
Organisations often believe they need procedures to
protect their databases from misuse by hackers outside the
organisation, writes Jimmy Desai of law firm Blake Lapthorn
Tarlo Lyons. But it is sometimes the case that an
organisation's own employees use its database in unauthorised
ways.
Pennwell ruling
Take the Pennwell Publishing case. A Pennwell employee listed his
contacts on Pennwell's Outlook system and then went on to set up a
competing business, arguing that most of the contacts on the list
were personal to him. In that particular case, it was decided that
because it was a single list, it was not a personal list maintained
by the employee and was not separate from work systems.
The Pennwell judgement also held that where a list of addresses
is held on an employer's e-mail programme and backed up by the
employer or by arrangement made with the employer, it belongs to
the employer and cannot be copied or removed by employees for use
outside their employment or after their employment comes to an end.
Pennwell was entitled to retain the database, although the employee
was entitled to retain contacts he had made prior to his employment
with Pennwell.
In another case, TML Financial Solutions obtained a USB memory
stick, the contents of which provided evidence of the
misappropriation of confidential information by ex-employees.
And in Crowson Fabrics versus Rider, the employer (Crowson) alleged that
ex-employees had copied confidential information (including
customer contact details and sales figures). Because the
ex-employees' contracts did not have restrictive covenants relating
to confidential information, it was found that only Crowson's
database rights had been infringed.
Message monitoring
Because of the risk of unauthorised use of databases by
employees, an organisation should consider implementing e-mail
policies that allow it to monitor e-mail usage: many cases have
involved sales staff e-mailing data to their home e-mail accounts.
The e-mail policy should identify what information belongs to
the employer and what information belongs to the employee, and
should prohibit removal of employer information. An employer should
ensure it obtains consent to monitoring e-mail usage from new
joiners. It is also important that deleted e-mails are not too
difficult to retrieve.
Companies might also include the occasional "false" lead on the
database to see whether there is any leakage or unauthorised use,
and limit database access to certain staff. Restrictive covenants
and express confidentiality obligations in employee contracts can
be used to prevent database misuse during and after an employee's
employment, but this is no substitute for having the correct
procedures in place to prevent misuse occurring in the first
place.
Organisations invest a huge amount in their databases, so it is
well worth their while investigating whether they do in fact own
the intellectual property rights to them, how they deal with them,
and how they might protect them from unauthorised use.
Jimmy Desai is a partner at Blake Lapthorn Tarlo Lyons