A number of recent reports and surveys have rightly highlighted the previously unappreciated risk of data theft by employees and contractors. Indeed, data is more likely to be stolen or corrupted by insiders than to be affected by malware. With employee turnover typically running at 15% to 20% at UK organisations, the effective management of the risks associated with data theft is a constant process.
The best place to start is with an appropriate risk assessment, to identify which staff or staff positions are most likely to pose a threat, and the information or software code that they are most likely to target.
In many cases, the greatest risks come from staff who can access information that is not commonly available, or who hold details on your closest relationships with customers.
And these may be employees or contractors, often in a variety of countries.
It can be relatively simple to ensure that systems can log when and how data has been accessed – an invaluable tool when trying to build up a picture of what people have been up to and whether litigation becomes necessary.
Any strategy to protect the company from data theft will need a legal component. It is important to make sure that the right wording is in place in the workers’ contracts, particularly for those who are in roles that pose the greatest risk. Software- and computer-use policies, as well as restrictive covenants, are the backbone of effective documentation here. For any restriction to be valid, it must protect a ‘protectable interest’ of the business. Interests recognised by the courts are:
• Confidential information
• Trade secrets
• Trade connections with customers, suppliers and business partners
• Connections with prospective customers
• Skills of the existing workforce
These can be protected by contracts, as long as the protection is within what the court sees as reasonable limits. Where these limits are is the issue that generates most debate in practice.
It is a common misconception that restrictive covenant clauses do not work or are not worth having. This reflects the fact that when action needs to be taken, the stakes are usually high, so each side will strongly argue its position. Arguing is exactly what lawyers are expected to do.
In reality, these are simply opinions, and the courts always look at the effect of the clauses on individual staff. One of the most common mistakes employers make is to simply paste into their contracts a clause that has been used before in another context.
This is a tempting shortcut, especially for international staff, but can be a barrier to taking appropriate action.
Choice of legal representation has a bearing on the company’s approach: many strong cases are abandoned by employers due to disproportionate concerns over smaller points. When more than one country is involved, central co-ordination of the business and legal response to data theft is crucial, particularly as the rules on jurisdiction can vary depending on whether the worker was an employee or a freelancer.
Program rights
Software code is also protected by copyright, as it is classified as a “literary work” under the Copyright, Designs and Patents Act 1988. While section 11 of the Act ensures that all code written by an employee will belong to the employer, code that is written by a contractor or an individual freelancer is not covered. This can often lead to ownership disputes over code or programs, which are difficult to resolve. The only safe way to deal with this issue for freelancers and contractors is to ensure that their contract terms include a valid assignment of rights, which can be enforced in the country where they carry out most of their work.
Similarly, information stored on a database has an additional layer of protection, due to the Copyright and Rights in Databases Regulations 1997.
The advantage of action under these regulations is that it is not necessary to show that the information was confidential for effective court action to take place.
Warren Wayne is partner in the international HR services team at law firm Bird & Bird
Further reading:
Information Age Internal risks, including information leakage, data theft, and employees and partners, continue to represent the greatest threat to corporate information security.
Information Age Troubled US payment processing company Fidelity National Information Services was hit by a class action lawsuit, following the theft of 8.5 million customer records by a former employee.
Find more stories in the Security & Continuity Briefing Room