Michelle Ryan from Ronan Daly Jermyn, Cork, has highlighted data protection obligations and preventing theft of confidential information that will interest Legal-Island email subscribers:

Introduction

The emergence of cloud computing, schemes such “Bring Your Own Device to Work” and the ever increasing use of social media sites as part of business, has meant that the theft of confidential information in soft copy form has become a critical issue.

High capacity portable data storage devices, such as USB drives, have made it easy to copy large quantities of data from almost any computer.  The damage that can be caused to an organisation by data theft has resulted in recognition that the employment relationship must now be regulated to address these issues.

The theft of data can also result in a breach of an organisation’s data protection obligations, but a number of other legal issues also arise. While there exists an extensive regulatory framework in respect of data protection, the other issues must be regulated by contract between the parties as well as by any policies which an employer may have in place.

It is therefore important to consider the issues arising in this regard.

Preventing the theft of Confidential Information

The protection of confidential information involves putting appropriate contractual clauses in place in order to prevent the loss of confidential information to competitors.  It is important that obligations imposed on an employee, including any restrictive covenants, are reasonable.  For both employer and employee, concerns arise regarding loss of information.  For example, what will happen to an employee’s LinkedIn profile and contact list should they leave their employment with their employer?  If they were to download this contact list, would that amount to theft of confidential information?  On the other hand, the loss of such a list could be extremely detrimental to an employer.

Unless “social media” is mentioned as a specific category of confidential information in a confidentiality clause or non disclosure agreement, it may be difficult for an employer to assert a right over this.  Equally if there is nothing in an employee’s contract in relation to ownership of social media contacts, an employer has no right to take private passwords and login information without authorisation even where such passwords are stored on the employer’s IT systems.

Remedies

Both employers and employees ought to be aware of the legal issues associated with the theft of confidential information.

Where it is discovered that unauthorised downloading has occurred what then are the next steps?  Firstly, theft of confidential information amounts to computer fraud, which is defined as the manipulation of a data processing system without the consent of its owner to obtain information.

The Criminal Justice (Theft and Fraud Offences) Act 2001 sets out that:

“A person who dishonestly…operates or causes to be operated a computer within the state with the intention of making a gain for himself or another, or of causing a loss to another, is guilty of an offence.” 

An offence under the 2001 Act is an indictable offence, carrying a potential fine of an unspecified amount, or a maximum of 10 years imprisonment, or both.

Redress for data theft can also be sought through the civil courts in order to protect confidential information.  For example, where the employment contract contains a restrictive covenant, an employer may seek to enforce it by applying for injunctive relief to restrain an employee’s breach or threatened breach.  Similarly, an employer might seek to rely on a confidentiality clause in the contract of employment or the employer might argue that the former employee is using trade secrets learnt during the course of employment. Alternatively, the employer might seek to argue that the employee has interfered with intellectual property rights, such as copyright, design, trade marks or patents.

There has been an increase in the volume of litigation in relation to breaches of restrictive covenants and confidentiality provisions. Recent developments in Irish case law concerning the enforceability of restrictive covenants in employment contracts, intended to protect trade secrets and copyright, emphasises that a former employer may proceed against an ex-employee on the basis of a breach of director's duty, breach of the implied term of trust by use of trade secrets or breach of copyright.

It is of course necessary to examine what the Courts will deem to be “confidential information”. Faccenda Chicken Ltd v Fowler and others [1986] 1 All ER 617established that an ex-employee only has an implied duty of confidentiality with regard to certain categories of confidential information.

In this case, the Court of Appeal identified three categories of information:

1. Trade secrets or equivalent;
2. Mere confidential information (short of a trade secret); and
3. Employee’s general skill and knowledge or know how.

It was held that only the first category would remain protected following the termination of

employment. An ex-employee may therefore use confidential information acquired in the course of his previous employment, though not to the extent of memorizing or recording such information during the course of the employment for the purpose of such use afterward. In so far as knowledge gained in confidence has become part of the employee's general skill and knowledge and has necessarily remained in the employee’s head, he owes no duty after the termination of his employment to refrain from using it in another employment.

