Employees “stealing” documents when they leave a business can be a major issue for employers. Two recent cases show how the UK courts have been dealing with it:
A recruiter forwards client details to personal email (and then contacts the client)
Before leaving to start a new job at a competitor, a recruiter emailed personal details of around 100 clients and potential clients to her personal email. She then contacted those individuals when she started her new job. The ICO prosecuted the recruiter for unlawfully obtaining personal data under the DPA. She pleaded guilty and was fined £200 and was ordered to pay costs of £214 and a victim surcharge of £30. The key point was that data should only be used for the purpose for which it is collected, which is unlikely to include transferring the data to a new employer.
Two investment managers steal files (and don’t use them)
In Marathon Asset Management LLP & Ors v Seddon & Ors, the judge said that an investment management firm “missed the jackpot” when he ruled that Marathon was only entitled to £2 in damages from two former employees despite claiming £15 million in damages for the stolen data.
The firm sued two former employees after they copied several files of confidential information before they left the firm. Marathon argued that the defendants should pay the value of what they had taken as opposed to damages for any loss suffered, which was zero as the employees hadn’t actually made use of the information contained in the files.
Marathon argued that if you take something, you should pay for it. Marathon also argued that the firm was exposed to a risk of loss and the two former employees acquired an opportunity for financial gain in taking the files. The judge gave these arguments short shrift. He made the analogy that a motorist driving at high speed may be putting lives and safety at risk, but the people in danger cannot claim for damages.
The judge said that there was a “vast gulf” between the use that the firm argued could have been made of the files, and the very limited use that was actually made of them by the former employees. Marathon had advanced no case based on time, trouble and expense incurred, and instead they went “all out” for the maximum damages, which were not suitable.
As one of the employees’ lawyers said, this judgment is a cautionary tale for employers attempting to assert significant losses for the removal of company documents. Marathon’s £15 million claim and £2 payout show how perceptions of value can widely differ from the actual amount that can be reasonably claimed in damages, and how hard it can be to establish a realistic usage value for commercial documents.
As an aside, Marathon rejected a sensible settlement offer from the defendants and spent up to £10 million on legal fees only to recover £2 in damages.
What Should Employers Do Next?
- Businesses should be cautious about client information brought to them by new employees. If you know that the information is owned by a previous employer, the business (as well as the employee) may risk action from the ICO if you then process that data.
- If new employees turn up on day one with boxes of files, you could ask them for a warranty confirming that they will not be acting in breach of any existing obligations in relation to confidential information and data protection.
- You should ensure that your policies and contracts in relation to confidential information and data protection are comprehensive, consistent, up to date and have been properly communicated to all staff.