Leigh Payne

Employee Confidentiality and Data Theft

Two recent cases have shone a light on the ever-present problem of data theft by employees.

Whilst many companies are now becoming wise to the possibility of cyber-attacks and are setting up defences against external threats, internal threats are often overlooked by comparison. However, an internal security breach can be just as dangerous, if not more so, as it may not immediately be noticed and - before it is even detected - could cause untold damage to a company’s reputation.

The first case

The first case involves two companies in the travel industry, Travel Counsellors Ltd (TCL) and Trailfinders Ltd (Trailfinders), and was heard in the High Court in January 2020.

Commencing in 2016, sales consultants employed by Trailfinders had begun to leave employment and join TCL as franchisee travel consultants. Trailfinders claimed that over 40 employees had taken this route since the first employee left and set up their own franchise.

Before leaving Trailfinders, some or all of the employees noted down the information of various Trailfinders’ customers, including names, contact details and other information to which they had only had access because they were Trailfinders employees. When, and in some cases before, they started working for TCL, this information was put into TCL systems with a view to obtaining business from those customer contacts for the financial gain of TCL.

When the matter came to light, Trailfinders issued proceedings against TCL and a sample of its former employees who were known to have commenced working as TCL franchisees.

After consideration of the evidence, the High Court found that the customer information disclosed to TCL was ‘highly characteristic of information long regarded by the courts as capable of being confidential and thus liable to be subject both to an implied term of confidence in a contract of employment and to an equitable obligation of confidence’.

In determining whether there was any duty owed by TCL to Trailfinders, Lord Nicholls was quoted: “the law imposes a ‘duty of confidence’ whenever a person receives information he knows or ought to know is fairly and reasonably to be regarded as confidential.” The High Court considered the facts of the case, in particular that TCL did not provide new franchisees with potential customers - instead expecting them to bring their own customer contact list - and held that TCL reasonably ought to have known that the contact information provided by new franchisees was coming from their former employers, which in this case was Trailfinders.

TCL was therefore found to be liable for the breach of an equitable obligation of confidence owed to Trailfinders.

The employees were also held liable for disclosing the confidential information to TCL in breach of their implied employment contract terms of fidelity and good faith, which was held to include an obligation not to misuse the employer’s confidential information.

TCL appealed; however, the appeal was dismissed by the Court of Appeal on 13th January 2021.

The second case

In the second case, a motor industry employee was prosecuted by the Information Commissioner’s Office (ICO).

The employee, who worked for RAC Limited (the RAC), transferred personal data (being partial names, mobile phone numbers and registration numbers) of customers who had been involved in road traffic accidents to the director of an accident claims management firm without having a lawful basis for doing so.

The employee was found to have committed offences under the Computer Misuse Act 1990, Section 1 of which refers to causing a computer to perform a function with intent to secure access to any program or data held on that computer. The ICO commenced a formal investigation and found that the employee had unlawfully processed and shared her employer’s customers’ personal data. The investigation uncovered evidence that the personal data was used to make nuisance calls to the affected customers.

The offence only came to light when a fleet management company alerted the RAC to nuisance calls received by one of its drivers about an accident in which he had been involved. The fleet management company suspected there may have been a data breach by the RAC as it had been involved in the recovery of the driver’s vehicle and therefore had recorded his personal data in connection with the accident.

The RAC carried out a data leakage scan and found evidence that incriminated the employee.

The employee pleaded guilty to charges of conspiracy to secure unauthorised access to computer data, and to selling unlawfully obtained personal data.

She received a sentence of eight months in prison, suspended for two years, and had to pay a ‘benefit figure’ (being a figure representing a benefit obtained as a result of the offence) under the Proceeds of Crime Act in the sum of £25,000. If this benefit figure is not paid within a three-month period, the employee will face three months’ imprisonment. The director of the accident claims management firm which received the personal data also pleaded guilty to conspiracy to secure unauthorised access to computer data and received an eight-month sentence suspended for two years, and was ordered to pay a benefit figure of £15,000.

This case clearly demonstrates that not just an employer but also an employee who processes personal data unlawfully could face prosecution under section 170 of the Data Protection Act 2018. If such an offence were committed, then in addition to any prosecution of the employee, the employer would likely have to report the data breach to the ICO and possibly also notify the affected data subjects, which could result in civil claims for compensation under the General Data Protection Regulation.

What can employers do?

rradar’s Cyber, Data and Information Law (CDIL) team deals with issues such as this on a regular basis and has the following advice for employers concerned about employee data theft:

  • Review IT security measures. Measures should include appropriate security of stored data, use of VPNs and access management (for example, use of access restrictions and good data management).

  • Revisit employment contracts. Check that all staff have signed agreements which include data protection and confidentiality terms. If these are not set out in the original employee contract, implement them within a staff handbook or policy and ensure that all employees are aware of the implications of breaching these terms.

  • Training and awareness are vital. Take steps to ensure that staff are properly trained and educated as to their own personal liability for any breaches.

  • Carry out spot checks. Employees should be monitored by way of regular spot checks or audits. Making staff aware that this takes place can act as a deterrent as everyone is encouraged to adhere to proper practices at all times and not just when they know they are being checked.
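The spot checks and access-management advice above, and the data leakage scan the RAC ran in the second case, come down to one defensive question: which staff member touched far more customer records than their job requires? The following Python is an added illustration of such a check and is not rradar’s code or anything from the cases described. It assumes a hypothetical audit-log format (one line per access: timestamp, user, action, record id) and uses constructed sample lines; the thresholds are illustrative and would be tuned to a real team’s normal workload.

```python
import re
import statistics
from collections import defaultdict

# Hypothetical audit-log line format, assumed for this example:
#   <ISO timestamp> user=<id> action=<view|export> record=<customer record id>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$"
)

# Constructed sample log (not real data). Two consultants working normally,
# one consultant reading 41 distinct customer records and exporting a list.
SAMPLE_LINES = [
    "2021-03-01T09:02:11 user=asmith action=view record=CUST-1001",
    "2021-03-01T09:05:40 user=asmith action=view record=CUST-1002",
    "2021-03-01T09:30:02 user=bjones action=view record=CUST-2001",
    "2021-03-01T10:12:55 user=bjones action=view record=CUST-2002",
    "2021-03-01T10:40:19 user=bjones action=view record=CUST-2003",
    "2021-03-01T11:00:00 user=ckhan action=view record=CUST-3001",
    "this line is deliberately malformed and must be skipped",
]
SAMPLE_LINES += [
    f"2021-03-01T18:{i:02d}:00 user=ckhan action=view record=CUST-4{i:03d}"
    for i in range(40)
]
SAMPLE_LINES.append("2021-03-01T18:45:00 user=ckhan action=export record=CUST-LIST")


def parse_log(lines):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["day"] = event["ts"][:10]  # group per calendar day
        events.append(event)
    return events


def distinct_records_per_user_day(events):
    """Count distinct customer records each user viewed on each day."""
    seen = defaultdict(set)
    for e in events:
        if e["action"] == "view":
            seen[(e["user"], e["day"])].add(e["record"])
    return {key: len(records) for key, records in seen.items()}


def flag_excessive_access(events, floor=10, multiplier=3.0):
    """Flag user-days whose distinct-record count exceeds both an absolute
    floor and a multiple of the peer median, so one busy day does not
    trigger on a uniformly busy team but a lone outlier does."""
    counts = distinct_records_per_user_day(events)
    if not counts:
        return []
    threshold = max(floor, multiplier * statistics.median(counts.values()))
    return sorted(
        (user, day, n) for (user, day), n in counts.items() if n > threshold
    )


def flag_exports(events):
    """Bulk exports of customer data are worth a human review regardless of count."""
    return sorted({(e["user"], e["day"]) for e in events if e["action"] == "export"})


def spot_check(lines, floor=10, multiplier=3.0):
    """Run both checks over raw log lines and return the findings for review."""
    events = parse_log(lines)
    return {
        "excessive_access": flag_excessive_access(events, floor, multiplier),
        "exports": flag_exports(events),
    }


if __name__ == "__main__":
    for category, findings in spot_check(SAMPLE_LINES).items():
        print(category, findings)
```

The output is a short list of user-days for a person to review, not an automatic verdict: a consultant may legitimately read many records on one day, which is why the peer-median comparison is combined with an absolute floor and why exports are listed separately for human judgement rather than counted as a breach.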

Takeaway points

In the first instance, Computer Misuse Act offences are more regularly investigated and prosecuted by the Police rather than the ICO. Accordingly, a conviction for an offence of this nature also carries with it not only the stigma of a criminal record but also the reputational damage that goes with being arrested. It is not unusual for the media to be made aware of such arrests in order that they can be present to report on the event.

When the ICO investigates a Computer Misuse Act offence, it will first focus on the data controller’s implementation of the technical and organisational measures required by Article 32 of the GDPR. This Article is effective in ensuring the security of data and the data controller’s compliance with the Article 5(2) Accountability Principle, which, in turn, requires data controllers to provide staff training and information and to ensure that all employees who process any data have received adequate training within the last 12 months. If the investigation finds that the data controller has breached these provisions, then not only is it highly unlikely that the employee will be prosecuted, but the ICO would be much more likely to take enforcement action against the data controller, i.e. the employer. It therefore remains imperative that employers maintain good practices to best protect themselves in case of any such offence being committed by an employee.