There have been two recent cases looking at the issue of ex-employees misusing business contact lists. In the first, the Information Commissioner's Office successfully prosecuted an employee for emailing client details to his personal email address when he was about to start working for a competitor. The other involved the High Court making an order allowing the inspection of an ex-employee's personal electronic devices and the destruction of any confidential information found on them.
ICO criminal prosecution for taking client contact details to a new job
Mr. Lloyd worked for a waste management company. Before leaving to start a new role at a rival company, he emailed the details of 957 clients to his personal email address. The email contained personal data such as contact details and the purchase history of customers and other commercially sensitive information.
The Information Commissioner's Office prosecuted Mr Lloyd under the Data Protection Act 1998 for the offence of unlawfully obtaining personal data. He was fined £300 and ordered to pay costs.
Unlawfully obtaining or disclosing personal data is a criminal offence under section 55 of the Data Protection Act 1998. The offence is punishable by way of a fine. The fines imposed so far have been relatively modest and the ICO is pushing for more effective sentences, including the threat of prison, to stop the unlawful use of personal information.
Employers are under a specific duty to process personal data securely, which includes ensuring appropriate measures are in place to prevent unlawful disclosure. It is, therefore, good practice for employees to be regularly reminded of their data protection obligations.
High Court orders search and destruction of confidential information on ex-employee's electronic devices
The Gallacher group of companies provide insurance brokerage services. Mr Skriptchenko had worked for them before starting work for a competitor called Portsoken Limited. Gallacher suspected misuse of its confidential information and brought a claim against Mr Skriptchenko and Portsoken.
The High Court granted an order for:
- inspection of Mr Skriptchenko's personal electronic devices (including phones and computers);
- inspection of Portsoken's computer systems; and
- destruction of any confidential information belonging to Gallacher found on them.
An order for destruction had not been made in any previous reported cases. However, the High Court was persuaded to grant it here because it had already been admitted that Mr Skriptchenko had taken a client list from Gallagher and that Portsoken had used that information to approach over 300 of Gallagher's clients. Therefore, it was felt that Portsoken could not be trusted to find and delete the confidential information themselves. It may also have been relevant that the chairman, managing director and other directors of Portsoken were all involved in misusing the confidential information.
The order was made subject to certain safeguards including an assurance that copies of the imaging of the devices would be preserved so that if material might subsequently be found to have been wrongly removed, it could be restored.
There are a number of steps you can take to protect your business where there is particular reason to suspect a future breach of confidentiality by an ex-employee. Think about:
- Reminding the former employee of their restrictive covenants (including their obligations of confidentiality); and of the fact that documents containing personal data they have produced or worked on in the course of their employment belong to you. This could all be covered in the termination letter or letter acknowledging resignation.
- Flagging that it is a criminal offence to take client records that contain personal information to a new job without permission.
- Asking the departing employee to sign an undertaking putting them on notice that you will take action if they breach their covenants. If an employee is going to work for a competitor, also think about sending the new employer a letter outlining their post-termination restrictions.
- Raising a court action. It is possible to raise court proceedings for interdict in Scotland (injunction in England and Wales) to prevent anticipated exploitation of confidential information. It is also possible to seek damages from the former employee representing lost profits as a result of any unlawfully used confidential information and/or to seek an order for the recovery or destruction of any confidential information taken by the ex-employee.
If you would like more information on data protection or confidentiality, please get in touch with your usual Brodies' contact.