Data theft – what are employers options and risks?

Employee data theft

Data theft is most commonly carried out by copying or removing personal data or confidential business information from a company’s computers or electronic devices.

Data theft has become common in the business world caused mainly by employees or consultants who are contemplating a move to a competitor or setting up their own business, or by external hackers.

Surveys suggest that the unlawful use of company data by former employees is very high, with the risk bneing especially high in the 3 months before they leave. Many departing employees believing they aren’t doing anything that wrong because others are doing it, have a mistaken belief of a sense of ownership of the IP or data. Other employees look to leverage databases and knowhow as a way to impress and add value in a new position. Finally there is sometimes vengeance against a previous employer.

See also generally our insight about employee’s post employment duties with confidential information.

Data theft by company directors

Data theft is not confined just to employees. We advise on many shareholder dispute which include allegations of various types of missappropriation of company funds and assets, including where a shareholder director treats company data as his or her own property. This problem appears to be quite widespread according to surveys. Often directors are also employees so employment law can apply in these situations as well as breaches of fiduciary duty or even allegations of fraud.

Flexible and remote working will often mean that employees may save and store data to personal devices for their own ease of access making unlawful use of data or theft of data easier to achieve. A business hit by its valuable data and confidential information being stolen and used by a competitor must act quickly, perhaps by way of applying for an injunction,  to minimise damage to the business by stopping the unlawful competition and data theft.

What data do employees and consultants unlawfully use?

The most common areas of vulnerability and theft by employees tend to be:

• theft of customer lists, information or database
• pricing structures
• financial information
• company secrets
• company policies
• employee information
• operating processes
• strategic plans
• software source code

How do employees remove or use business data?

Data is very easy to steal in some organisations.  What we tend to deal with is:

• Moving data to portable storage devices/removable media – such as USB devices, mobile phones and tablets
• Emailing it to a personal email account
• Extracting to cloud storage sites such as Dropbox, Google Drive or iCloud
• Printing or photocopying material.

Investigating and obtaining evidence of employee data theft

Sufficient evidence must be obtained to able to threaten and then if necessary take court action.

Transfers of data to personal email accounts or downloading data to personal devices may be evident from business computers and provide proof of data theft.

Evidence may however be lost or altered through further normal use of a computer or mobile device so swift action involving digital forensic investigators may be required to show what data theft has occurred on specific devices, when it occurred and how it occurred.

Where data theft is suspected and the evidence is not immediately available or obvious, obtaining the evidence of data theft needs to be very carefully managed, as employees have strong legal rights under GDPR and Data Protection laws. It’s essential to check your employment contracts and policies and comply with these. Whatever your policies may say, you should proceed with caution when accessing any computers or devices used by employees. Any forensic examination should be planned, documented, specific to the investigation of data theft and/or fraud and proportionate. It is always recommended to take legal advice and to have an investigation carried out by objective 3rd party experts.

Legal action for data theft or unlawful use of confidential data

A business might threaten to sue for breach of confidentiality provisions and/or restrictive covenants in employment or consultancy agreements.  Data theft may also constitute gross misconduct, but in many cases the employee may already have left employment. Stealing data may well constitute a criminal offence under the Theft Act 1968 or, if reported, lead to a prosecution of the employee by the Information Commissioners Office.. Whilst most employers do not end up bringing private prosecutions for theft against employees, the threat of doing so can be a powerful way to convince the employee or ex-employee to co-operate and return stolen data.

The best way to avoid misappropriation of assets by senior employees and disgruntled employees is often to place the employee on garden leave.

The outcome sought will vary based on the facts but could involve:

Disciplinary action and possibly dismissal of the employee

In many cases employers only discover theft and/or unlawful persoanl use of company data after an employee has left their employment. Howeverr, where the employee is still employed, disciplinary action is the most obvious option. The employee should be suspended and great care taken with any internal investigation. Data theft, where proven, could well constitute gross misconduct. Employers should be vigilant and wary of the risks of having strong evidential grounds for dismissal but leaving themselves open to  findings of unfair dismissal for some from of procedural unfairness. So, it’s essential to follow a through and full process before dismissing.

 Undertakings

The threat of litigation, often following a cease and desist notification will often result in undertakings being agreed.  Undertakings need to fit the circumstances of the particular theft, such as:

• not to misuse the confidential information
• to deliver up any material made as a result of misuse of the confidential information, or which contain any part of the confidential information
• to pay damages or an account of profits – depending on the circumstances and scale of the misuse of the data/ confidential information
• to pay costs. 

Applying for an injunction

Injunctions can also be obtained where appropriate and necessary, including:

• Computer Imaging orders – permitting independent IT experts to investigate devices to see if they contain stolen data and confidential information
• Search orders – allowing entry and search of premises to seize evidence
• Immediate delivery up order – compelling the return of stolen documents or other items within a certain specified period.

Is there a criminal case?

In dealing with any instance of data theft there are other possible remedies for a company to consider as part of its strategy to minimise damage to the business, the threat of which can assist with achieving a swift and cost effective outcome. These include:

• Data Protection laws
• Computer Misuse Act 1990

Employee liability under the Data Protection Act

In the UK, unlawfully obtaining or accessing personal data without the consent of the data controller is a criminal offence under section 55 of the Data Protection Act 1998.

The Information Commissioner’s Office (ICO) has power bring criminal proceedings against a party for unlawfully obtaining and using personal data. This might include an ex-employee and their new employer.

​In 2016 the ICO issued a warning  putting employees on notice that the taking of  client records containing personal information is a criminal offence.

Whilst financial consequences for an employee might not be huge, the outcome can result in a criminal record, as well as losing their new job and diminishing prospects for future employment.

One reason why this method of pursuing ex-employees has not been widely used is that it comes with risks to the employer, Before involving the ICO a business must consider its own role in the transfer of personal data and be aware that it may also face liability if it is found that it has not complied with its obligations under Data Protection laws including data breach reporting and keeping data secure.

Contact Us for advice and assistance

Litigation can be expensive and may involve arguments about what is and is not confidential information of the business. Many ex-employees will try to argue that  information used in their new business was not confidential information or a trade secret of their former employer, but instead know-how that they had acquired over the course of their experience in the relevant industry.

However, when an ex-employee can be shown to have copied or downloaded information, this certainly points toward somebody gathering information to compete against their ex-employer.

Please do call us to talk over your concerns or if you need lawyers to deal with a data theft situation in your business.