What happens in your company when an employee leaves, taking customer or database information, copies of programs or code, or business-critical information?
Does management go into a huddle, consulting you only when told to by its lawyers? Do you ignore the situation, or do you step forward, confident of the value you can add?
These questions are becoming increasingly important as businesses strive to adapt to the evolving nature of employee competition.
When staff leave and take confidential data with them, the most common mistake that businesses make is to let themselves be guided by assumptions and common (but incorrect) myths, such as:
- Garden leave alone is good enough
- Legally, you cannot do anything until business has been lost
- Clients will have to be involved
- It will be difficult to trace what employees have been up to.
All of these assumptions are incorrect and the business can easily lose out by believing them. The importance of the critical role that an IT function can play is usually underestimated.
Although garden leave can be useful in the short term, it does not prevent staff using information they may have taken home undetected, or from making arrangements for programs to be duplicated and used abroad.
Garden leave may keep people away from office-based information, but experience shows that anyone who is planning to leave will remove most of the information they want well in advance of their resignation.
The key to an effective strategy is a swift and focused investigation, and these are increasingly technologically driven.
It is surprising how often businesses say that they cannot do anything until they have shown that they have lost business.
This could not be further from the truth: the courts can grant injunctions as long as it can be shown that it is most likely that confidential data or business sensitive secrets have been removed.
Many businesses, even IT businesses, can be surprisingly unaware of what to do here. It is not so much that they don't know what is possible, as that there is not enough liaison between the business side and the technical side to properly identify what is being looked for, which leads to a lack of understanding of the urgency of the situation.
There is a good reason for finding evidence quickly and being able to take action quickly. The courts have to assess whether to grant an injunction by considering the "balance of convenience". This means that they have to assess whether damages after the event would be better than an injunction to prevent the release of sensitive information. Delay will reduce the chances of winning an injunction and make it more likely that information lost can never be fully recovered.
There are many ways to detect unauthorised calls, as well as uncovering and reconstructing e-mail communications, to the extent that there are a number of businesses that concentrate on nothing else.
Many employers have found critical evidence through these methods, revealing activity that they would otherwise never have believed was taking place. Once you have this evidence, there is little that the departing staff can do to defend their position and deals are often struck without the need for further legal action.
Although it is often customers that first provide a tip-off that suggests data has been removed, management are understandably afraid of involving customers. But it is exceptionally rare for any client involvement to really be necessary.
There are ways of dealing with legal evidence, forensic evidence and customers that should allow you to avoid any damage to the customer relationship. It can even be improved by the experience.
A proactive IT function that gets to grips with the investigation and delivers quickly can earn significant respect from the rest of the business.
In a world where employees are increasingly sophisticated, more able to exploit technology and less loyal to their employers, the opportunities - and need - for IT functions to step forward and play their part in security have never been more obvious.
Warren Wayne is a partner at law firm Bird & Bird
This was first published in March 2006