Webinar: Confidentiality crisis how to respond … · Webinar: Confidentiality crisis – how to...
Transcript of Webinar: Confidentiality crisis how to respond … · Webinar: Confidentiality crisis – how to...
Webinar: Confidentiality crisis – how to
respond practically to an employee's theft
of confidential information
Jonathan Coley, Matt McDonald, Andrew Herring and James Robb
Agenda
1. Introduction
2. Case Study – crisis response
3. Responding to more complex issues
4. Risk management steps
5. The new Trade Secrets Directive
6. Q&A
Introduction
• In the digital age, confidential information can be sent worldwide in a
couple of clicks. If this information falls into the wrong hands it can
cause significant damage to an organisation’s reputation and future
plans.
• A recent study reported that 50% of employees who left or lost jobs
kept corporate confidential data. 40% plan to use it in new roles.
• On 20 November 2017, the Times reported that official figures
reveal a 25% rise in English High Court claims involving allegations
that employees have taken data without authorisation to help them
when changing jobs.
Case Study Background
• Background
a) You work for a manufacturing company called Iron Ltd, which has a
strong order book based on long-standing customer relationships.
b) An Iron Ltd board director comes to you to complain that the company
found out earlier that day that it lost a valuable contract for one of its
best customers, Gold Ltd, to a new entrant competitor.
c) The competitor company is called Rust Ltd, which has a parent
company in Italy.
d) Iron has not lost a contract opportunity to Rust Ltd before and this is
very unexpected.
e) Your board director informs you that a senior sales manager from Iron
Ltd called Mrs Wood recently handed in her resignation and is
currently working her notice.
f) It is believed that Mrs Wood has accepted a job offer from Rust Ltd.
Q. What do you do next?
Case Study Steps
Avoid knee-jerk reactions and act swiftly to protect Iron Ltd’s position,
keeping all options open at this initial stage:
1. Investigate the allegations
2. Consider the employment position of Mrs Wood
3. Consider the position of third parties (e.g. customer, competitor)
4. Consider other legal steps
Taking these points in turn…
(1) Investigation considerations
• Act Swiftly to protect Iron Ltd’s position and seek independent legal
advice.
a) Agree investigation objectives
b) Assemble an appropriate investigation team: internal and external
(investigation lead, HR, lawyers, IT forensics, etc)
c) Take steps to preserve legal professional privilege
d) Take steps to secure evidence lawfully
e) Consider Data Protection law issues in investigation
f) Consider the law of unintended consequences…
(1) Investigation considerations
• Key evidence: Mrs Wood’s IT usage:
a) Mrs Wood has a work issue laptop and mobile phone.
b) Mrs Wood has access to a personal user area.
c) Mrs Wood has unfettered access to customer information on shared
folders on Iron Ltd’s IT system, including for Gold Ltd.
• IT Forensic investigation:
a) Internal vs External IT support: pro’s and con’s
b) Instructing IT forensic experts under legal professional privilege
c) Preserve electronic evidence in an admissible manner
d) Clearly defined scope of IT forensic investigation (who, what, where,
how). Typically:
i. Emails
ii. USB sticks
iii. Cloud uploads (e.g. DropBox)
(1) Investigation considerations
• Witness interviews:
a) Identify potential witnesses
b) Conduct of interviews
c) Attendance notes of interviews – legal professional privilege
• Email Review:
a) Covert monitoring of employee IT use
b) Data Protection issues
c) Proportionate investigation – hints and tips
(2) Employment considerations
• What steps do you take in relation to the employee:
– Suspension?
– Garden leave?
– Give them enough rope…
• No “one size fits all” approach
(2) Employment considerations
Initial HR related enquiries
• Key evidence: Mrs Wood’s HR Records
a) Employment Contract
b) Employee Handbook
c) Employee Code of Conduct
d) Employee IT Policy – fair usage
e) IT training schedule
Q. What if you don’t have restrictive covenants in this situation?
(3) Third Party considerations
Initial commercial enquiries
• Identify the commercial risks, which may include:
a) What commercial opportunities is Mrs Wood working on?
b) Which customers did Mrs Wood work with – Gold Ltd and/or others?
c) What public information is available about Rust Ltd’s commercial
strategy as a new entrant?
• Start to formulate a public relations strategy in case of a worst case
scenario.
