How Data Theft Occurs
In today’s digital world, the theft, copying or destruction of your databases, customer lists or trade secrets is often as simple as pushing a button. We see this often when competitors hack into databases or use third parties posing as customers to exceed their limited license to access a business’s database. We see data theft occur much more often, however, when an employee runs a business which competes with his/her current employer or copies files, customer lists or whole databases in anticipation of leaving and starting a rival business. Fortunately for an employer, there are many remedies available to businesses under such circumstances. In light of the ease of duplication of digital material, it is impractical to seek the return of stolen data. Instead, most causes of action will focus on preventing use of the data and seek damages that have resulted from the theft.
Thinking Ahead of the Hackers
One of the best ways to address data theft is to take appropriate steps in advance. If employees, vendors or third parties have access to proprietary databases, customer lists or trade secrets as part of their working relationship with you, it is critical that you have each associated person sign a comprehensive confidentiality/non-disclosure agreement. Such agreements should specify the types of data that they can/cannot lawfully access, the specific rules relating to maintaining confidentiality of the data and specific remedies, including injunctive relief and damages, available to your business in the event of the breach of such agreements, including data theft. The agreements must also detail prohibitions on post-employment use of such data. Such agreements not only provide a bit of a deterrent effect, they also make obtaining injunctive relief from a court much simpler and cheaper to accomplish.
What To Do In the Event of a Data Theft
Once you learn of a theft of your database(s), customer list(s) or trade secret(s), it is critical that you take appropriate steps immediately. First, because data theft often involves a breach of trust by a current or recent employee or someone else with whom you work closely, it is easy to react emotionally. Do not overreact, call or threaten the person suspected of misappropriation. The steps you take will have consequences.
Second, contact an attorney experienced in this area of law. If you have sufficient information indicating an actual theft or breach, your attorney should immediately prepare and send a well-worded cease and desist letter, demanding that the unlawful conduct stop and detailing the laws and/or agreements violated. Often this will be followed by the application for a temporary restraining order (“TRO”), wherein, if granted, the court prohibits the party who engaged in the alleged data theft from using the data until the court can hold a hearing to decide whether to grant a preliminary injunction, which would stay in place throughout the underlying trial. Time is of the essence when seeking a TRO, and providing the court with as much evidentiary detail to support your claims of data theft is critical.
In addition to the injunctive relief detailed above, there are many causes of action available for you to pursue in order to obtain damages from the offending party including unfair competition, misappropriation of trade secrets, breach of confidentiality/non-disclosure agreements and unjust enrichment. Depending on the nature of the data theft, whether access was authorized at the time of occurrence, and the existence of damages and losses, you will likely have a cause of action under the Computer Fraud and Abuse Act (“CFAA”), as well. Note that the CFAA carries both civil and criminal remedies.
Third, conduct a detailed investigation. Was your database hacked or was the data stolen by a current or former employee or vendor? Does a former employee/vendor still have remote password access to your computer systems? What databases, customer lists or trade secrets were affected, to what degree and over what period of time? Collect and preserve this information, which will be critical at every step of your efforts to stop the misappropriation and use of your data, and will be a key element in proving damages in a court of law.
This topic should be of interest to any company or individual engaged in a commercial venture within the United States, especially those involved in the online marketing, data collection and/or consumer product industries.