Running a business during a time labelled the ‘Digital Age’ has its advantages: not only do we have the ability to access all sorts of information at our fingertips, but businesses are also able to market themselves with far more ease. However, as information and communication technologies evolve, it has become all too easy for people to retrieve confidential information from a business without the business knowing. For some employees, this, coupled with a competitive job market, can make it attractive to illegitimately access or remove commercially confidential information, such as customer details, in an attempt to look like a more appealing candidate to a competitor.
This article focuses on data theft by employees following termination of a contract. It looks at ways to deter employees from engaging in such activities from the outset, and at how businesses can protect themselves should they fall victim to cybercrime.
Prevention Is Better Than Cure
When an employee starts, it is important that the business clearly identifies what commercial data can be accessed, when and how, and makes clear that action may be taken against any employee who acts otherwise. Contracts of employment can be used to expressly state all restrictions placed on the employee, both during and following termination of their employment. These contracts should be regularly reviewed to reflect any changes in the business’ technology.
There is of course an implied term in all employment contracts that an employee will act in good faith and fidelity. This obligation will directly prevent an employee from being able to share confidential information; however, unless the employee is a director, is in a position of particular seniority, or the information in question can be shown to be classified as a ‘trade secret’, this implied term will cease when the employment ends. To avoid any uncertainty, it is therefore always advisable to expressly write restrictive covenants into an employment contract, such as non-compete and non-solicitation clauses. It is recommended that legal advice is sought when drafting such a clause because, should a business seek to rely on it in the event of a breach, the courts will need to assess whether it is reasonable. Please see our blog ‘Restrictive Covenants in Employment Contracts’ for further information.
Constant assessment of the nature of the information a business holds, the technology used to store it, and the risk of compromise is the first step to an effective policy on data protection. The ability to audit or log access to information, as well as to prevent unauthorised access to it, acts both as a deterrent against a breach occurring and as a method to quickly identify the culprit when one occurs.
Employers should note that they are under an obligation to take reasonable steps to avoid the loss of any data. Keeping a record of electronic devices handed out to employees, and encrypting and password-protecting data, are some of the many techniques that can be employed to fulfil this duty.
What Happens If Data Is Stolen?
Data theft is in fact a criminal offence under section 55 of the Data Protection Act 1998 and as such, if found guilty, an employee could face a criminal conviction and a fine of £5,000 in a Magistrates Court, or an unlimited fine if taken to the Crown Court. That being said, given the extent of the potential damage data theft can cause, a preferred route, and one more likely to protect the business, is to seek an injunction. Once a data breach has been discovered, it is vital to act quickly and quietly. When applying for injunctive measures, an applicant must usually notify the respondents; however, there is a very real risk that, should the ex-employee become aware that action is imminent, they will seek to cover their tracks and delete any evidence. It may therefore be necessary for an employer to ask the court to grant an application without notice.
As the court will not be hearing from the respondent, it will only grant this application if it has been shown a very good reason to do so. The onus is therefore on the employer to provide an airtight case that the respondent has unlawfully taken confidential information. A solicitor should be instructed to ensure the strength and clarity of the case. Obtaining evidence of data theft requires intricate forensic examinations, which should only be carried out by experts. An employer should refrain from letting its internal IT department investigate, as they are unlikely to have the necessary tools or expertise and, as a result, vital data may be lost.
The applicant will be required to make several undertakings to the court, including an undertaking for damages, namely that they will compensate the respondent if it is later found that the injunction was wrongly granted. Should the order be granted, the forensic experts will be allowed to access the data. All evidence showing a breach will be preserved and, where possible, the stolen information recovered and secured.
Should a data breach occur, the business must look at its own obligations to notify a regulator or any contracting party. Although there is currently no requirement to notify the Information Commissioner’s Office (the ICO), with the forthcoming General Data Protection Regulations, change is imminent, and soon all businesses will be required to report data breaches to the ICO within 24 hours and to the individual concerned within 72 hours. Businesses could be fined for failure to do so.
Finally, and most importantly, should your business fall victim to employee data theft, use the experience as a valuable lesson: work out why the breach was able to occur and look to prevent it from happening again.