Employers need to appreciate and address the fact that employees who remove their employers’ confidential information often do not appear to appreciate the risks of being caught or the potentially very serious consequences of their misconduct being detected. In the UK the consequences potentially include criminal sanctions if “personal data” is mishandled.
Employers perennially face the twin challenges of, first, implementing security and other systems which are effective to reduce the ability of employees to remove the employer’s confidential information and, second, detecting and responding to leaks of such information when they occur. In terms of risk management, after an employee resigns at least the employer is on notice of the need to be alert and may be able to use “garden leave” as well as control of access to, and investigation of the use of, its systems in order to protect its interests. The risk of removal of an employer’s confidential information may well therefore be at its greatest ahead of the employee’s resignation or departure, when the employee is getting ready to leave and wants to take information that the individual considers may be useful in some way or another in their future role.
An employee may seek to remove the employer’s information in a variety of ways, such as by emailing materials to a personal email account, removing documents on a memory stick or even by old-fashioned photocopying. That an employee has removed an employer’s information may come to light in a number of ways, whether as a result of a routine check by the employer’s IT team or developments which take place as a result of the misuse of that information, for example by the individual’s new employer sending or mailing the old employer’s client list. The defence which one often hears from employees challenged about the removal of information from their employer, whether or not it is convincing, is that they sent the information home to their personal email address to assist them with work outside office hours and not for other illegitimate purposes. This may be more or less credible depending on whether the information removed really did relate to current work that the individual was performing.
An employer which discovers that its information has been removed has a number of options. It may simply write a legal letter demanding that the employee return all relevant information and, to avoid litigation, provide formal written undertakings that he or she has deleted the relevant information and has not disclosed it to any third party. In circumstances where the employer is more concerned about the value of the information in question to a competitor and wishes to obtain greater comfort about what has been done with it, the employer may seek a sworn affidavit from the individual explaining the situation in full and confirming where, if anywhere, the information has been sent. In circumstances where the employer is particularly concerned about the information and where it might have been sent, it may be necessary to seek to agree a “forensic protocol” with the individual providing for independent IT experts to search the individual’s computer systems and email accounts to ensure that the employer’s information is identified and deleted and to verify that it has not been sent elsewhere.
In circumstances of particular urgency or sensitivity, or where the employer requires the highest level of protection it can legitimately seek, it may be appropriate to launch formal litigation to obtain court orders requiring an individual to return the information in question, allow computer access and recover the legal costs incurred by the employer in protecting its position in response to any employee’s breach of his or her duties. The position is further complicated if it transpires that the individual has passed any confidential information to a third party, such as a new employer, as that new employer may need to be joined into the pre-action correspondence and any resulting litigation.
The employer also needs to be aware of the risk of there being a breach of the Data Protection Act 1998 if, for example, an employee removes personal data relating to clients. A report to the Information Commissioner’s Office may be necessary confirming the issue and what is being done by the employer to remedy the situation.
Modern technology is such that it can be easy for employees to remove their employers’ information. Firewalls, password protection and computer use and confidentiality policies can only take an employer so far in terms of protecting its confidential information. What is surprising is that too often employees do not appear to appreciate properly either the risk of being caught or the various very significant risks to which they open themselves if they are detected. Not only will the employee potentially be faced with the risk of litigation and of his or her new employer being dragged into the issue but, given the importance and complexity of these issues, the employee may also face a very significant legal bill both in terms of his or her own legal costs in defending litigation and in meeting costs which the former employer may be able to recover through litigation or negotiation to resolve the situation. Depending on the new employer’s attitude to and level of involvement in the issue, the employee may have jeopardised his or her new position – and indeed his or her future employability. Employees who remove their employer’s information and are detected can therefore easily find themselves in the situation where, rather than simply being able to return the information, apologise and promise not to use it, they reap a world of pain in terms of legal costs and reputational damage. And that’s before the employer pursues damages for loss of business if the information in question has been misused.
A further consequence of removing an employer’s information that employees may well not appreciate is that, if what they take from their employer contains the “personal data” of, for example, the staff or clients of the employer, they will be committing a criminal offence. Under section 55 of the Data Protection Act 1998, it is an offence for a person to obtain or access personal data without the consent of the relevant data controller. This offence is punishable by way of a fine of up to £5,000 in a Magistrates’ Court or an unlimited fine in a Crown Court. In a recent prosecution in the Bradford and Keighley Magistrates Court, an individual was found guilty of stealing the sensitive information of over 100 people which was contained in six emails which he had sent to his personal email address shortly before leaving his employer for a rival firm. The individual had hoped to use the information, which included workload lists, file notes and template documents, in his new role. He was fined £300 and ordered to pay a £30 victim surcharge, and £438.63 prosecution costs. The risk of a criminal record should be a serious deterrent to the removal of confidential information containing personal data relating to other individuals.
Whilst of course employers need to do all they can in practical, technological and contractual terms to protect their information, the serious consequences of being caught should be a serious warning for those who contemplate removing their employers’ confidential information. Employers who are particularly concerned about the pilfering of their confidential information may want the guidance they issue to make clear to employees the potential consequences of breach of their obligations.
This is an extended version of an article which appeared on the PM Online website on 13 October 2014.