Posted on

If employees steal data, confidential information or trade secrets

What’s the problem?

A study found that more than half of employees steal confidential company information when they leave their employment. Data taken include customer email addresses and contact lists. Some of these may include personal data.

Employees can use stolen data to solicit clients or trade secrets to develop competing products or services. Some have tried to sell stolen data online for millions of dollars. Such conduct may harm the company’s reputation, trade connections and business interests. The company may also be deemed to be in breach of data protection legislation.

I’ve written about this issue elsewhere. Here’re further thoughts on it.

How to Prevent?

Confidentiality & Other Clauses

Insert robust confidentiality clauses in employment contracts. It should be drafted bespoke to your business context to ensure it covers the type of confidential data your business deals with. Note that there are legal nuances about the scope of such clauses which affect their enforceability.

Confidentiality clauses should be drafted alongside non-solicitation, garden leave, termination and forfeiture provisions to ensure they harmonize and work together to protect the company.

Data Management Policies

Develop & implement written policies on data management, security and access.

Ensure that such policies are read, briefed and explicitly acknowledged by all employees.

Access to, and admin control of, highly secret or sensitive data should be restricted to select categories of employees.

Personal email accounts, storage devices, cloud storage applications should be prohibited. Provide company-controlled storage devices and cloud storage solutions.

Just before an employee’s termination, their company devices should be immediately returned. If there is a suspected data breach, do not conduct your own checks on the device as you may accidentally overwrite evidential data. There may be subsequent allegations raised about the chain of custody of the evidence.

Instead, consider sending it to an external IT forensic expert to conduct the review. If there are internal skilled IT personnel who are able to conduct such a forensic investigation, ensure that this is done by such personnel with their every activity logged.

The forensic investigation should be able to reveal if data has been emailed, copied, transferred or deleted.

Some IT forensic service providers include:

https://www.infinityforensics.com/

https://www.trsforensics.com/

http://www.rp-ds.com/#!/our-services

https://www.rsm.global/singapore/service/advisory/digital-forensics-investigation

https://www.am-investigators.com/investigator-services/

https://private-investigator-singapore.com/digital-forensics-singapore/

Detection Measures

There are IT solutions which enable you to detect when large amounts of data have been transferred or copied out of any company device.

Set the company VPN or intranet network to disable access to commonly used cloud storage applications like Dropbox, Box and Google Drive.

For employees who have tendered their resignations and are serving out their notice period, consider conducting a spot check on their company devices and accounts while they are still employed with the company. Check their access to data on cloud or shared servers or drives for unusual activity. If necessary, place them on garden leave.

Post-Termination

A review of devices and accounts, suspension of accounts, and suspension of account-connected devices such as smartphones should be conducted on the last day of employment.

Legal & Practical Responses to Breach

Court Injunction Order

You will need to act fast in preparing the evidence and court papers to apply for an urgent interim injunction or court order to stop the ex-employee from further wrongful use or disclosure of the confidential data. (It is interim in the sense that it is temporary until the entire matter has been resolved.)

Other commonly sought orders in an interim injunction include:

  1. an order for the ex-employee to deliver up documents or materials containing the confidential information;
  2. an order for the ex-employee to deliver up devices which contain the confidential information for forensic examination;
  3. an order for the ex-employee to disclose how, where or to whom the confidential information has been used or disclosed.

Civil Claim

The aforementioned interim injunction is part of the main civil claim that a business can bring against its ex-employees.

In the main civil claim, the company may claim, in addition to a permanent injunction, for monetary damages or an account of the profits. An account of profits is an order to disclose the profits made by the defendant, and to pay to the claimant such amount, derived from the wrongful use of the confidential information.

As regards damages, the claimant may claim for:

  1. loss of profits which the claimant would have obtained if not for the breach;
  2. loss of chance to obtain some contract, tender, or benefit because of the breach;
  3. Wrotham Park damages: a fee which would have been paid for a hypothetical licence or sale of the confidential data (if such a hypothetical licence or sale is commercially realistic);
  4. the cost of recreating the confidential information using legitimate sources (if it is feasible).

Report to the Police

A breach of confidence per se may not amount to a criminal offence. However, if there is unauthorized access to computer systems, it may be criminal.

You may wish to report the matter to the police. The police may consider it a private civil matter. However, in some situations, especially where it concerns regulated industries like banking and finance, the police will take action. For example, in 2008, 7 ex-employees of Citibank stole customer data and left for rival bank UBS. They were charged under the Computer Misuse Act and banking customer secrecy provisions in the Banking Act.

