The March 2020 Government announcement that employees should work from home in response to the COVID-19 pandemic markedly changed the working environment. In response, many employers hurriedly put in place arrangements to enable employees to work from home where possible, in order to save lives (and rightly so). However, in providing unfettered home access to confidential clients lists and other “crown jewels”, many employers have found themselves inadvertently exposed to an epidemic of other sorts; theft of confidential information and trade secrets by employees working from home.
Lawyers and forensic IT investigators have noted a significant and ongoing trend of increasing numbers of employees stealing confidential information and trade secrets whilst working from home. From my perspective, I believe this is driven by a combination of four key factors:
Firstly, there has been a notable change in employees’ expectations and feelings of entitlement. Many employees now want to be able to work when they want and how they want. If their role no longer suits them or does not provide the flexibility they have become accustomed to in the last 18 months, they will go elsewhere. But it is more than this. There is a feeling amongst some employees that somehow they are entitled to take clients lists, financial data and the like, because they have worked on this or helped develop a client relationship. In reality, the law is clear on this and that theft of confidential information may amount to gross misconduct and give rise to civil and criminal claims. One senior barrister recently told me he had never lost a case against a former employee who had stolen confidential information. Simply because they are not entitled to do it.
Secondly, the jobs market is buoyant and this is presenting employees with opportunities with competing businesses who may be keen to secure new client relationships and business. According to the Office for National Statistics, there were an estimated 953,000 job vacancies in May to July 2021, a record high, having grown by 290,000 compared with the previous quarter and 168,000 more than its pre-pandemic level (January to March 2020). Furthermore, growth in average total pay (including bonuses) was 8.8% and regular pay (excluding bonuses) was 7.4% in April to June 2021. So, employees armed with confidential information may find themselves highly sought after and may want to secure their employment with a competitor by unfairly using their former employer’s confidential information and property.
Thirdly, many employers simply have no IT processes and policies in place to prevent or identify confidential information or data breaches or set out the consequences for such conduct.
Fourthly, employees may feel safer sending their employer’s confidential information and trade secrets in the safety of their own home than in a formal office environment where there may be a greater sense of being watched.
As a minimum, employers should have in place comprehensive contracts of employment that protect confidential information, require employees to return confidential information on request and in any event on termination and require employees to comply with the IT security policy. The IT security policy should be signed by the employee and should include important prohibitions on things like sending information or documents to a personal email address or downloading it to a USB. The current most popular method of theft seems to be sending information to a personal email. This seems such an obvious and clear breach, but many employers simply do not prohibit this, or to communicate this is prohibited.
Companies that implement proper IT security measures are much better placed to respond to potential breaches. I have one client which has an IT system in place which immediately alerts IT in the event an email is sent to a personal email, or if information is downloaded to a USB. Other clients ensure the screen saver flags that expressly prohibits the unlawful downloading, misuse or retention of confidential information.
Ultimately, it can be costly and time consuming to deal with breaches of confidence and can require reporting to the Information Commissioner. Employers who have evaluated the risks and taken appropriate measures, will be much better placed to face this particular epidemic.