Case Study update
• Investigation initial findings:
a) Mrs Wood resigned on 1 November 2017 and is still within her 3 month
period of notice. She has worked for Iron Ltd for 5 years. Her departure
date is 1 February 2018.
b) Mrs Wood was aware of all company IT policies including covert
monitoring provisions. She had completed the latest company IT
compliance training.
c) Witnesses in the sales team confirm Mrs Wood had not worked on
Gold Ltd business for over 12 months prior to her resignation and had
no legitimate reason to access Gold Ltd information.
d) Witnesses also state Mrs Wood would always work her contracted
hours and leave the office at 5pm.
Case Study update
e) The IT forensic investigation has discovered covertly from central IT
systems (i.e. without needing to investigate her devices):
i. At 20:00 on 20 November 2017, Mrs Wood accessed the
dedicated Gold Ltd shared folder and downloaded specific
documents to her personal user area (pricing, customer contacts,
contract volumes, etc).
ii. At 20:10 on the same date she used a USB stick to
indiscriminately copy all files on her personal user area.
iii. Her mobile phone itemised statement shows evidence of phone
calls to Italian dial code numbers particularly between 15
November and 25 November 2017 potentially implicating Rust
Ltd’s parent company.
Confidential Information recap
• Express contractual duties of confidentiality – check employment
terms
• Implied contractual duties of confidentiality and fidelity
• Equitable duties of confidentiality: In Coco v A N Clark (Engineers) Ltd
[1968] FSR 415, Megarry J identified three elements as normally required if,
apart from contract, a case of breach of confidence is to succeed:
“First, the information itself … must ‘have the necessary quality of confidence
about it’. Secondly, that information must have been imparted in circumstances
importing an obligation of confidence. Thirdly, there must be an unauthorised
use of that information to the detriment of the party communicating it.”
What are your options?
• Recommended Steps:
a) Employment disciplinary process – an opportunity for Mrs
Wood to co-operate with the investigation and for Iron Ltd to
complete due process.
b) Giving the competitor, Rust Ltd, formal notice of Mrs Wood’s
relevant current and ongoing duties to Iron Ltd and third
parties.
c) Letter before Action to Mrs Wood and possibly Rust Ltd
(subject to outcomes of (a) and (b) above)
d) Injunctive Relief against Mrs Wood and possibly Rust Ltd
(subject to outcomes of (a), (b) and (c) above)
Taking these in turn…
Go down disciplinary route
Commercial RAG Analysis:
a) Delay could put potential injunction at risk (lack of urgency)
b) Further time required to conduct further investigations
c) Delays could cause further damage to Iron Ltd
d) No immediate resolution
e) Keeps all options open
f) Mrs Wood may refuse to engage, leading to adverse inferences
g) This step could uncover any credible innocent explanations
h) Could lead to a quicker successful outcome on acceptable terms
i) Facilitates more informed decisions / avoids premature conclusions
j) Better control, less rushed
k) Enables expert evidence to be presented most effectively
l) Gives the defendant the opportunity to co-operate
m)Potential to resolve matter without litigating
Legal Action phase
1. Letter before Action demanding delivery up / destruction of
confidential information and undertakings to protect Iron Ltd’s
commercial rights and interests.
Commercial RAG analysis:
a) Risk that the employee / competitor will not take matters seriously
without the commencement of litigation
b) Keeps all options open
c) Could lead to successful outcome on acceptable terms without need to
litigate
d) Leverage to get defendants to negotiating table
e) Greater control than immediately litigating
Q. Prospects of a successful outcome at this stage?
Legal Action phase
2. Injunctive relief against Mrs Wood and/or Rust Ltd
Commercial RAG analysis:
a) If Without Notice, risk that injunction is subsequently dismissed
b) Potential exposure to indemnify defendants under cross-undertaking in
damages
c) Questionable cost benefit depending on seriousness of alleged misuse
d) Risk of jumping to conclusions and taking this action prematurely
e) Most uncompromising option
f) Offers potentially the best protection
g) Provides maximum leverage to force negotiation
Legal Action phase
1. Injunction to enforce Mrs Woods’ existing duties of confidentiality
(and other duties if relevant) and restrain an anticipated misuse of
information that remains confidential. Terms may include:
a) Prohibit use of confidential information
b) Enforce post termination restrictions
c) Delivery up of confidential information and devices storing confidential
information for forensic investigation
d) Affidavit evidence about conduct relating to confidential information
Legal Action Phase
2. Injunction to cancel out any unfair competitive advantage gained
through misuse of confidential information. This is the so-called
‘Springboard’ injunction.
Vestergaard Frandsen A/S v Bestnet Europe Ltd [2009] EWHC 1456 (Ch),
Arnold J said:
“in the absence of specific discretionary reasons for the refusal of an injunction,
where the claimant has established that the defendant has acted in breach of
an equitable obligation of confidence and that there is a sufficient risk of
repetition, the claimant is generally entitled to an injunction save in exceptional
circumstances.”