PDPA Breach Notification

If personal data may have been taken, you will need to assess whether the data breach notification obligations in the Personal Data Protection Act 2012 are triggered. There are certain deadlines to such assessments and notifications. Broadly, the criteria for data breach notification is significant harm to affected individuals (based on class of personal data) or significant scale (500 or more individuals).

Business Recovery

Businesses would want to swiftly respond to data breaches by courting customers or employees who may have been poached, assuring remaining customers about their data, and patch any gaps in their data security or management processes.

Commonly Disputed Legal Issues

In legal disputes concerning these circumstances, the following legal issues are commonly fought between parties.

Whether confidentiality obligation applies

A confidentiality obligation may apply because of an express contract term or under the general law of equity.

If it is based on an express contract term, the issues which follow is the scope of the term and the interpretation of the wording.

If it is based on the general law of equity, the Singapore Court of Appeal in I-Admin (Singapore) Pte Ltd v Hong Ying Ting and others [2020] SGCA 32 has held that the court must first consider two prerequisites:

a.  whether the information in question has the necessary quality of confidence about it; and

b.  whether it was imparted in circumstances importing an obligation of confidence. An obligation of confidence will also be found where confidential information has been accessed or acquired without the plaintiff’s knowledge or consent.

It is upon the satisfaction of these prerequisites that an action for breach of confidence may be presumed.

The presumption can be displaced where, eg, the defendant came across the information by accident or was unaware of its confidential nature or believed that there is a strong public interest in disclosing it. The burden of proof is shifted to the defendant to prove that his conscience was unaffected.

Whether information is confidential

The legal framework to analyse whether data or information is confidential or trade secrets is broadly also based on (i) the wording of the contract term (if any); or (ii) general law’s categorization of types of information applied to the facts.

On (ii), the legal authority often cited is Faccenda Chicken Ltd v Fowler [1985] 1 All ER 724 (Ch). There, the English High Court classified 3 categories: (i) trivial information; (ii) confidential information which when internalized into the memory of an employee becomes part of his skill and knowledge; (iii) specific trade secrets so confidential that even if learnt by heart cannot be used by an employee after he has left the employment.

It is often held by courts that client information, client lists, pricing information, unique recipes, unique chemical formula, etc. are confidential.

Compilation of data into database based on information from the public domain may be deemed confidential (I-Admin).

Whether and to what extent duty of confidence applies to recipient

While an express contractual provision on confidentiality will not apply to a third party who receives the confidential information, e.g. the new employer of the employee who left the claimant, a third party recipient may be imposed with an obligation of confidence under general equitable principles.

This is significant because it would allow the claimant to also claim against the new or prospective employer.

The approach set out in I-Admin mentioned above would apply. The question thus is whether the information is confidential and the information was imparted in circumstances importing an obligation of confidentiality.

The issue is the knowledge the recipient has about whether the information is confidential and how the recipient received the information.

If indeed it would be obvious to any reasonable person that the information is confidential, the recipient may well be subject to the confidentiality obligation.

Interplay with non-solicit and non-compete restrictive covenants

It is often the case that employees will use the confidential data stolen to benefit themselves in a new business they begin or for a new employer.

As such, the claimant company will often also claim in breach of non-solicit of customers and/or non-compete clauses (if any).

The usual issues which then arise is whether those clauses are reasonable and thus enforceable. Or even if not, whether parts of such clauses can be severed to render the remainder enforceable.

Optimally, these clauses should have been well drafted from the outset, narrowly limited to protect only the legitimate interests of the employer, and customized to the specific employer’s context.

Posted on

Case: Sun Electric Power Pte Ltd v RCMA Asia Pte Ltd [2021] SGCA 60 – cash flow test for insolvency; directors liability for costs

Sun Electric Power Pte Ltd v RCMA Asia Pte Ltd (formerly known as Tong Teik Pte Ltd) [2021] SGCA 60

Supreme Court Case Summary | Judgment

Significance:

A. Directors’ conduct of appeal against company winding up

A company may appeal against a winding up order. Its directors may control the conduct of the appeal. However, the directors and/or shareholders may not use the company’s funds to pursue an unmeritorious appeal when these funds should be reserved for payment to the creditors. 2 general rules:

(1) directors and/or shareholders controlling the conduct of the appeal should pay costs incurred by the company in prosecuting the appeal out of their own pockets instead of using company funds. If the appeal succeeds, the directors and/or shareholders can reclaim from the company the funds that they had expended from their own pockets in prosecuting the appeal.

