether works councils are appointed or engaged depends on the organisation.
If a works council is appointed, varying levels of engagement (consultation, consent, etc.) will generally be required, either as good practice or by law. At a minimum, this will entail providing all information related to the underlying processing activities. In stricter jurisdictions, works council consent will be required before technology deployment. Any rollout plan should account for this engagement, which takes time and is often left too late, jeopardising the agreed rollout date.
In addition to works council engagement, companies must navigate various employment law issues when implementing employee monitoring. Employers must be transparent about the purpose, scope, and methods of monitoring, ensuring it is proportionate to legitimate business interests. There is also a risk of undermining employee trust and morale if monitoring is perceived as intrusive or excessive. Furthermore, monitoring practices must not result in discriminatory treatment or disproportionately impact certain employee groups. Clear internal policies, robust data governance, and appropriate training for managers are essential to mitigate these risks and ensure compliance with employment law obligations.
Key contracting steps to be taken
When deploying insider threat solutions, thorough due diligence on third-party vendors is essential for both legal compliance and effective risk management. These vendors often process or access significant volumes of sensitive personal data as part of their service, meaning any shortcomings in their security practices or data protection standards can have a knock-on effect for the employer/controller.
This due diligence will almost inevitably be supplemented by a recommendation for robust contractual terms, which will likely need to comply with the prescriptive minimum content requirements of data protection law. Vendors offering SaaS solutions often provide their terms on a “take it or leave it” basis, granting them significant discretion to process data for their own purposes and pricing the product accordingly. Such terms do not provide sufficient comfort for the controller regarding data protection, intellectual property, and confidential information. Having a trusted partner with strict parameters around information use is a critical consideration for overall compliance.
2. New Hires: Using Insider Threat Recruitment Solutions
Key data privacy steps to be taken
The following controls should be considered and implemented as required:
- Conduct due diligence on proposed vendors to ensure maximum comfort from an info-sec/privacy perspective;
- Early determination of whether a vendor providing identity verification solutions acts as a processor or controller is critical. This depends on several factors, including the extent to which the individual accesses and uses the vendor’s user interface. We are aware that some vendors offer these solutions at a low cost relative to the potential scope and volume of data processed. This cost is conditional upon the customer organisation accepting their commercial and data protection terms “as is.” Upon further inspection, it becomes clear that these terms give the vendor wide discretion to use customer data for their own purposes and/or to further train their models. In this scenario, the data is the true price, and care should be taken to avoid models of this nature;
- Provide a detailed privacy notice to candidates, offering transparency regarding ID verification;
- Conduct a Data Protection Impact Assessment (DPIA), as biometric processing operations are likely to result in a high risk to individuals whose personal data will be processed, given the unique and sensitive nature of biometric data;
- Implement a robust set of data protection terms with the chosen vendor as a processor, complying with Article 28 GDPR;
- Maintain an internal policy setting out appropriate rules for conducting checks and maintaining the confidentiality and security of obtained information;
- (With vendor support) apply a human verification element if an individual fails ID checks, and revoke any employment offer (unless the check is strictly required by law);
- Update any record of processing activities that sets out the personal data processed, applicable data subjects, purposes for processing, whether data is shared with third parties (including international transfers), and relevant data retention periods.
Key employment steps to be taken
From an employment law perspective (beyond data protection compliance), organisations should:
- Ensure ID checks are applied consistently to all candidates to avoid discrimination claims. Checks should not unlawfully exclude candidates based on protected characteristics.
- In some jurisdictions, works councils or employee representatives must be consulted or informed before implementing new onboarding or monitoring processes. Allocate sufficient time for this engagement to avoid delays.
- Consider how these checks can supplement or interact with mandatory right-to-work checks.