In this blog post, we look at a recent decision by the UK Court of Appeal and a separate prosecution brought by the Information Commissioner’s Office (“ICO”; the UK data protection authority), which together serve as a cautionary tale for employees and prospective future employers of the risks of civil liability and criminal conviction for confidential information and data theft.

Clear contractual terms and policies, supplemented by training, remain critical tools for employers seeking to deter employees from misappropriating corporate information.  Employers may wish to make use of these examples to underscore the importance of compliance.

Equitable Duty of Confidence

Travel Counsellors Ltd v Trailfinders Ltd [2021] EWCA is an important case that explores the circumstances creating a duty on a new employer to protect confidential information belonging to the previous employer.  An equitable duty of confidence arises if a recipient of information knows or ought to have known that it is confidential.

Several employees left Trailfinders in order to engage with Travel Counsellors Ltd (“TCL”) as franchisees.   They were encouraged to bring customer contacts with them, and accordingly took various steps to access Trailfinders’ proprietary databases in order to compile relevant customer information that they might use for their own benefit, and for the benefit of TCL.

The High Court and the Court of Appeal found that TCL’s senior management would or should have been aware: (i) that the information provided by former Trailfinders employees was likely to have been copied from Trailfinders’ systems; and (ii) that Trailfinders would reasonably have regarded it as confidential.  Nevertheless, TCL did not ask for information about the source of the information, or the extent to which Trailfinders might have sought to protect it.  TCL therefore breached its equitable obligation of confidence to Trailfinders.

Importantly, the Court of Appeal held that knowledge/notice of confidentiality had to be assessed by reference to the actions of a reasonable person in the recipient’s position.  If that person would have made enquiries upon receipt of information that might be confidential, while the defendant recipient made none, an equitable obligation of confidence arises.  It is not always necessary to prove that the defendant recipient deliberately turned a blind eye — depending on the circumstances, the absence of reasonable enquiry may be sufficient to establish liability.  TCL was therefore liable for a breach of the equitable duty of confidence.

The individual employees concerned were also found to be in breach of their contracts of employment and of equitable obligations of confidence to Trailfinders in an earlier decision by the Intellectual Property Enterprise Court.

Unauthorized Access to Personal Data was an Offence under the Computer Misuse Act

The ICO recently published details of its prosecution of a motor industry employee who, during her employment, compiled and transferred road traffic accident data without the authorization of her employer.  The employee sold the personal data to an accident claims management firm which used it to make nuisance calls.

The employee was found to have committed offences under the Computer Misuse Act 1990, section 1 of which refers to causing a computer to perform a function with intent to secure access to any program or data held on that computer.

The employee has been sentenced to eight months of imprisonment, suspended for two years, and must also carry out 100 hours of unpaid work, contribute £1,000 in costs and repay a benefit figure of £25,000.  The director of the accident claims management firm which received the data received a similar sentence after pleading guilty to conspiracy to secure unauthorized access to computer data.

An employee who obtains, retains or discloses personal data without the consent of the data controller (which will often be their employer) may also commit a criminal offence under section 170 of the Data Protection Act 2018 (“DPA”).  Such action may also constitute a reportable data breach under the DPA and the UK General Data Protection Regulation.

The ICO has the power to take action to change the behavior of organizations and individuals that collect, use and keep personal information.  This includes criminal prosecution, non-criminal enforcement and audit.

The UK Supreme Court’s decision in 2020 in the case of Wm Morrison Supermarkets plc v Various Claimants [2020] UKSC 12 confirmed that that an employer cannot be held liable for actions of an employee who commits an illegal act in pursuance of their own independent venture that is unrelated to activities they are authorized to undertake on behalf of their employer.  While this decision will give some comfort to employers, companies nonetheless risk very significant revenue-based fines and claims for compensation by data subjects if personal data is not sufficiently protected by adequate safeguards.

 

Print:
EmailTweetLikeLinkedIn
Photo of Christopher Walter Christopher Walter

Christopher Walter works with employer clients on domestic and international HR-legal compliance and human rights projects. Mr. Walter co-chairs the firm’s International Employment practice, and serves as Managing Partner of the London office.

Mr. Walter’s advisory practice encompasses the full range of employment…

Christopher Walter works with employer clients on domestic and international HR-legal compliance and human rights projects. Mr. Walter co-chairs the firm’s International Employment practice, and serves as Managing Partner of the London office.

