What Happens When an Employee Steals Your Confidential and Commercially Sensitive Data?

By Lucy Slatter

Partner

Since the beginning of the pandemic in March 2020, working away from the office, either at home or more recently out of the home, with people ‘going to work’ in local coffee shops/work spaces, the risk to companies’ confidential data has increased. The risk to businesses isn’t helped by the fact that almost all data is now electronic, making it easy to copy huge amounts of data quickly.  It is not just outside threats that companies need to consider.  Former employees also pose a threat to companies’ confidential data. A study conducted by the Ponemon Institute found that 65% of respondents admitted to taking proprietary and confidential data that could affect their former company’s business competitiveness and result in a data breach. With many ex employees leaving a business to set up a competing business or to go and work for a competition this is a real risk. 

Prevention is better than a cure, and a well-advised company will take certain precautions such as ensuring they have appropriate IT and data processing policies, and appropriately drafted employment contracts. Appropriate data protection software is ever more important. Increasingly, companies are installing software that can lock computers or laptops after a minute or so of inactivity, to limit the possibilities of people outside of their organisation gaining access to confidential data.

Unfortunately, prevention is not always successful, or even possible. When a company suspects that someone has unauthorised access to confidential data that they could use to the company’s detriment, it is important for the company to act very quickly. 

If the data was obtained by unlawful means, such as by hacking or fraud, or theft of an item of property such as a laptop, then criminal sanction might be a possibility. Criminal sanction is however insufficient to adequately protect a company’s interests, because compensating the victim is not its primary purpose, and it is a very slow process.   It is also often inapplicable where an ex-employee in concerned. Under the Theft Act 1968 data and information is not deemed to be property of the company, so an ex-employee cannot be criminally liable for misappropriation of confidential data alone.

Civil remedies must therefore be utilised, such as:

  1. A court injunction prohibiting the use of the confidential data and requiring destruction or delivery up of the media upon which it is stored;
  2. A claim for damages compensating the company for any losses it has suffered; and/or,
  3. A claim for the expropriation of profits unlawfully made by the offending ex-employee by the use of the data in question. 

It is in the first instance necessary to prevent any further misappropriation of confidential data by the ex-employee, and to identify what information the ex-employee holds or is using to determine if legal action is justified. If they still have access to a “work computer” or the company’s IT system, then it will often be possible for access to confidential information to be withdrawn, and sometimes to find out what information they had accessed or were trying to access or download. It might also be possible to ascertain how the data was being used or where it was being sent.  If the necessary IT expertise is not available “in-house”, then an expert should immediately be engaged to assist the company with this information gathering and damage limitation exercise.

If it is not possible to identify exactly what data the ex-employee has or is using, or if evidence might be destroyed or significant damage done to the company unless immediate action is taken, then it will often be necessary to immediately apply to the court for assistance. A search order might be sought, giving access to the ex-employee’s premises under the supervision of a court appointed officer, to search for and seize documents and devices on which information might be held and then permitting electronic media to be analysed by a court appointed expert.  An order might be sought for the immediate delivery up of devices known to be in the ex-employee’s possession, sometimes into the possession of a court appointed expert for expert analysis. Very often a temporary (interim) injunction is sought preventing the ex-employee or a connected party using any data they have in their possession, which remains in place until a full claim can be brought against the offending party or parties. To apply for such an order or orders, one must be able to satisfy a court that, on the face of the information and evidence available at the time, there is strong case that confidential data is being held and/or used unlawfully, and that the order sought is justified in the circumstances.  Very often you will be asked to give an undertaking to the court that you will compensate the ex-employee for any losses suffered, if it turns out that the order sought was not justified. Careful consideration must therefore be given to whether such orders are appropriate.

We have extensive experience in assisting our corporate clients prevent and obtain compensation for losses suffered by the actions of ex-employees or directors in these circumstances. If you suspect that your company might be the victim of misuse of its confidential information, then please do contact us at the earliest possible opportunity. 

For more information and to find out how we can help you, please contact 0345 646 0406 or fill in our online enquiry form and a member of our Team will be in touch.