A number of recent cases involving accusations of outgoing employees misusing their former employers’ data have highlighted a need for businesses to stringently audit what data employees can access, say experts.
In a recent case involving allegations of improperly obtaining sensitive company information, IT News reports international freighting company Toll has been granted an order from the Federal Court that will compel a former senior manager, who the company believed had taken “commercially sensitive information” before starting work at a competing freighting company, to give Toll a number of USBs to inspect.
The manager had been working with Toll since 1981, and left in August 2016 for a job with a competing company as a senior executive.
In an earlier judgment, Toll outlined its case against the ex-employee, who had access to data such as pricing information and profit margins via a business laptop. Toll claims despite the employee returning the laptop on his last day of work, the employee had used a number of USB devices to take the data from the laptop.
In a judgment issued last week, the court ruled that the former employee must provide Toll with the USBs within 17 days.
“It seems inherently unlikely that the three inserts on 11 August, the very day before his resignation, were each work-related,” said Justice Logan in the earlier judgment.
In a statement provided to SmartCompany, a Toll Group spokesperson said it had acted quickly to resolve its concerns on this issue.
“Toll takes this matter extremely seriously. We are committed to protecting the security of our customer information and are working quickly to take appropriate steps to safeguard our customers’ interests,” the spokesperson said.
Fashion retailer and Smart50 alumni Showpo recently settled a case also involving claims of misuse of company data. The company sued competing retailer Black Swallow after an outgoing Showpo graphic designer was accused of downloading the company’s customer database and providing it to her new employers, Black Swallow.
Fairfax reports Black Swallow has been ordered to pay $60,000 to Showpo, and the graphic designer in question has been banned from using the contact list.
Earlier this year, Black Swallow founder Alex Baro denied he had used the Showpo database and told SmartCompany he had contacted Showpo founder Jane Lu a “number of times” to resolve the issue.
Baro was contacted for a statement by email this morning but did not provide a written statement, and Showpo did not respond to requests for comment prior to publication.
Businesses must “act soon” to prevent data theft
Employment lawyer at TressCox Lawyers Peta Tumpey tells SmartCompany concerns around ex-employees stealing company data have “always been” a major issue, across both senior and junior positions.
“It used to be that employees would print off customer databases, now they think they’re being clever by using USBs to download them,” she says.
Tumpey believes that businesses are slowly becoming more aware of the issue and are implementing more sophisticated protections. However, she notes vigilance is needed earlier rather than later.
“It’s important to act as soon as the employee issues their resignation, especially for senior positions. Businesses should limit access to documents and only provide access to ones they need for handover, as lots of executives will have unlimited access to a lot of sensitive documentation,” Tumpey says.
“Also, immediately conduct an audit of that person’s computer, and check any use of external hard drives or USBs.”
Tumpey says many employers are reluctant to implement such stringent practices for outgoing employees, with many worried about offending the long-time workmate.
“I’ve had businesses say ‘they’d never do that, they’ve been with us 15 years’, they’re quite fearful,” she says.
“It has to be done anyway.”
In the case of the ex-Toll employee, the outgoing employee’s email account was also analysed and a number of emails were found between him and his future employers. Tumpey says keeping an eye on employees email accounts is also needed, including personal ones.
“Block access to personal email sites like Gmail or Hotmail, as some employees will send confidential emails via those,” she says.
While contractual agreements such as NDAs are good practice, Tumpey says they’re often “not worth the paper they’re written on”. If an ex-employee is found to have taken sensitive data to another employer, Tumpey advises some proactive and direct action.
“Write to the new employer and inform they have breached the constraints of the agreement if they accept the information and are therefor liable for damages,” she says.
“Businesses have got to have dedicated methods to deal with these situations, and should weigh up the cost of not just losing an employee, but the potential hit to your brand if clients become aware their information was lost via your business.”