The enemy within – employees misusing or stealing data
Businesses have to consider the security of their data, and in this technical age, that issue is of great importance. One area of particular concern is confidential data which, if it was stolen, could be used to take business away, such as lists of client or customer contact details. Often the risk here is not from external sources, but instead from employees working within the company who may depart and decide to take copies of the confidential data with them to use in their new job, or to set up a competing business.
As always, prevention is better than cure, so employers should make reasonable attempts to prevent such incidents from happening. Steps such as ensuring contracts of employment cover confidentiality, getting employees to sign confidentiality agreements, and monitoring access to confidential data, can all help.
If an employee does steal important data, what can be done?
Employers can take action in the civil courts against the employee. However, before proceedings are commenced, usually the first step is to seek undertakings (essentially a legal promise) from the employee so they agree to return data they have taken and promise not to use such data. Usually these will be sought in a letter before action. If this fails, then it is possible to seek injunctions from the courts to prevent the employee using the data, and also to seek damages for any financial loss caused as a result of the data theft. Injunctions can be sought to obtain the return, or destruction, of any data held by the employee (including data held on their electronic devices if relevant - see our previous article here). In regard to seeking damages for any financial loss caused, the word of caution here is that it can, in some circumstances, be difficult to prove any financial loss to a court. This can mean that the effort (i.e. the time and cost) of going to such lengths is relatively fruitless. That said, when the stakes are high if data is misused, then the costs and time can seem insignificant compared to the cost of doing nothing at all.
An example of how difficult it can be to demonstrate financial loss was shown in a recent case in the High Court (Marathon Asset Management LLP v Seddon & Ors). In this case, two employees had copied 40,000 documents prior to departing from the business. Notably only limited use was made of any of the documents by those two individuals. Marathon took them both to court and tried to argue that the employees had to pay for the value of the data they had taken, which they said was worth around £15 million. The court disagreed and said that no actual injury had been caused to Marathon - the judge said there was a ‘vast gulf’ between the extent of the use which Marathon said could potentially have been made of the files, and the very limited use which was actually made of them. Marathon were awarded nominal damages of £2 (£1 from each of the individuals)!
Court action aside, there is another potential step to consider, which is to report the employee to the Information Commissioner’s office, as they could be committing a criminal offence under the Data Protection Act 1998. The Information Commissioner’s office recently prosecuted an individual for such a theft of data (R v Rebecca Gray). Ms Gray worked for a recruitment company, and just before she was leaving to go and work for a rival recruitment company, she emailed herself the personal data of around 100 clients and potential clients. She then used this information in her new job. She was fined £200, ordered to pay £214 of costs and pay a £30 victim surcharge. Whilst the fines are not large amounts, Ms Gray does now have a criminal record which could affect her ability to obtain other jobs in the future. Therefore, informing employees of this risk could be a very good preventative measure indeed!
We would recommend that employers seek advice before deciding whether to report an individual to the Information Commissioner’s Office, as there may be other considerations to take into account, such as whether this then creates duties to report the matter to other regulatory authorities.
If you would like to talk through a situation you are dealing with concerning an employee misusing confidential data, please contact any member of the Pure Employment Law team (01243 836840 or firstname.lastname@example.org).