If employees steal data, confidential information or trade secrets
Article by Ronald JJ Wong. Republished from website.
What’s the problem?
A study found that more than half of employees steal confidential company information when they leave their employment. Data taken include customer email addresses and contact lists. Some of these may include personal data.
Employees can use stolen data to solicit clients or trade secrets to develop competing products or services. Some have tried to sell stolen data online for millions of dollars. Such conduct may harm the company’s reputation, trade connections and business interests. The company may also be deemed to be in breach of data protection legislation.
I’ve written about this issue elsewhere. Here are further thoughts on it.
How to Prevent?
Confidentiality & Other Clauses
Insert robust confidentiality clauses in employment contracts. They should be drafted bespoke to your business context to ensure they cover the type of confidential data your business deals with. Note that there are legal nuances about the scope of such clauses which affect their enforceability.
Confidentiality clauses should be drafted alongside non-solicitation, garden leave, termination and forfeiture provisions to ensure they harmonize and work together to protect the company.
Data Management Policies
Develop & implement written policies on data management, security and access.
Ensure that such policies are read, briefed and explicitly acknowledged by all employees.
Access to, and admin control of, highly secret or sensitive data should be restricted to select categories of employees.
Personal email accounts, storage devices and cloud storage applications should be prohibited. Provide company-controlled storage devices and cloud storage solutions.
Just before an employee’s termination, their company devices should be immediately returned. If there is a suspected data breach, do not conduct your own checks on the device as you may accidentally overwrite evidential data. There may be subsequent allegations raised about the chain of custody of the evidence.
Instead, consider sending it to an external IT forensic expert to conduct the review. If there are internal skilled IT personnel who are able to conduct such a forensic investigation, ensure that this is done by such personnel with their every activity logged.
The forensic investigation should be able to reveal if data has been emailed, copied, transferred or deleted.
Some IT forensic service providers include:
https://www.infinityforensics.com/
http://www.rp-ds.com/#!/our-services
https://www.rsm.global/singapore/service/advisory/digital-forensics-investigation
https://www.am-investigators.com/investigator-services/
https://private-investigator-singapore.com/digital-forensics-singapore/
Detection Measures
There are IT solutions which enable you to detect when large amounts of data have been transferred or copied out of any company device.
Set the company VPN or intranet network to disable access to commonly used cloud storage applications like Dropbox, Box and Google Drive.
For employees who have tendered their resignations and are serving out their notice period, consider conducting a spot check on their company devices and accounts while they are still employed with the company. Check their access to data on cloud or shared servers or drives for unusual activity. If necessary, place them on garden leave.
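As an added illustration (not part of the original article), the notice-period check described above can be sketched in Python: it compares each resigning employee's daily outbound data volume with their own pre-resignation baseline and flags transfers to the cloud storage services named above. The log format, the HR feed, the host names and the 5x threshold are assumptions, and the sample records are constructed.

```python
import csv, io
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample records (not real logs): date,user,destination,bytes_out
SAMPLE_LOG = """\
2024-03-01,alice,fileserver.corp.example,120000000
2024-03-04,alice,fileserver.corp.example,90000000
2024-03-05,alice,fileserver.corp.example,150000000
2024-03-11,alice,usb-mass-storage,4200000000
2024-03-12,alice,dropbox.com,800000000
2024-03-01,bob,fileserver.corp.example,200000000
2024-03-04,bob,fileserver.corp.example,180000000
2024-03-11,bob,fileserver.corp.example,210000000
"""
# Hypothetical HR feed: user -> date the resignation was tendered
ON_NOTICE = {"alice": date(2024, 3, 8)}
# Cloud storage services the article names (domain names are assumed)
CLOUD_STORAGE = ("dropbox.com", "box.com", "drive.google.com")
SPIKE_FACTOR = 5  # assumed threshold: 5x the user's own pre-notice median

def is_cloud_storage(dest):
    return any(dest == s or dest.endswith("." + s) for s in CLOUD_STORAGE)

def flag_notice_period_activity(log_text, on_notice, factor=SPIKE_FACTOR):
    """Return (user, day, reason, detail) findings for employees on notice."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> bytes out
    findings = []
    for day, user, dest, nbytes in csv.reader(io.StringIO(log_text)):
        d = date.fromisoformat(day)
        daily[user][d] += int(nbytes)
        if user in on_notice and d >= on_notice[user] and is_cloud_storage(dest):
            findings.append((user, d, "cloud-storage", dest))
    for user, resigned in on_notice.items():
        before = [b for d, b in daily[user].items() if d < resigned]
        if not before:
            continue  # no baseline: leave to manual review rather than guess
        baseline = median(before)
        for d, b in sorted(daily[user].items()):
            if d >= resigned and b > factor * baseline:
                findings.append((user, d, "volume-spike", f"{b / baseline:.0f}x baseline"))
    return sorted(findings, key=lambda f: (f[0], f[1]))
```

A finding here is only a prompt for the spot check; any examination of the device itself should still follow the forensic handling described earlier.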
Post-Termination
A review of devices and accounts, suspension of accounts, and suspension of account-connected devices such as smartphones should be conducted on the last day of employment.
Legal & Practical Responses to Breach
Court Injunction Order
You will need to act fast in preparing the evidence and court papers to apply for an urgent interim injunction or court order to stop the ex-employee from further wrongful use or disclosure of the confidential data. (It is interim in the sense that it is temporary until the entire matter has been resolved.)
Other commonly sought orders in an interim injunction include:
an order for the ex-employee to deliver up documents or materials containing the confidential information;
an order for the ex-employee to deliver up devices which contain the confidential information for forensic examination;
an order for the ex-employee to disclose how, where or to whom the confidential information has been used or disclosed.
Civil Claim
The aforementioned interim injunction is part of the main civil claim that a business can bring against its ex-employees.
In the main civil claim, the company may claim, in addition to a permanent injunction, for monetary damages or an account of the profits. An account of profits is an order to disclose the profits made by the defendant, and to pay to the claimant such amount, derived from the wrongful use of the confidential information.
As regards damages, the claimant may claim for:
loss of profits which the claimant would have obtained if not for the breach;
loss of chance to obtain some contract, tender, or benefit because of the breach;
Wrotham Park damages: a fee which would have been paid for a hypothetical licence or sale of the confidential data (if such a hypothetical licence or sale is commercially realistic);
the cost of recreating the confidential information using legitimate sources (if it is feasible).
Report to the Police
A breach of confidence per se may not amount to a criminal offence. However, if there is unauthorized access to computer systems, it may be criminal.
You may wish to report the matter to the police. The police may consider it a private civil matter. However, in some situations, especially where it concerns regulated industries like banking and finance, the police will take action. For example, in 2008, 7 ex-employees of Citibank stole customer data and left for rival bank UBS. They were charged under the Computer Misuse Act and banking customer secrecy provisions in the Banking Act.
PDPA Breach Notification
If personal data may have been taken, you will need to assess whether the data breach notification obligations in the Personal Data Protection Act 2012 are triggered. There are certain deadlines to such assessments and notifications. Broadly, the criteria for data breach notification are significant harm to affected individuals (based on class of personal data) or significant scale (500 or more individuals).
Business Recovery
Businesses would want to swiftly respond to data breaches by courting customers or employees who may have been poached, assuring remaining customers about their data, and patching any gaps in their data security or management processes.
Commonly Disputed Legal Issues
In legal disputes concerning these circumstances, the following legal issues are commonly fought between parties.
Whether confidentiality obligation applies
A confidentiality obligation may apply because of an express contract term or under the general law of equity.
If it is based on an express contract term, the issues which follow are the scope of the term and the interpretation of the wording.
If it is based on the general law of equity, the Singapore Court of Appeal in I-Admin (Singapore) Pte Ltd v Hong Ying Ting and others [2020] SGCA 32 has held that the court must first consider two prerequisites:
whether the information in question has the necessary quality of confidence about it; and
whether it was imparted in circumstances importing an obligation of confidence. An obligation of confidence will also be found where confidential information has been accessed or acquired without the plaintiff’s knowledge or consent.
It is upon the satisfaction of these prerequisites that an action for breach of confidence may be presumed.
The presumption can be displaced where, eg, the defendant came across the information by accident or was unaware of its confidential nature or believed that there is a strong public interest in disclosing it. The burden of proof is shifted to the defendant to prove that his conscience was unaffected.
Whether information is confidential
The legal framework to analyse whether data or information is confidential or a trade secret is broadly also based on (i) the wording of the contract term (if any); or (ii) general law’s categorization of types of information applied to the facts.
On (ii), the legal authority often cited is Faccenda Chicken Ltd v Fowler [1985] 1 All ER 724 (Ch). There, the English High Court classified 3 categories: (i) trivial information; (ii) confidential information which when internalized into the memory of an employee becomes part of his skill and knowledge; (iii) specific trade secrets so confidential that even if learnt by heart cannot be used by an employee after he has left the employment.
It is often held by courts that client information, client lists, pricing information, unique recipes, unique chemical formulae, etc. are confidential.
Compilation of data into a database based on information from the public domain may be deemed confidential (I-Admin).
Whether and to what extent duty of confidence applies to the recipient
While an express contractual provision on confidentiality will not apply to a third party who receives the confidential information, e.g. the new employer of the employee who left the claimant, a third party recipient may have an obligation of confidence imposed on it under general equitable principles.
This is significant because it would allow the claimant to also claim against the new or prospective employer.
The approach set out in I-Admin mentioned above would apply. The question thus is whether the information is confidential and the information was imparted in circumstances importing an obligation of confidentiality.
The issue is the knowledge the recipient has about whether the information is confidential and how the recipient received the information.
If indeed it would be obvious to any reasonable person that the information is confidential, the recipient may well be subject to the confidentiality obligation.
Interplay with non-solicit and non-compete restrictive covenants
It is often the case that employees will use the confidential data stolen to benefit themselves in a new business they begin or for a new employer.
As such, the claimant company will often also claim in breach of non-solicit of customers and/or non-compete clauses (if any).
The usual issues which then arise are whether those clauses are reasonable and thus enforceable or, even if not, whether parts of such clauses can be severed to render the remainder enforceable.
Optimally, these clauses should have been well drafted from the outset, narrowly limited to protect only the legitimate interests of the employer, and customized to the specific employer’s context.