This page contains a Flash digital edition of a book.
Ask the expert Ask the expert


What to do in case of database theft


We suspect that a former employee has stolen our customer database and is using it to start up his own business. What should our course of action be? How can we minimise the damage this could cause and how do we ensure it doesn’t happen again?


Sarah Birkbeck is a partner at law firm Thomas Eggar.


Report the suspicion directly to the highest level of management. The risk to the business needs to be assessed quickly and confidentially from a human resources and commercial risk perspective. Legal advice should be sought straight away: the early stages are vital in securing evidence effectively, assessing risk and minimising damage. Sometimes the alarm is raised when it is discovered for instance that a database has been sent to a home email account, but that is not always the case.


Care needs to be taken to secure any electronic evidence of illegality (like unauthorised access or downloading) properly so that, if necessary, it can be used in subsequent legal action. A forensic computer expert may be needed. At the same time, a commercial operation needs to swing into action to get the best relationship managers available to protect the relationships with key customers to whom the former employee was close. The legal team will assess the available options on the facts. They will check the former employee’s contract. Does it adequately protect the use of the business’s confidential information after termination? If not, the legal team will have to assess whether the customer database is otherwise protected. There may be provisions in the contract that would not be legally enforceable, or they may not go far enough, and implied duties (which are limited) may need to be relied on. Each case will be different. Depending on the seriousness of the threat posed, a possible option is to instruct the legal team to engage with the former employee to secure contractually enforceable written assurances not to use and to return the database, and to provide details of usage to date for assessment. If that is unsuccessful in the very short term, an application for an injunction followed by a trial can be considered.


The nuclear option, where there is exceptional urgency and very high risk, a special type of injunction is applied for before any engagement with the former employee to allow a closely regulated search of premises and electronic devices. If successful in getting an injunction, a trial follows (or earlier settlement). Such cases are relatively unusual and require a high degree of evidence.


It is not possible to eradicate the risk but it is possible to minimise it by implementing a mix of legal and practical measures. Below are some headline pointers: • Ensure appropriate professionally drafted restrictions are in place in employment/service contracts • Password-protect confidential databases • Limit access to the database to the trusted few • Reinforce the confidential nature of customer databases regularly and make it clear that it is property that belongs to the business


• Make sure key customers have relationships with more than one employee • Be clear about acceptable use of personal electronic devices for work purposes


• Have a professionally drafted email monitoring and social network policy • Ensure the return of business property (electronic devices and documents) on termination.


Have a question you’d like an expert to answer? Email it to jamesd@catalog-biz.com.


Sarah Birkbeck www.catalog-biz.com | Catalogue e-business | Direct Commerce


7


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36