In the current world of work, it is all too easy and tempting for some employees to take information their employer has worked hard over many years to develop and send it to a personal email or access it in some other way.
Executive Summary
- Homeworking and supporting technologies have increased, giving employees more ready access to their employers’ trade secrets.
- Entrepreneurialism is also on the increase.
- The misuse of trade secrets and confidential information to help a start-up (or a competitor) is unlawful and courts are likely to step in to prevent loss and damage.
- Evidence of such wrongdoing is critical to taking successful action.
- Employers should ensure their IT systems and contractual documents guard against the risk of misuse.
- Where employers suspect or find misuse, action should be taken swiftly, assisted by the experts
Entrepreneurialism in Lockdown
Since the first lockdown, developments in home working technology have accelerated, as businesses have moved quickly—often making significant financial investments—to enable their people to remain productive. We now use Teams and Zoom (unheard of by many before March 2020) more than ever to interact with our colleagues and work via cloud-based systems. Anecdotally, it seems that many more people are using multiple digital channels in their work with documents and information moving around via WhatsApp and Messenger, along with USB sticks and other portable data storage devices.
While those advances have brought undeniable benefits to many and should move the dial toward more flexible working practices after the restrictions come to an end, it has left some feeling more distant from their employer’s “mother ship” and determined to lock in a better work-life balance once the lockdown is over.
Perhaps it is not surprising that despite the significant restrictions we have all been living and working under during the past 12 months or more, entrepreneurialism is alive and kicking. A study commissioned by the Royal Mail found record numbers of new businesses started in the period March to July 2020: more than 315,000 start-ups set sail.
Lawful Beginnings?
While the vast majority of those new enterprises have been set up using perfectly legitimate and lawful means, it is also highly probable that a significant number have been given a head start by founders using confidential information and other goodwill belonging to their former employers.
In the current world of work, it is all too easy and tempting for some employees to take information their employer has worked hard over many years to develop and send it to a personal email or access it in some other way.
Before we look at what can be done by way of cure (and ideally prevention), it is helpful to consider what is actually capable of protection—in other words, what can someone lawfully take with them to another organisation, and what is an employer entitled to protect?
Individuals are permitted to take their skills and experience built over the duration of their career to their next place of work. However, they are not permitted to take information representing trade secrets (which are fact-specific in each case) or otherwise confidential information which is protected by an appropriate clause in a contract of employment. (See the Prevention section below).
Businesses are also entitled to protect their customer connections and goodwill together with the stability of their workforce. The implied terms in every employment contract (whether or not the employee has a written contact, implied or unwritten terms exist and afford both sides certain protections) will help the employer while the employee is still employed. For example, an employee must not, during employment, compete with their employer, solicit their employer’s customers, entice others to leave the employer, divert opportunities from their employer, or misuse their employer’s property.
Once the employment relationship comes to an end, however, the employer is left with nothing other than the employee’s duty to keep trade secrets confidential as long as the trade secrets retain that status unless there are reasonable express restraints that afford further protection. These “restrictive covenants” will usually seek to reinforce the protection of confidential information, prevent the solicitation of certain customers and staff, and prohibit the employee from having business dealings with the same customers and from employing certain former colleagues.
The enforceability of post-termination restraints is often a fiercely fought and expensive battleground. One key issue for those who are embroiled in such battles is that under current law (the UK Government is currently consulting on the possibility of reform) each case turns on its facts: a particular restriction may be enforceable against one employee, but not another.
Amid the uncertainty, there is a clear and incontrovertible principle: here one business gets a head start from the unlawful misuse of another’s confidential information, the courts will usually step in.
Cure
Strong evidence is critical in support of such an action. And the sooner you can get it, the better. Any unreasonable delay is going to make getting an injunction impossible. There is also the chance that, in the face of overwhelming evidence, the wrongdoer(s) will stop their unlawful actions to avoid the time and significant expense of a legal battle.
