Employee data theft is a significant risk that is incredibly prevalent.
A study by the Ponemon Institute found:
- 75% of employees said they had access to data they should not have, and
- 25% of employees in the study were willing to sell data to a competitor for less than $8,000. Such data included computer source code, customer, supplier and employee data, and other confidential information.
In this article, we will discuss why employers must be aware of the risks of employee data theft, potential actions available to employers, steps that employers can take to secure company data and other preventative measures.
Show Pony Group Pty Ltd v Black Swallow Boutique Pty Ltd – NSD1984/2016
A prominent Australian case saw online retailer Showpo take legal action against a similar online retailer named Black Swallow in the Federal Court, alleging its former employee downloaded its client database containing approximately 306,000 customer contacts, subscribers, suppliers and competition entrants. Showpo also claimed that the former employee provided the contact database to her new employer at Black Swallow, who sent unsolicited marketing emails to those contacts.
After mediation, the parties settled their dispute, with Black Swallow reportedly agreeing to pay $60,000 to Showpo. In addition, each party paid its own legal costs.
While the study by the Ponemon Institute will likely send shivers up many employers’ spines, the timing of employee data theft is relatively less surprising. A Carnegie Mellon University study found that:
- 70% of employees who stole IP from an employer did so within 60 days of their termination.
Employee Data Theft – What Can Employers Do?
I have outlined the duties that employees and ex-employees owe to their employers below.
Section 183 of the Corporations Act 2001 (Cth) (‘Corporations Act’) prohibits employees from improperly using confidential information to gain an advantage for themselves or cause detriment to the company that employs them. Under this provision of the Corporations Act, civil penalties apply.
If a director, officer or employee contravenes section 183 of the Corporations Act, a court must declare an infringement under section 1317E of the Corporations Act in order to impose a penalty under section 1317G of the Corporations Act. A court may also disqualify directors or officers from managing a company under section 206 of the Corporations Act.
It is critical for companies seeking a compensation order under section 183 of the Corporations Act to show actual damage.
Duty of Good Faith
Employees are subject to the duty of good faith at common law in their employment. This duty includes not disclosing confidential information to unauthorised third parties (Robb v. Green).
If the data or information that is stolen (or reproduced) is the subject of copyright, owners may commence an action under the Copyright Act 1968 (Cth) (‘Copyright Act’).
Damages are available under section 115 of the Copyright Act, as are special damages, depending on the ‘flagrancy’ of the breach and the need to deter similar infringements. Further, under the Copyright Act, there is no requirement to show that the employer or copyright owner has suffered damage. Instead, the theft is sufficient for the Court to award damages, as in, for example, SAI Global Property Division Pty Limited v Liam Johnstone  FCA 1333.
This provision will be significant for software development companies and software companies, where it is critical to protect valuable source code from theft.
Breach of Confidence
Freeburn J, in Optus Networks Pty Ltd v Telstra Corp Ltd  FCAFC 21; (2010) 265 ALR 281, set out the following four elements to establish an equitable breach of confidence:
- The information in question must be identified with specificity,
- It must have the necessary quality of confidence,
- It must have been received (by the recipient) in circumstances imparting an obligation of confidence, and
- There must be an actual or threatened misuse of the information without the confider’s consent.
The remedies available for breach, or threatened breach, of an equitable duty of confidence include an injunction or damages. Urgent injunctions are also available, particularly where misuse or disclosure of trade secrets or confidential information will have a significant financial or reputational impact.
Please read this detailed article on Confidential Information and Trade Secrets in Australia.
Breach of Employment Contract
Most employment contracts have express provisions specifying how employees must handle data and other confidential information and what constitutes confidential information. In cases where confidential information is unintentionally disclosed, employers can likely take disciplinary action. Unsurprisingly, however, employers are more likely to be within their rights to terminate employment when data is stolen.
Employees who breach specific terms may be sued for damages. A court may also order injunctions to prevent the use of the information and order that the information be returned to the employer.
Criminal penalties may apply under section 478.1 of the Criminal Code Act 1995 (Cth) (‘Criminal Code’), which makes it a criminal offence to gain unauthorised access to, or make an unauthorised modification of, data held on a computer that is restricted by an access control system. There are similar provisions at the State and Territory level. While these crimes target computer hackers, ‘unauthorised access’ can also apply to employees with access to a part of their employer’s network, for example.
To prosecute under the Criminal Code, employers must be able to demonstrate that the data was restricted through password protection or other similar means and that the employee gained access without the employer’s consent.
Tips For Employers to Help Protect Company Data
Employers must have a plan to follow when an employee or ex-employee is suspected of stealing data. It is important not to jump to conclusions and fire an employee immediately on mere suspicion. There may be a legitimate reason for what has transpired or a mistake of fact.
The best course of action is to get legal advice from lawyers as to whether your company should:
- Perform an internal investigation or hire private investigators;
- Focus on collecting specific evidence or understand a specific method of collecting evidence;
- Report the incident to the police;
- Terminate the employee’s employment or stand them down; and
- Take such other action as is relevant in the circumstances.
Draft Policies to Deter Employee Data Theft
Prevention is better than a cure, so they say. Therefore, it is essential to have proper policies that attach to employment agreements. Steps should be taken to describe these policies to the staff so they know the various actions (described above) that may be taken against them if they are involved in data theft.
Employers should also consider implementing a policy that restricts the use of personal devices such as USB drives and other similar storage devices. Access to personal email accounts during work hours should also be restricted.
Employers should engage IT security consultants to formulate user access levels across the business. This will ensure that employees only gain access to data that is relevant to their roles. Avoid giving all employees an ‘all-access pass’, as this can unnecessarily increase the risk of data theft. User access levels should also be adequately described in employment contracts.
Employers should work with their IT manager to ensure that there is monitoring software that logs computer activity. As the Carnegie Mellon University study taught us, monitoring employees’ activity around the time they resign is essential.
It is not only the computer systems that can be monitored. It is legal to have video surveillance in the office that can help detect and prove data theft. Employers who have video surveillance in the workplace will need to make video surveillance a condition of employment within employment contracts.