Posted by Vijayashankar Na on December 14, 2014
Posted in Cyber Law |
Mehdi Massor Biswas the Bangalore based employee of an ITC group company was arrested by the Police for having maintained the Twitter account Shami Witness in which he was promoting ISIS ideology.
While the Police will continue their investigation and punish the guilty, the HR manager at ITC would be wondering how he/she could have not found out that a radical jihadist was working with them without being found out. Some may argue that Mehdi was very clever and carried a “Dual Personality” exhibiting only his quiet professional face in the organization and did what he did during his free time. Some may even say that organization has no responsibility for what an employee does during his spare time.
But let us not forget that ITC employed a jihadist and paid him a salary of about Rs 5.3 lakhs per annum. In a way this was funding a terrorist. However unpalatable it would look like, there is no way the organization can say they have not indirectly supported a global terror movement.
If so, can the Company officials be held liable for “Vicarious Liability”?. This depends on whether the company officials had a knowledge of Mehdi’s character as a Jihadi sympathizer and failed to take any action since nothing happenned during office time using office infrastructure. If so they would be liable for not taking such steps as would be necessary to prevent the crime. This responsibility would also fall on Mr Mehdi’s co-workers who might have had more information than the HR Manager himself.
Had the Company practiced “Due Diligence” or “Reasonable Security Practices” to identify vulnerabilities in their human resource and apply risk mitigation measures perhaps the crime would have been detected earlier.
Now that the incident is behind us, not only ITC but also other companies need to review their HR and Security policies to check if they have a Mehdi in their company?.. a person who is a radicalized “terror sympathizer” and who carries the risk of committing a terrorist campaign or even a terror attack either within the company or in India or elsewhere.
If there is any such person in their company, then they need to take action to remove him from any sensitive positions and if necessary from the organization itself. If in doubt, he needs to be kept under watch for action at a later time. Probably there is a need to share such information with the intelligence authorities also.
How do we identify persons who could be causing trouble? ..well this is a million dollar question. The normal “Back Ground Verification” where a report about the person’s previous employment etc is verified is inadequate since people providing reports are not always truthful. They tend to suppress any adverse report either because they are unsure of their assessment or because they are sympathetic to the employee even though he might have been chucked out of their organization.
We therefore need other means to identify the behavioural traits of a person during the time when a person is working for the organization. The first step in this direction is to implement a “Whistle Blower Policy”, because there is a high likely hood of the Mehdi type person exposing himself with his co-workers unwittingly. A well managed whistle blower policy would help identifying such person at the earliest.
Additionally, one needs to adopt sophisticated psychological measures to spot persons with a deviant tendency. This could be done through behavioral analytics applied in a non intrusive manner to map the behavioural tendencies of the employees. May be the well known behavioural theories used in criminal psychology can be applied to identify persons who have a deviant tendency.
In the coming days, this domain of Behaviour Science will be the new skill requirement for HR Managers and Security managers.
Related Article: ITC Confirms..