With regards to a related matter recently: a media business discovered that one of its senior employees, who had resigned to join a competitor, had sent more than 100 emails containing confidential information belonging to the company from his work account to a personal account. The CEO had a decision to make—take forceful legal action potentially without notifying the employee, or speak to the employee, alerting him to the fact that the company was aware of his actions, which could have resulted in the information being dissipated and impossible to recover with certainty. Having obtained the evidence quickly and secured it within the company, the CEO decided to pursue the second option given his knowledge of and relationship with the individual. It worked: The information was saved, and the employee delivered his IT devices so they could be checked and wiped of the company’s data. Combined with a series of contractual undertakings, including promises that he had handed everything back to the company and would not misuse any information, disaster was averted.
The speed of a company’s response in such circumstances is critical. Undue delay will make it very difficult to secure urgent relief in court although it will not prevent a breach of contract claim later down the line.
Obtaining the Evidence and Assessing the Damage
Understanding the landscape of available data and securing devices of interest quickly are paramount to successfully defusing these issues. The devices to capture and where to focus your attention are heavily dependent on what you suspect has happened.
For example, has the employee emailed documentation to an external account? You will need access to the company email servers and potentially the employee’s personal email account. Do you suspect that the employee has downloaded information from a company server? You will need access to that server, and information on the level of network logging available. Do you suspect that the employee has transferred information to an external USB device? You will need access to the machine on which they completed the transfer, and the USB device in question, even if it is now empty.
Most of these data sources can be collected remotely and in a forensically defensible manner. It is far better to collect the data through independently retained consultants in order to protect the integrity of the evidence. This is especially important in the current climate, and it allows data to be collected quickly and efficiently. It is best to take a bespoke and consultative approach to the investigation. Some issues are best tackled by a detailed digital forensic investigation, focusing on the what and when. Some investigations, such as email exfiltration, are more suited to a combination of technologies and workflows more often used in the context of eDiscovery in litigation.
In a situation where exfiltrated information is found on a non-company device, you are likely to want to ensure the data is irretrievably deleted once you have captured the evidence of its misappropriation. Depending on the scope, this can either be done in a targeted manner or the entire device can be wiped. What if the information has found its way onto a new company’s network? Some platforms can scan an entire corporate network for fragments of stolen data, allowing it to be isolated and deleted.
Prevention
Is it possible for businesses to prevent or at least reduce the risk of these sorts of situations?
First, a company should have a good set of employment contracts with well-drafted restraints. They protect the employer during the life of the employment relationship and post-termination, and make it clear to employees what is not permitted, which may help to deter a potential wrongdoer. Similarly, if a company experiences this type of “business protection” issue and eventually, the workforce finds out about it, it may be sensible to talk to staff to raise awareness of acceptable practices and the risks of falling on the wrong side of the line.
In the current environment, bring your own device (BYOD) policies carry more significance. In some cases, they can lead to blurring the distinction between work and personal data. Good communication around the use of work data on a personal device is important. Looking slightly farther ahead in the process, specific attention should be given to the contractual language around these policies; this can be very helpful when the company needs to acquire a device for investigative purposes.
There are many different platforms available to businesses to monitor employee activity. Some will pick up on certain actions (such as flagging when emails are sent to certain domains) others will extensively log a wide range of activity that can then be investigated as required. The decision often comes down to proportionality as many of these platforms are expensive options more suited to large corporations.
Another effective option is to block rather than monitor. You can bar your employees from accessing certain domains when connected to the company network and disable USB ports on all devices. If an employee is determined to move data from your network, that individual can invariably find a way, but using a combination of these approaches will make it more of a challenge and will in any event, put you in a robust position should you need to call for external assistance.
Conclusion: Work in Progress
With the ever-increasing use of technology at our fingertips in a more disparate world of work, the hidden threat of an unscrupulous employee who wishes to join a competitor or to set up a competitive business and take confidential information with him or her, has perhaps never been greater.
Given that prevention is better than a cure, sensible business managers should be looking now to ensure their employment contracts and people policies are fit for purpose and IT systems are set up securely without hampering employee productivity.
© Copyright 2021. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals.
Ankura is not a law firm and cannot provide legal advice.
