There have been a couple of cheering recent developments for employers whose staff walk out the door with confidential information. Traditional legal remedies in these cases, such as an action for breach of contractual confidentiality provisions, have been around forever but these can feel impractical, expensive and unpredictable to employers who find themselves at the sharp end of information theft. However the cases mentioned below offer some different lines of attack.
Criminal Prosecution by ICO
The Information Commissioner's Office recently pursued a criminal prosecution against an employee who left his job and took with him information about his former employer’s clients. While the ICO is not concerned about all confidential information, in this case (as in many others) the information contained personal data relating to clients. This breached data protection legislation and constituted criminal activity under section 55 of the Data Protection Act 1998, since the data was obtained unlawfully.
Although the sanctions applied were small (fine of £300, victim surcharge of £30 and £400 costs), the threat of a criminal conviction will be a serious deterrent to most professionals and, of course, the employer does not directly bear the costs or administrative burden of pursuing the prosecution. In practical terms, the value of this sanction may be mostly in the threat, particularly if clients/data subjects can be persuaded to make or threaten direct complaints to the regulator.
It is also noteworthy that the ICO specifically publicised this prosecution and warned other employees who might be considering similar actions, which may be taken as a change in enforcement policy for cases of this type.
Order for Destruction of Confidential Materials
In a different case, Arthur J.Gallagher Service (UK) Limited v Skriptchenko, the court took the novel step of making an emergency injunction order that confidential information had to be deleted from computers of the ex-employees and their new employers. Odd as it may seem, such orders are not part of the normal legal repertoire in disputes of this kind and this type of order does not have any authoritative legal precedent.
While destruction of illicit copies may seem like an obvious measure to take, the permanency of this remedy can deter judges from ordering it at the interim stage (i.e. when an emergency injunction hearing is taking place). There are a number of good reasons for that. Firstly, injunctions ordering you to do something (rather than not do something) are, in general, harder to obtain. Secondly, interim orders are made on an emergency application and without the benefit of a full trial, so judges have to give consideration to the risk of injustice if their interim decision turns out to be wrong.
The evidence against the defendant was unusually strong in this case, which may be why the court was willing to take this novel step. The claimant also gave several assurances intended to pre-empt the judge's concerns about making the order; in particular by committing to keeping a complete image of the hard drives so that the information could be reinstated later, if the order proved to have been unjustified.
What does this mean for employers?
Both these cases should provide comfort to employers who are frustrated by a lack of practical and effective remedies when faced with confidential information breaches. And for employers who are on the receiving end of information they know or suspect to be ill-gotten, these cases are a reminder to tread carefully. In either case, expert advice should be sought at an early stage: to ensure a wronged employer can explore the widest range of legal options, or in the case of the receiving employer, to avoid getting into seriously hot water.