Mr. Walter’s advisory practice encompasses the full range of employment and employee benefits issues that matter to leading multinational employers, including the drafting of share and other incentive plans, global mobility, privacy compliance, employment issues in M&A transactions, outsourcing, workforce integration, and the implementation of core policies/codes of conduct, with a particular focus on business and human rights.

Mr. Walter began his legal career as a UK barrister, however, and also has considerable experience as an advocate before UK courts and tribunals, securing confidentiality injunctions and defending employers against claims of unfairness, discrimination and other alleged violations of employment laws.

.

Photo of Helena Milner-Smith Helena Milner-Smith

Helena Milner-Smith helps clients navigate international HR-legal compliance issues. Her practice includes implementing global employment contracts, policies and codes of business conduct, managing multi-country reviews and projects, advising on the employment aspects of large-scale corporate reorganisations, handling disciplinary and grievance matters and dismissals…

Helena Milner-Smith helps clients navigate international HR-legal compliance issues. Her practice includes implementing global employment contracts, policies and codes of business conduct, managing multi-country reviews and projects, advising on the employment aspects of large-scale corporate reorganisations, handling disciplinary and grievance matters and dismissals, and negotiating settlement agreements. She has successfully defended clients in the UK employment tribunal. Ms. Milner-Smith has also gained valuable in-house experience while on secondment at three large multinational corporations, including a pharmaceutical company.

Photo of Louise Freeman Louise Freeman

Louise Freeman focuses on complex commercial disputes, and co-chairs the firm’s Commercial Litigation Practice Group. Described by Legal 500 as “one of London’s most effective partners,” Ms. Freeman helps clients to navigate challenging situations in a range of industries, including financial markets, technology…

Louise Freeman focuses on complex commercial disputes, and co-chairs the firm’s Commercial Litigation Practice Group. Described by Legal 500 as “one of London’s most effective partners,” Ms. Freeman helps clients to navigate challenging situations in a range of industries, including financial markets, technology and life sciences. Most of her cases involve multiple parties and jurisdictions, where her strategic, dynamic advice is invaluable.

Photo of Dan Cooper Dan Cooper

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws…

Daniel Cooper heads up the firm’s growing Data Privacy and Cybersecurity practice in London, and counsels clients in the information technology, pharmaceutical research, sports and financial services industries, among others, on European and UK data protection, data retention and freedom of information laws, as well as associated information technology and e-commerce laws and regulations. Mr. Cooper also regularly counsels clients with respect to Internet-related liabilities under European and US laws. Mr. Cooper sits on the advisory boards of a number of privacy NGOs, privacy think tanks, and related bodies.

Photo of Mark Young Mark Young

Mark Young advises clients on data protection, cybersecurity and other tech regulatory matters. He has particular expertise in product counselling, GDPR regulatory investigations, and legislative advocacy. Mr. Young leads on EU cybersecurity regulatory matters, and helps to oversee our internet enforcement team.

He…

Mark Young advises clients on data protection, cybersecurity and other tech regulatory matters. He has particular expertise in product counselling, GDPR regulatory investigations, and legislative advocacy. Mr. Young leads on EU cybersecurity regulatory matters, and helps to oversee our internet enforcement team.

He has been recognized in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field.” Recent editions note that he is “deeply knowledgeable in the area of privacy and data protection,” “fast, thorough and responsive,” and has “great insight into the regulators.”

Mr. Young has over 15 years of experience advising global companies, particularly in the technology, health and pharmaceutical sectors, on all aspects of data protection and security. This includes providing practical guidance on analyzing and using personal data, transferring personal data across borders, and potential liability exposure. He specializes in advising in relation to new products and services, and providing strategic advice and advocacy on a range of EU law reform issues and references to the EU Court of Justice.

For cybersecurity matters, he counsels clients on practices to protect business-critical information and comply with national and sector-specific regulation, and on preparing for and responding to cyber-based attacks and internal threats to their networks and information. He has helped a range of organizations respond to cyber and data security incidents – including external data breaches and insider theft of trade secrets – through the stages of initial detection, containment, notification, recovery and remediation.

In the IP enforcement space, Mr. Young represents right owners in the sport, media, publishing, fashion and luxury goods industries, and helps coordinate a team of internet investigators that has nearly two decades of experience conducting global notice and takedown programs to combat internet piracy.