Data theft is a people issue

16 May 2008

Warren Wayne

A number of recent reports and surveys have rightly highlighted the previously unappreciated risk of data theft and competition by employees and contractors. Data is more likely to be stolen or corrupted by insiders, than to be affected by malware. In the UK, employee turnover typically runs at 15% to 20%, meaning that effective management of the risks is a constant process.

Assessing the risks

The best place to start is with an appropriate risk assessment, to identify which staff are most likely to pose a threat and the information or code that they are most likely to target.

In many cases, the greatest risks come from staff who can access information that is not commonly available, or may hold the deepest relationships with your customers. These may be employees, or contractors, often in a variety of countries.

It can be relatively simple to ensure that systems can log when and how data has been accessed, which is an invaluable tool when trying to build up a picture of what people have been up to and if litigation becomes necessary.

Taking recovery action

Any strategy to protect the company from data theft will need a legal component. It is important to make sure that the right wording is in place in the worker’s contracts, particularly those who pose the greatest risk. Software and computer use policies, as well as restrictive covenants are the backbone of effective documentation here. For any restriction to be valid, it must protect a “protectable interest” of the business. Interests recognised by the Courts are:

  • Confidential information.

  • Trade secrets

  • Trade connections with customers, suppliers and business partners

  • Connections with prospective customers.

  • Skills of the existing workforce.

These can be protected by contracts, as long as the protection is within what the Court sees as reasonable limits. Where these limits are is the issue that generates most debate in practice.

It is a common misconception that restrictive covenant clauses do not work or are not worth having. This reflects the fact that when action needs to be taken, the stakes are usually high, so each side will strongly argue its position. Arguing, however, is exactly what lawyers are expected to do.

In reality, these are simply opinions and the courts always look at the effect of the clauses on individual staff. One of the most common mistakes employers make is to simply paste into their contracts a clause that has been used before in another context. This is a tempting shortcut, especially for international staff, but can be a barrier to taking appropriate action.

Choice of legal representation has a bearing on the company’s approach: many strong cases are abandoned by employers, due to disproportionate concerns over smaller points. When more than one country is involved, central co-ordination of the business and legal response to data theft is crucial, particularly as the rules on jurisdiction can vary depending on whether the worker was an employee or a freelancer.

Code and programs

Code is also protected by copyright, as it is classified as a “literary work” under the Copyright, Designs and Patents Act 1988. While section 11 of the Act ensures that all code written by an employee will belong to the employer, code that is written by a contractor or an individual freelancer is not covered. This can often lead to ownership disputes over code or programs, which are difficult to resolve. The only safe way to deal with this issue for freelancers and contractors is to ensure that their contract terms include a valid assignment of rights, which can be enforced in the country where they carry out most of their work.

Similarly, information stored on a database has an additional layer of protection, due to the Copyright and Rights in Databases Regulations 1997. The advantage of action under these Regulations is that it is not necessary to show that the information was confidential for effective Court action to take place.

Key points


  • Risk assessment, combined with appropriately targeted documentation and technical measures are the cornerstone of effective protection.

  • Security measures and polices and contracts need to be kept under review.

  • If legal action is needed, remember that nuances argued over in legal correspondence are not as important as getting an expert view quickly and then being decisive about your strategy.

Warren Wayne is a partner in the International HR Services team at law firm Bird & Bird.