In Pulse Group Ltd and another v O'Reilly and another [2006] IEHC 50, in following the rationale in Faccenda Chicken Ltd, Clarke J noted at para. 3.4 that:

“[…] in summary, the law is clear. In the absence of an express term in a contract of employment the only enduring obligation on the part of an employee after his employment has ceased is one which precludes the employee from disclosing a trade secret.”

It is clear, therefore, that an employee is entitled to bring his general skill with him wherever he may go. It is only information that goes beyond general skill and knowledge which cannot be used against a former employer.

In the High Court judgment in Net Affinity Ltd v Conaghan, 2011 ELR 11, it was established that the employee had downloaded certain information from her company lap top the night before she handed in her notice. An injunction to prevent her breaching her duty of confidentiality to her former employer was granted.  The Court looked at what constitutes “confidential information” and held that it is not “confined to documentation of materials, but rather includes ‘know how’ and customer connections.”

In AIB v. Diamond & Ors (Unreported Clarke J High Court 14th of October 2011) there was no restrictive covenant in the contracts of employment. IT specialists for the employer had uncovered emails and attachments which some of the employees had taken from AIB. It was alleged that, on one date, a significant download of information from AIB’s server regarding 17 clients was made onto USB sticks. Furthermore, a document was prepared setting out in detail the status of each customer within relevant sections of AIB.

The Court granted an injunction restraining the use of confidential information, amongst other orders, in the following terms:

-Using confidential information to be defined with much greater precision in a schedule to be attached to the order with the terms of that schedule to be the subject of further submissions having regard to the analysis set out earlier in this judgment; and

-Returning confidential information by reference to the same or alternative schedule to be likewise the subject of further debate.

There has also been a recent High Court case, which was unusual in so far as it was taken by a former employee who was the subject of a non-compete clause.  In Octavio Hernandez v Vodafone Ireland Ltd, [2013] IEHC 70, the employee successfully applied for an interlocutory injunction to prohibit his former employer from restraining him commencing employment with its competitor.

This case is in line with the earlier Net Affinity judgment which suggests that the High Court is more inclined to allow an employer to rely on confidentiality and non solicitation restrictions than to prohibit a former employee from working in competition with his or her previous employer.  Employers should consider reviewing and updating the restrictive covenants in their contracts of employment to ensure that they have strong confidentiality and non solicitation provisions.

With regard to trade secrets, in Koger Inc.  v. O’Donnell (Unreported High Court (Feeney J.) 8th October 2010), the employer was a software company that sought an injunction against former employees who had set up a company and developed a similar product to that of Koger after leaving employment.

In relation to the claim that the defendants used trade secrets belonging to Koger, the Court stated:-

“The plaintiffs have failed to identify the use or misuse of any identifiable trade secrets. No claim is made that the defendants used or applied skill, expertise know-how and general knowledge gained during the course of their employment. Indeed, such a claim could not succeed. There is clear authority for the fact that protection cannot legitimately be claimed in respect of skill, expertise, know-how and general knowledge acquired by an employee as part of his job during the course of his employment, even though it might equip him as a competitor of his employer.”

The Court found that the breach of trade secrets claim was dependent on the employer showing that the former employees had an unauthorised copy of the product in question. Once a finding was made that this was not the case then the Court found that the claim for use of trade secrets failed.

Conclusion

It is clear that the theft of confidential information, through employees downloading data is a critical issue and needs to be addressed in policies and contacts going forward.

Furthermore, in addition to the problems caused by data theft, both employers and employees should be aware that computer fraud can also be committed by using a computer to access inappropriate websites, or in order to bully or harass other employees, both of which can result in prosecution.  Employers should be aware that there is also a possibility of them being held to be vicariously liable for their employee’s acts.

It is critical that these matters are properly addressed in the employment relationship and that appropriate preventative measures are put in place to prevent damage to a company’s property and also to prevent costly litigation.  The key here is prevention.  As we have seen above, where the theft of data occurs, it can result in technically challenging and costly investigations or litigation, at which point, the damage may already be done.