Data theft — beware of departing employees
There are a number of practical measures which can be put in place to protect a company’s confidential information from those on the inside.
It is a scenario that is all too common:
You have a senior trusted employee, who is close to a number of your key clients and with whom you have shared all of your confidential information. When they are headhunted by a competitor of yours, they are understandably flattered by the attention, attracted by a new challenge and perhaps sold on the promise of an increased salary. As their leave date creeps closer, though, it dawns on them that the expectations of their new employer are likely to be significant. Whilst the new employer will no doubt be welcoming to its new recruit, it will expect a return on its investment and will want quick and tangible results.
A thought then goes through the mind of your employee: “If I could just forward this database of client contacts to my Hotmail account, and then delete my sent items, would anyone ever really find out? It would make my life so much easier when I am in post at the new place.”
Misappropriation of confidential data
Ever-increasing amounts of confidential data (be that data about your clients, your business or your products and services) are being stored electronically. Such data can take a wide variety of forms, including:
- client lists, with contact details and certain “business development” information about those clients and their current requirements and plans;
- target lists of potential clients, which may have taken significant time and resources to generate;
- the contents of a complete customer relationship management system with up to date information, as described above;
- client documents, proposals, bids, specifications or even technical data;
- business plans and progress against objectives; and
- employee personal information.
The list goes on. Every business will hold numerous types of confidential information in a myriad of different ways, and that information needs to be protected against those who may wish to misuse it, for their own benefit and that of competitors in your market. Sometimes, however, it can be alarmingly easy for departing employees to get that confidential information out of a business.
Methods of extracting confidential data can range from the relatively common and unimaginative (e.g. simply forwarding confidential data from a work email address to a web-based personal email address, or downloading it to a removable device) to the quite complex (e.g. using sophisticated screen-scraping software to replicate a confidential database).
Whichever method is used, however, the impact of any form of data theft by departing employees should not be underestimated. It can lead to serious financial and reputational damage, with lost business opportunities, damage to client confidence, negative PR, unwanted litigation and costs, and possible sanction from regulators. Businesses should therefore be looking to protect themselves, and their electronically stored confidential information, now.
How to protect against the deliberate acts of departing employees
Clear policies and procedures, which are understood and accepted by all employees, are a good starting point and will often be deployed in evidence. For example, your policies can:
- explain the acceptable use of emails and the internet, and also note that company email accounts remain company property and may be subject to monitoring;
- explain permitted remote working practices; and
- set clear rules for the safe-keeping and/or secure transmission of any confidential information.
Another basic requirement, which is often given far too little importance by busy employers, is having well-drafted, up to date and signed employment contracts on file. Such contracts will often be tested where a business seeks to take action against a former employee who may have used its confidential information to solicit customers, prospective customers or employees.
In particular, leaving aside any express obligations of confidence in those contracts, as well as the obligations of good faith and fidelity which are present within all contracts of employment, a heavily litigated area of contract law is the application of post-termination restrictive covenants. These are contractual obligations that operate to preclude the competitive activities of former employees for a period of time after they have left their employment (typically 6 or 12 months in duration).
Departing employees who are subject to such restrictive covenants often take the view that they are “not worth the paper they are written on” and are void for being a restraint of trade. However, restrictive covenants will only be void if they are unreasonably wide. This is assessed on an individual basis, depending upon the nature of the threat, rather than by any standardised approach. Covenants which are necessary to protect a company’s legitimate business interests, and are reasonable in scope and duration, are quite capable of being upheld by the courts, and the courts will usually uphold them.
Therefore, it is important that such covenants are carefully drafted to match the circumstances of specific employees and also kept up to date. However, care should be taken when employees are asked to sign new and potentially more onerous covenants, as new contracts which are not supported by any “consideration” passing from employer to employee (e.g. a pay rise or a promotion) will likely be unenforceable when the company comes to exercise its rights in relation to that contract.
In addition to contractual protections, some forms of confidential information may also be entitled to special protection afforded by statute. For example, if a company can show that a database that it possesses comes within the necessary statutory definitions, it may qualify for a “database right” under The Copyright and Rights in Databases Regulations 1997.
There are a number of additional practical measures which can also be put in place to protect a company’s confidential information from those on the inside and to discourage determined employees who may be working their notice period and minded to misappropriate such information for future use. Such measures include:
- regulating the use of USB ports, with specific approval being needed (e.g. from the IT team) before data can be downloaded or uploaded;
- limiting access to file-sharing websites and web-based email accounts (ensuring that staff can only email from a company-controlled account);
- restricting printing facilities, so that staff can only print from company-controlled machines with all print requests being logged;
- monitoring remote devices and, when an employee leaves the business, ensuring that access is swiftly disabled and all devices promptly returned; and
- using (or adapting) current IT systems to identify large processing or downloading activity and alerting you to this.
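As an illustration of the last measure, combined with the webmail-forwarding scenario described earlier, the following added example (not part of the original article) scans a constructed activity log for mail sent to personal webmail domains and for unusually large daily download volumes, raising the severity for staff working their notice. The log format, user names, domain list and threshold are all assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample log (timestamp,user,event,detail,bytes); the format is an assumption.
SAMPLE_LOG = """\
2024-03-04T09:12:00,asmith,mail_sent,client@customer.example,18000
2024-03-04T17:48:00,jdoe,mail_sent,jdoe.personal@hotmail.com,7400000
2024-03-04T17:52:00,jdoe,file_download,crm/export_all_clients.csv,310000000
2024-03-04T17:55:00,jdoe,file_download,bids/2024_proposals.zip,290000000
2024-03-04T18:01:00,asmith,file_download,templates/letter.docx,42000
2024-03-05T08:30:00,asmith,mail_sent,asmith@gmail.com,12000
"""

PERSONAL_WEBMAIL = {"hotmail.com", "outlook.com", "gmail.com", "yahoo.com"}
NOTICE_PERIOD = {"jdoe"}             # hypothetical HR feed of staff working notice
DAILY_DOWNLOAD_LIMIT = 500_000_000   # bytes; tune to the business's normal volumes


def find_alerts(log_text, leavers=NOTICE_PERIOD, limit=DAILY_DOWNLOAD_LIMIT):
    """Return (severity, user, rule, detail) tuples in log order."""
    alerts = []
    downloaded = defaultdict(int)    # (user, date) -> bytes downloaded that day
    flagged = set()                  # (user, date) pairs already alerted on
    fields = ["ts", "user", "event", "detail", "bytes"]
    for row in csv.DictReader(StringIO(log_text), fieldnames=fields):
        user, day, size = row["user"], row["ts"][:10], int(row["bytes"])
        severity = "high" if user in leavers else "review"
        if row["event"] == "mail_sent":
            # Rule 1: work mail sent to a web-based personal email domain.
            domain = row["detail"].rsplit("@", 1)[-1].lower()
            if domain in PERSONAL_WEBMAIL:
                alerts.append((severity, user, "webmail", row["detail"]))
        elif row["event"] == "file_download":
            # Rule 2: cumulative downloads in one day exceed the limit (alert once).
            downloaded[(user, day)] += size
            if downloaded[(user, day)] > limit and (user, day) not in flagged:
                flagged.add((user, day))
                alerts.append((severity, user, "bulk_download", day))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Deleting sent items does not affect a check of this kind, provided the log is taken from the mail gateway or server rather than from the user's mailbox.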