Partner Charlotte Walker-Osborn and Solicitor Aonghus Martin, Technology Group, and Gareth Bownes, Employment Group, Eversheds LLP, look at the thorny issue of employee data theft of company information.

The widespread use of portable storage devices and networking websites has made it easier for employees to remove confidential or copyright protected company data. This removal has been exacerbated by the current economic climate. Below are some steps that employers should consider taking in order to reduce the risks of such data leakage:

  • strictly prohibit the downloading of data, other than for legitimate business reasons, as stated in the IT policy; restrict access to sensitive data to a need to know basis, e.g. with password protection or tiered-access to sensitive data;
  • consider whether ports for portable storage devices should be disabled (if pragmatic);
  • review and seek legal advice on restrictive covenants in employment contracts to ensure that they are adequate and enforceable.

If an employer believes that an existing employee has committed a serious breach of its IT or employment policy, it should conduct a full investigation before taking disciplinary action, even if there has been an obvious breach.

This will reduce the risk of an unfair dismissal claim, as the employer needs to show that it had a genuine belief in the employee's guilt; has carried out a reasonable investigation and that the dismissal was 'within the band of reasonable responses'. The (IT) policies must clearly cover the alleged misuse; have been properly communicated to employees; and have been applied in a consistent manner.

If an employer discovers that sensitive data has been downloaded by a former employee, it should look to obtain and preserve as much evidence as legally possible and, where necessary, engage forensic technology experts.

In terms of legal redress, there is no offence clearly aimed to cover only this type of employee breach. An employee who has inappropriately accessed or copied company information could be considered to have gained unauthorised access under Section 1 Computer Misuse Act 1990 depending on strict criteria having been met.

If the data accessed by the employee is considered 'personal data' under the Data Protection Act 1998 (DPA) then the DPA will apply. Section 55 of the DPA, for example, makes it a criminal offence to disclose, obtain or procure the disclosure of personal information knowingly or recklessly without the consent of the date controller.

However, redress is usually sought through the civil courts, e.g. injunctions for breach of confidence to deliver up and prevent the use of confidential information or copyrighted information.

Unless a search and seizure order is used to seize media containing confidential information/ copyrighted information then contact should be made with the former employee to seek an undertaking to deliver up and prevent the use of such information.

If that is unsuccessful then you may need to apply for a court injunction, which can be expensive. The company may also have a claim for damages if it can prove that it has suffered loss, for example if the employee has diverted business from the company.

Additionally, the former employee may be in breach of restrictive covenants in their employment contract. Having tightly drafted restrictive covenants, intellectual property and confidentiality provisions in the employment contract will make it much easier to obtain the requisite injunctions and restraining orders.

Pragmatically, however, whether that former employee have monies to pay for any damages is another matter. In this way, prevention is clearly better than cure.

© Copyright 2009 Eversheds

Please note that the information provided above is for general information purposes only and should not be relied upon as a detailed legal source.