Sometimes the real threat is right under your nose

Organisations often believe they need procedures to protect their databases from misuse by hackers outside the organisation, writes Jimmy Desai of law firm Blake Lapthorn Tarlo Lyons. But it is sometimes the case that an organisation's own employees use its database in unauthorised ways.

Pennwell ruling

Take the Pennwell Publishing case. A Pennwell employee listed his contacts on Pennwell's Outlook system and then went on to set up a competing business, arguing that most of the contacts on the list were personal to him. In that particular case, it was decided that because it was a single list, it was not a personal list maintained by the employee and was not separate from work systems.

The Pennwell judgement also held that where a list of addresses is held on an employer's e-mail programme and backed up by the employer or by arrangement made with the employer, it belongs to the employer and cannot be copied or removed by employees for use outside their employment or after their employment comes to an end. Pennwell was entitled to retain the database, although the employee was entitled to retain contacts he had made prior to his employment with Pennwell.

In another case, TML Financial Solutions obtained a USB memory stick, the contents of which provided evidence of the misappropriation of confidential information by ex-employees.

And in Crowson Fabrics versus Rider, the employer (Crowson) alleged that ex-employees had copied confidential information (including customer contact details and sales figures). Because the ex-employees' contracts did not have restrictive covenants relating to confidential information, it was found that only Crowson's database rights had been infringed.

Message monitoring

Because of the risk of unauthorised use of databases by employees, an organisation should consider implementing e-mail policies that allow it to monitor e-mail usage: many cases have involved sales staff e-mailing data to their home e-mail accounts.

The e-mail policy should identify what information belongs to the employer and what information belongs to the employee, and should prohibit removal of employer information. An employer should ensure it obtains consent to monitoring e-mail usage from new joiners. It is also important that deleted e-mails are not too difficult to retrieve.

Companies might also include the occasional "false" lead on the database to see whether there is any leakage or unauthorised use, and limit database access to certain staff. Restrictive covenants and express confidentiality obligations in employee contracts can be used to prevent database misuse during and after an employee's employment, but this is no substitute for having the correct procedures in place to prevent misuse occurring in the first place.
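As an added illustration, not part of the column, here is a small Python check over a constructed outbound mail-gateway log that applies two of the controls above: flagging attachments sent to personal webmail accounts, and flagging any message addressed to a seeded "false" lead. Every address, domain and log line is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed "false lead" entries seeded into the customer database.
# No genuine business reason exists to e-mail them, so any message to one
# is a leakage signal worth investigating.
CANARY_CONTACTS = {"canary.lead@example.invalid", "fake-prospect@example.invalid"}

# Constructed list of personal webmail domains named in the e-mail policy.
PERSONAL_WEBMAIL_DOMAINS = {"homemail.example", "freemail.example"}

# Constructed outbound mail-gateway log, one message per line.
SAMPLE_LOG = """\
2024-03-01T09:12:03 from=alice@corp.example to=alice.home@homemail.example attach=customers.xlsx
2024-03-01T09:40:11 from=bob@corp.example to=client@partner.example attach=
2024-03-02T17:55:42 from=carol@corp.example to=canary.lead@example.invalid attach=
2024-03-03T08:02:19 from=dave@corp.example to=dave@freemail.example attach=
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<src>\S+) to=(?P<dst>\S+) attach=(?P<attach>\S*)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the gateway log; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def flag_events(events: List[Dict[str, str]],
                canaries=CANARY_CONTACTS,
                personal=PERSONAL_WEBMAIL_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (timestamp, sender, reason) for messages that need a second look."""
    findings = []
    for ev in events:
        dst = ev["dst"].lower()
        domain = dst.rsplit("@", 1)[-1]
        if dst in canaries:
            findings.append((ev["ts"], ev["src"], "seeded false lead addressed: " + dst))
        elif domain in personal and ev["attach"]:
            findings.append((ev["ts"], ev["src"],
                             "attachment sent to personal webmail: " + ev["attach"]))
    return findings


if __name__ == "__main__":
    for ts, src, reason in flag_events(parse_log(SAMPLE_LOG)):
        print(ts, src, reason)
```

Messages to personal webmail without an attachment are deliberately left unflagged here; the threshold belongs in the e-mail policy the column recommends, and the tuning is the organisation's decision.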

Organisations invest a huge amount in their databases, so it is well worth their while investigating whether they do in fact own the intellectual property rights to them, how they deal with them, and how they might protect them from unauthorised use.

Jimmy Desai is a partner at Blake Lapthorn Tarlo Lyons