Data - How to stop employees taking your data and what do you do?

 

There are two categories of employee who can cause untold damage to a business, both financially and by damaging its reputation. They are the rogue employee (a maverick or someone who is disaffected) and an entrepreneurial employee, who is looking to set up his/her own business. How do you protect yourself if you have either category as one of your team?

 

The Rogue Employee

The case involving supermarket giant Morrison's, which was heard in the Court of Appeal last year, is a milestone case. The appeal court has upheld the judgment that the business is vicariously liable for a data breach caused by an employee, despite the fact that the disgruntled employee decided to deliberately cause the business harm by posting customers' details on the web. The Judge in the first case described Morrison's security systems as mostly providing adequate and appropriate controls and said that even if they had implemented additional recommended controls this wouldn't have prevented the breach. In effect, then, it could not reasonably have done anything more to prevent the employee in question going rogue and posting the customer data. Yet Morrison's were still held liable for the data breach, and the judgment has been upheld. The effect of the ruling is that Morrison's are required to satisfy claims from customers made against them because of the data breach.

 

The Entrepreneurial Employee

Programmes like The Apprentice undoubtedly encourage individuals to set up their own business. In fact, every few weeks we will take a call from a business asking for help because their Sales Director, Sales Executive or Managing Director has run off with their customer database and is now setting up in competition and attempting to divert business away. Whilst businesses cannot protect against all developing external threats, many (if not the majority) of businesses are not doing all that they can to protect themselves from internal ones. Staff awareness and training is an essential component in reducing accidental data breaches, but on a more fundamental level, businesses need to ensure their own house is in order and protected from deliberate internal breaches before considering the external threats. A study conducted by the Ponemon Institute in the United States found that 59% of employees who either quit or are asked to leave take confidential or sensitive business information upon their departure. A Cisco survey of more than 1,000 UK employees showed that whilst 61% of respondents thought their company had a security policy, 48% claimed they were not concerned about it as it didn't affect them. Alarmingly, 39% said they thought it was their employer's responsibility to protect data and not theirs.

 

1. Considering Morrison's, in what circumstances will the individual leaker be responsible and when would the liability move to the employer?

The original leaker will always be responsible. More often than not the business will be too, even if the leak was a one-off event and it would have been difficult to protect against it. There are two types of liability: fines and criminal action taken by the ICO (Information Commissioner's Office), and action taken by individuals whose data has been leaked. In this case Morrison's were not fined for the breach by the ICO because their systems were good. Nonetheless, Morrison's (as well as the employee) were held responsible to those whose data had been leaked. The company was responsible through the principle of vicarious liability.

As arbitration service ACAS explains, in the workplace an employer can be held vicariously liable for blunders committed by employees “in the course of their employment”. In other words, even though the rogue employee acted maliciously, without the company's instructions, Morrison's were ultimately responsible for ensuring the safety and security of employee data, and the employee's rogue actions did not absolve the employer of that responsibility or the duties owed to affected staff. In this case, the judges did not set a legal precedent on the topic of responsibility for employers in similar cases; instead they suggested that the solution is for employers to insure against such catastrophes, that is, against losses caused by dishonest or malicious employees.

Another relevant case, as an example of when an individual leaker will be responsible, is the ICO prosecution of a former Nationwide Accident Repair Services (NARS) employee, Mustafa Kasim, under the Computer Misuse Act. Kasim was charged with securing unauthorised access to personal data of NARS through the use of fellow employees' login details. As in this case, when an employee acts in a malicious manner by using fellow employees' login details so as to make a gain from the company's private information, they will be held responsible ahead of the employer. This case highlights that when an individual acts maliciously in disclosing confidential information, they will be held responsible for their own actions. We are yet to see whether NARS will be held vicariously liable too.

2. What should employers do if they suspect a breach (or that one may happen) - how should they investigate the event? At what point does the matter move from disciplinary to criminal that requires police intervention?

Initial steps should be taken to secure the breach and undertake any remedial action to prevent further breaches of that personal data. The company should then consider whether any notification needs to be made to the Information Commissioner's Office (ICO) or to the individual data subjects. It depends upon the seriousness of the leak and the risk. Where a personal data breach is likely to result in a risk to the rights and freedoms of one or more data subjects (this could be an applicant, member of staff or other individual whose data has been breached), then the data controller must notify the ICO about the breach - at this point there is the option to employ police intervention through the ICO.

The ICO must be provided as a minimum with the following details:

  • The nature of the breach, including the approximate number of individuals affected and the categories of data that have been breached;
  • Contact information for the employer's data protection officer;
  • The likely consequences of the personal data breach; and
  • The measures taken or proposed to be taken by the employer to address the breach.

Employers must report notifiable breaches within 72 hours of becoming aware of them. The fact that an employer will rarely have concluded its internal investigation into relevant matters within this initial 72-hour period must not, however, deter the notification being made.

3. Can the employer claim financial losses back from the employee?

Yes, if the employee is at fault. Various steps can be taken to find out what the risk is. For example, where a rogue employee wants to use confidential information to set up a business in competition, the steps below may be useful.

 

Search Orders

A Search Order is a form of injunction that allows one to enter and conduct a search of the individual's premises (this can be a business and/or a home address). The Search Order will allow the seizure of any relevant evidence. Due to their draconian nature, Search Orders can be difficult to obtain from the Court, so it is important to have a well-prepared case.

 

Delivery Up Order

A Delivery Up Order is a type of injunction which forces the opponent to immediately give back all stolen information (including hard copy confidential information and often copies of computers and other electronic devices). If such an Order is not complied with, individuals can be held in contempt of court, which can lead to them being fined or sent to jail.

 

Freezing Orders 

In instances where there is a risk of the individual dissipating their assets in the face of a legal claim, you can, through the Courts, ensure that assets (bank accounts, properties, shares, etc.) are frozen. This helps guarantee that any damages awarded by the Court will be recoverable once the legal proceedings have concluded. In our experience, such action really does focus the mind of the recipient and often a deal can be done quickly thereafter. Often the threat of such action is enough to stop the infringement. Also, seeing the company take a hard line against others can be a very powerful deterrent. Businesses should not therefore hold back but take decisive action if faced with such a threat. Of course, prevention is better than cure and all businesses should take steps to safeguard themselves as much as they can.

 


 

The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.
