Opinion

Ensure data doesn't leave with your staff

With average employee turnover in the UK stable at about 15%, the security implications of staff departures should not be overlooked. While most departing employees are honourable, there is, unfortunately, a sizeable minority who will copy databases, customer requirements, tender documents or, in some cases, copy and remove proprietary code.

What can be done to stop this happening? One of the first steps to take, well in advance of any specific employee problem, is to treat this as a regular business issue, and a suitable business approach should be taken.

The best place to start is with an appropriate risk assessment. This would focus on identifying two things: first, which employees or teams are the most likely to be tempted to remove information or try to take customers when they leave. In many cases, the greatest risks come from senior staff or sales teams.

Second, you should try to spot the data and information that is most likely to be targeted. Then you can ensure that there is appropriate security, as well as a reliable system for tracking when and how the data has been accessed - which is an invaluable tool when trying to build up a picture of what employees have been up to.

This should be backed up by making sure that the right wording is in place in the employee's contracts, particularly those who pose the greatest risk. It is a common misapprehension that restrictive covenant clauses do not work or are not worth having. Employers tend to think this because lawyers argue so much about whether these clauses are enforceable, but this ignores the fact that this is exactly what lawyers are paid to do.

When action needs to be taken, the stakes are usually high, so it is natural for each side to strongly argue its position. However, these are nothing more than opinions that the lawyers are paid to have, although many strong cases have been abandoned despite positive legal advice.

Once it is discovered that a current employee is intending to leave and has acted suspiciously in relation to business data, another set of decisions has to be taken. Do you dismiss or do you suspend and investigate?

By dismissing the employee, you may only succeed in giving them grounds for an unfair dismissal claim and, at the same time, destroy the effectiveness of any restrictive covenants in their contracts.

This also releases them early to join their new employer. If you suspend and investigate, this avoids those problems.

But the employee is still part of the business and may be able to do further damage by communicating with other staff or accessing work information. The decision is best made as part of an overall strategy in each case, as the business objectives tend to vary from case to case.

In many instances though, the full extent of the employee's wrongdoing is not discovered until after they have left. When that happens, legal remedies become far more important. Even if there is no contract in place or no restrictive covenants, all is not lost.

If it can be shown that an employee has removed information or data that is confidential and which would give them some competitive advantage, the High Court has jurisdiction to issue an injunction preventing the information from being used, even where there is no employment contract.

In some cases, this can result in employees being prohibited from working for whatever period the court thinks is appropriate. These are usually called springboard injunctions and are based on the court's "inherent jurisdiction" to grant appropriate remedies. (The concept goes back to the 1895 case of Robb v Green.)

As another alternative to restrictive covenant injunctions (which are more expensive) it is also possible to get an order from the High Court that all of your property be "delivered up" or returned, with strict conditions attached.

These can include the right for you to send an independent expert to interrogate and analyse a former employee's computers, to ensure that all information has been destroyed and not copied or forwarded on. This is particularly useful where code has been removed, or when the information only exists in soft copy.

It is also worth remembering that injunctions are court orders, so if employees break them they are in contempt of court, which can mean that they will be sent to prison and, although this only usually happens in the more extreme cases, the courts do regularly hear applications for committal.

But the legal remedies do not stop there. Apart from the various injunction orders that exist, you can also obtain orders for ex-employees to honestly account for their activities and to compensate their former employer.

Compensation is most often "contractual", in that it is designed to put the ex-employer in the position they would have been in if the employee had not removed the information or used it to steal business. This can often be significant, particularly where proprietary code is taken and used in a new product without approval.

But businesses are now increasingly applying for even greater compensation, based on the law of tort. This allows you to claim damages for loss of profit for some time, in some cases for several years. For example, if an employee leaves and takes information crucial to a customer relationship, then uses the information to get the customer to follow them, you can claim for the loss.

The immediate loss of profit on the contracts removed from your business will be the contractual damages. But, by claiming for the loss of the whole relationship as a result of the ex-employee's behaviour, you can claim for several times the contractual amount because it includes a claim for the lost profit on all the contracts you expected to get in future.

At every stage of an employee move, there are plenty of things a business can do to protect its information, or to get it back with proper compensation.

Warren Wayne is an employment law partner at international law firm Bird & Bird

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

This was first published in March 2006

 

COMMENTS powered by Disqus  //  Commenting policy