If you think employee data theft is not a big problem, you will need to think again. In fact, you will be shocked at the number of employees who said they were willing to sell data, such as computer source code and customer, supplier & employee data, and other confidential information (Data).
In this article, we discuss why employers must be aware of the risks of employee Data theft, the actions available to employers whose employees steal Data, and the steps employers can take to secure company Data and prevent theft.
Employee data theft is incredibly prevalent – a study by the Ponemon Institute found:
- 75% of employees said they had access to data they shouldn’t have; and
- 25% of employees in the study were willing to sell data to a competitor for less than $8,000.
A prominent Australian case saw online retailer Showpo take action in the Federal Court against a similar online retailer named Black Swallow, alleging that its former employee downloaded its client database containing 306,000 customer contacts, subscribers, suppliers and competition entrants. Showpo asserted that the former employee then provided the contact database to her new employer, Black Swallow.
The parties settled their dispute and Black Swallow was ordered to pay $60,000 to Showpo – each party footed their own legal costs.
While the study by the Ponemon Institute will likely send shivers up many employers’ spines, the timing of employee data theft is relatively less surprising. A Carnegie Mellon University study found that:
- 70% of employees who stole IP from an employer did so within 60 days of their termination.
Employee Data Theft – What can employers do?
The potential actions for employee Data theft are outlined below.
Section 183 of the Corporations Act prohibits employees from improperly using confidential information to gain an advantage for themselves or cause detriment to the company that employs them. Under this provision of the Corporations Act, civil penalties apply.
If the director, officer or employee contravenes s183 of the Corporations Act, the court must make a declaration of contravention under section 1317E of the Corporations Act and is then able to make an order under section 1317G of the Corporations Act to pay a penalty. The court may also disqualify the director or officer from managing a company under section 206 of the Corporations Act.
Where a company brings a proceeding under section 183 and seeks a compensation order, it is critical for the company to show actual damage. In SAI Global Property Division Pty Limited v Johnstone  FCA 1333 (SAI v Johnson) damage was unable to be shown, which meant that only nominal damages were awarded.
If the information that is stolen (or reproduced) is copyrighted material, owners may bring an action for general damages and/or account of profits under s115 of the Copyright Act. Punitive damages are also available, depending on the ‘flagrancy’ of the breach. This provision will be especially important for software development companies and software companies where it is critical to protect valuable source code.
Employees need to be made aware that under the Copyright Act, there is no requirement to show the employer has suffered any damage; rather, the theft itself is sufficient for the Court to award damages. Also see SAI v Johnson, where $50,000 of damages were awarded to SAI for breaches of this provision of the Copyright Act.
Most employment contracts have express provisions that specify how employees must handle Data and other confidential information, as well as specifying what constitutes confidential information. Employees who breach specific terms may be sued for breach of contract, provided the employer can show damage or loss. The Courts may order injunctions to prevent the use of the information and order that the information be returned to the employer.
Breach of Confidence
The equitable doctrine of confidence has been long established. In Seager v. Copydex (No.) 1967 1 WR 923, Lord Denning MR said:
He who has received information shall not take unfair advantage of it. He must not use it to the prejudice of him who gave it without gaining his consent.
The equitable duty of confidentiality makes it illegal to disclose confidential information. Employers should be aware that the doctrine does not, however, address the wrongful access to confidential information. If employees breach an equitable duty of confidence, employers may seek an injunction and/or compensation.
To be successful in proving a breach of confidence, the plaintiff must establish that the information that was disclosed:
- is confidential in nature;
- has not been authorised to be disclosed;
- has initially been provided to the disclosing party in circumstances where there is an obligation of confidence; and
- has been misused, or threatened to be misused.
Criminal Code Act (Cth)
There may be criminal penalties available under Section 478.1 of the Criminal Code, which makes it a criminal offence to gain unauthorised access to, or modification of, Data held on a computer which is restricted by an access control system. There are similar provisions at the State and Territory level. While these crimes are targeted at computer hackers, where the defendant gains ‘unauthorised access’, they may also apply to employees in certain circumstances.
Therefore, for criminal action under the Criminal Code, it must be shown that the Data was restricted through password protection or other similar means and that the employee gained access without consent.
Tips For Employers to Help Protect Company Data
Employers must have a plan to follow, should an employee or ex-employee be suspected of stealing data. It is important to not jump to conclusions and fire an employee immediately upon mere suspicion. There may be a legitimate reason for what has transpired or employers may be mistaken as to the facts. The best course of action is to get legal advice from lawyers who are available to give you immediate advice as to whether your company should:
- perform an internal investigation or hire private investigators;
- focus on collecting specific evidence, or understand a specific method of collecting evidence;
- report the incident to the police;
- terminate the employee’s employment, or stand them down; and
- take other such action that is relevant in the circumstances.
Draft Policies to Deter Employee Data Theft
Prevention is better than a cure, so they say. Therefore, it is important to have proper policies that attach to employment agreements. Steps should be taken to describe these policies to staff, so they are aware of the various actions (described above) that may be taken against them if they are involved in the theft of Data.
Employers should also consider implementing a policy that restricts the use of personal devices such as USB drives and other similar storage devices. Access to personal email accounts during work hours should also be restricted.
Employers should engage IT security consultants to formulate user access levels across the business. This will ensure that employees only gain access to Data that is relevant to their roles. Avoid giving an ‘all-access pass’ to all employees, as this can increase the risk of Data theft unnecessarily. User access levels should also be properly described in employment contracts.
Employers should work with their IT manager to ensure that there is monitoring software that logs computer activity. As the Carnegie Mellon University study taught us, it is especially important to monitor employees’ activity around the time that they resign from their position.
It is not only the computer systems that can be monitored. It is legal to have video surveillance in the office that can help detect and prove the theft of Data. Employers who have video surveillance in the workplace will need to make video surveillance a condition of employment within employment contracts.