Theft of Business Data and Employee Misconduct Explained

21 January 2026

Employers often experience the theft of sensitive company information and data at the hands of an aggrieved employee during their employment or, particularly, after resigning. This can have serious consequences both for the business and the culprit. However, the exact impact depends on what information/data is removed. When an employee accesses or misuses information, different laws apply depending on the circumstances and the type of information involved.

Personal Data

Accessing or removing personal data (information that relates to a living individual and can identify him/her) is governed by the Data Protection Act 2018 and the General Data Protection Regulation (GDPR), which deal with the holding, storing, processing, accessing and disclosure of information to protect personal data and the privacy of individuals. Employers must have and implement adequate controls to protect personal data and, where there has been a breach, they must investigate the breach, review their security procedures, document their findings, inform the ‘victim’ and inform the Information Commissioner’s Office (ICO) as soon as possible.

Misuse of Computers

The Computer Misuse Act 1990 deals with unauthorised access to a computer. An employee may be guilty of an offence if he/she makes unauthorised use of a computer with the intention of accessing information to which he/she would not ordinarily be entitled. Such conduct is reportable to the police and the National Crime Agency and can lead to fines and custodial sentences.

Illegal Disclosures

Where employees misuse computers to obtain and/or disclose confidential materials or trade secrets without permission, the Trade Secrets Regulations 2018 may apply. These Regulations protect undisclosed know-how and business information from unlawful acquisition and disclosure. A breach of the Regulations can lead to civil injunctions and damages.

Client Confidentiality

Many commercial contracts have inbuilt confidentiality clauses and, if there is unauthorised access or disclosure, this can put the business in breach of that agreement and jeopardise the relationship. Businesses can take serious disciplinary action where information is accessed, disclosed or misused, causing regulatory breaches and reputational damage, undermining contractual relationships and weakening their market strength.

How to Reduce the Risk of Data Theft

Prevention of theft is far better than repairing the damage. It is important that businesses set up and implement rigorous rules and procedures.

  • Set up clear rules on what constitutes business and confidential information.

  • Set out clear rules on who can access that information and the parameters on the use of company information.

  • Provide staff training on data protection matters so staff understand what they can and cannot do and have knowledge of the legal consequences of mishandling data.

  • Implement strong monitoring and detection practices, and prompt reporting procedures, to minimise further risks.

Businesses should be aware of their legal duties and responsibilities and, where breaches occur, prompt investigations are important. The risk of theft of business data is minimised if you implement clear policies, restrict access, adopt strong technical controls, engage in active monitoring and provide regular staff training.

Further guidance can be obtained from the ICO website.

If you require any further assistance, please do not hesitate to contact our HR/Legal advice line team on 01455 852 028.