More complex issues
Some potential issues to bear in mind:
1. Is the incident part of a wider commercial attack by the competitor?
2. Is the incident merely the ‘tip of the iceberg’?
3. How do you quantify damages for misuse of confidential
information?
4. Risks relating to covert monitoring of employee IT usage.
5. Risks of involving the Police.
6. Interaction between the Law of Confidence and Intellectual
Property Rights.
Risk Management Steps
Prevention is better than Cure
1. Audit your existing contractual documentation, employee
monitoring arrangements and employee induction and exit
procedures.
2. Training for your key staff on how to protect against theft and
misuse of confidential information, how to spot the early signs of a
potential infringement and what to do if one occurs.
3. Policies and practical procedures in place to ensure a rapid
response in the event of any suspicious activity.
• Directive (EU) 2016/943 – the “Trade Secrets Directive” (TSD)
• The TSD aims to harmonise trade secrets protection across the EU
and provide a ‘level playing field’ of rights and remedies
• TSD and its implementation:
– In force 5 July 2016
– 9 June 2018 deadline for EU member states to implement
– UK legislation implementing the Directive and reflecting its
principles by May 2018 (pre-Brexit)…or perhaps not?
• Obtaining EU-wide relief as a UK entity may present challenges
post-Brexit
The new Trade Secrets Directive
Highlight: a unified definition
• The TSD will introduce a unified definition of what constitutes a
protectable trade secret
• This definition is almost identical to that outlined in the TRIPS
Agreement, the US Defend Trade Secrets Act and other legislation
• Under the TSD, a trade secret is information which is:
– Secret in the sense that it is not, as a body or in the precise
configuration and assembly of its components, generally known
or readily accessible to persons within the circles who normally
deal with the kind of information in question;
– Of commercial value because of its secrecy; and
– Has been subject to reasonable steps by the person lawfully in
control of the information to keep it secret.
Highlight: unlawful acquisition
• The TSD introduces a new offence – unlawful acquisition:
– the acquisition of a trade secret without the consent of the trade
secret holder shall be considered unlawful, whenever carried out
by:
• unauthorised access to, appropriation of, or copying of any
documents, objects, materials, substances or electronic files,
lawfully under the control of the trade secret holder,
containing the trade secret or from which the trade secret can
be deduced;
• any other conduct which, under the circumstances, is
considered contrary to honest commercial practices
• How might this change Mrs Wood’s position in the case study?
Impact of the TSD
• Unclear if / how the TSD will be formally implemented in the UK and
how it will interface with the law of confidence, but harmonisation
across the EU and globally means consistency (in theory)
• Practically, consider whether you are taking “reasonable steps”:
– Identify trade secrets and confidential information
– Review all policies and procedures for capturing, protecting and
controlling confidential information:
• Document/data management and access restrictions
• Confidentiality trainings and on-boarding induction
• Employment agreement provisions around confidentiality
• Confidentiality agreements (incl. NDAs) and their usage
– the TSD specifically endorses and protects the use of
confidentiality agreements
Top learning points
• Act swiftly but carefully.
• Timely investigation.
• Choose your investigation team wisely.
• Understand and clarify your investigation and commercial objectives.
• Consideration and protection of the evidence.
• Consideration of legal privilege.
• Early consideration of potential recovery of losses.
• Consideration of publicity – internal and external.
• Continued business involvement in legal action is essential.
• Timing of legal action steps can be critically important.
• Policies review “fit for purpose”.
Questions & Answers
Partner
T: +44 121 335 2910
M: +44 7717 488 453
Associate
T: +44 121 335 2969
M: +44 7392 269 612
Senior Associate
T: +44 121 335 2985
M: +44 7585 996 162
Associate
T: +44 20 7054 2699
M: +44 7920 266 001
Pinsent Masons LLP is a limited liability partnership, registered in England and Wales (registered number: OC333653) authorised and regulated by the Solicitors Regulation Authority
and the appropriate jurisdictions in which it operates. The word 'partner', used in relation to the LLP, refers to a member or an employee or consultant of the LLP, or any firm of
equivalent standing. A list of the members of the LLP, and of those non-members who are designated as partners, is available for inspection at our registered office: 30 Crown Place,
London, EC2A 4ES, United Kingdom. © Pinsent Masons 2017.
For a full list of the jurisdictions where we operate, see www.pinsentmasons.com