Put policies in place that prevent staff leaving with your entire database, says Frank Jennings.
Much is made of the risk to data security from individuals hacking into a network or thieves taking laptops. However, these are not the only risks to a business: the most obvious threat has to be from employees, whether they are careless, blundering or disgruntled.
People leaving laptops and confidential dossiers on trains are bad enough, but the problems increase when an employee actively looks to copy data. When you add a lax attitude to data security by the employer, this spells disaster.
Most businesses do not apply different levels of access, so that even the most junior member of staff will have access to the business's most sensitive data. A company may routinely monitor employees' outgoing emails to make sure they are not abusing company systems, but the same rarely applies to instant messengers.
Also, even if a business blocks employee access to MySpace or Facebook during working hours, it might allow unrestricted access to LinkedIn. Indeed, the courts are currently examining the use of LinkedIn by someone who used the site to connect with their employer's business contacts before leaving to set up a rival business.
One common form of data security breach is where an employee copies the customer database and then sets up in competition. We recently obtained a court order for a client, a recruitment and HR services consultancy, against two former employees who had done just this.
One of the ex-employees had earned a six-figure sum working as a senior recruitment consultant in the specialist oil and gas recruitment industry for our client. Unbeknown to his colleagues, this person had downloaded the database on to a memory stick before leaving his employer. However, the employer suspected something was wrong when the company realised that large quantities of information had been deleted from the employee's computer.
We worked closely with surveillance and forensic computer experts and built up enough evidence to convince the High Court that a secret doorstep imaging order should be made against the ex-employees and the new company they had set up in competition. This meant a surprise visit was paid to the new firm's premises to take images of computers to preserve evidence. During the search, the pair tried unsuccessfully to conceal memory sticks containing the smoking gun - the copied database.
As a result of our action, the ex-employees cannot work in the oil and gas recruitment industry for 12 months and the new company has to account to our client for all its profits, or possibly face prison for contempt. Anyone who knows of the order and does anything to permit the ex-employees or the new company to breach its terms can also face an application for contempt of court.
This serves as a stark warning to an employee against downloading copies of their employer's database on to memory sticks and trying to use it to get ahead of the game. It is forensically traceable and, if done without permission, unlawful.
Clearly, preventing the problem is quicker, cheaper and easier than curing it afterwards. We recommend the following steps to reduce the chances of having to take your ex-employees to court:
- Ensure you have a data security policy in place that covers not only general email and internet use but also webmail and social networking sites;
- Make employees aware of the policy through their service agreements;
- Use passwords and preferably encryption;
- Restrict access to those employees who actually need the data for their job;
- Review and update your security policy regularly to keep up with change;
- Add clauses to contracts with freelancers and suppliers to ensure that they abide by your security policy.
First published in SCMagazine UK, July 2008