(2) the directors and/or shareholders controlling the conduct of the appeal should be personally responsible for the payment of any party and party costs awarded in favour of the respondent if the appeal fails.

B. Cash Flow Test for Insolvency

Previously, courts have applied both the cash flow test and the balance sheet test to assess if a company is insolvent.

The Court of Appeal held that the cash flow test is the only test under s 254(2)(c) of the Companies Act (now s 125(2)(c) of the Insolvency Restructuring and Dissolution Act) to determine whether a company is unable to pay its debts: at [65].

It assesses whether the company’s current assets exceed its current liabilities such that it is able to meet all debts as and when they fall due.

“Current assets” and “current liabilities” refer to assets which will be realisable and debts which will fall due within a 12-month timeframe.

Continue reading “Case: Sun Electric Power Pte Ltd v RCMA Asia Pte Ltd [2021] SGCA 60 – cash flow test for insolvency; directors liability for costs”

Posted on

Christie, Hamish Alexander v Tan Boon Kian [2021] SGHC 62 – bankrupt’s payments to family members clawed back – unfair preference and undervalue transactions

Christie, Hamish Alexander (as private trustee in bankruptcy of Tan Boon Kian) v Tan Boon Kian and others [2021] SGHC 62 

Significance: The bankrupt made certain cheque payments to his family members in the clawback period prior to his bankruptcy. The trustee in bankruptcy applied to claw back these payments for being unfair preference (as two of the family members were also creditors of the bankrupt) and undervalue transaction (this was essentially a gift to his daughter which she used to pay for expenses for her wedding, which cost a total of about S$135,000).  The statutory presumption of unfair preference was not found to have been rebutted. The court found that it would not be justified to not order a claw back for the gift to the daughter as it would otherwise be tantamount to the bankrupt’s creditors footing the bill of the daughter’s “lavish wedding”.

Posted on

Case: Okpabi v Royal Dutch Shell Plc [2021] UKSC 3 – suing foreign parent company for negligence

Significance: This case involves an interesting litigation strategy which has paid off up to this step in the proceeding.

Claimants in Nigeria sued the UK-domiciled parent company of a Nigerian-registered company for breach of common law duty of care on the basis that the parent exercised significant control over material aspects of the subsidiary’s operations and/or assumed responsibility for its operations, which allegedly failed to protect the appellants against the risk of foreseeable harm arising from its operations (oil spills).

UK Supreme Court granted the possibility of this claim and allowed the matter to proceed as a matter of jurisdiction.

Continue reading “Case: Okpabi v Royal Dutch Shell Plc [2021] UKSC 3 – suing foreign parent company for negligence”

Posted on

Whether Managing Director or CEO has legal power or authority to borrow money or give security

Blasco, Martinez Gemma v Ee Meng Yen Angela [2020] SGHC 247

Significance: Singapore High Court, per Kannan Ramesh J, held that a managing director or CEO (acting or otherwise) did not, as a general rule, have the power (implied actual authority or apparent / ostensible authority) to borrow money or give security on behalf of the company by reason of his position. This was a context-sensitive issue and regard should be had to all the circumstances of the case: at [38].

Continue reading “Whether Managing Director or CEO has legal power or authority to borrow money or give security”

Posted on

Jurong Aromatics Corp Pte Ltd v BP Singapore Pte Ltd [2018] SGHC 215 – Charges over receivables as security; contracts prohibiting assignment

In Jurong Aromatics Corp Pte Ltd (receivers and managers appointed) and others v BP Singapore Pte Ltd and another matter [2018] SGHC 215, the Singapore High Court considered the nature of charges and whether contractual clauses prohibiting assignments applied to prevent the charge from arising. The court also considered decrystallisation, estoppel, waiver, and whether insolvency set-off applied.

Continue reading “Jurong Aromatics Corp Pte Ltd v BP Singapore Pte Ltd [2018] SGHC 215 – Charges over receivables as security; contracts prohibiting assignment”

Posted on

Ma Hongjin v SCP Holdings Pte Ltd [2020] SGCA 106 – Doctrine of Consideration in Variation of Contracts Upheld

Singapore Law; Legal; Lawyer

Significance: five-person bench of the Singapore Court of Appeal refuses to abolish the doctrine and requirement of valid consideration for variation of contracts, while suggesting that contracting parties may expressly agree to dispense with the requirement for varying a particular contract.

Continue reading “Ma Hongjin v SCP Holdings Pte Ltd [2020] SGCA 106 – Doctrine of Consideration in Variation of Contracts Upheld”

Posted on

Retailer Insolvency and Rights of Goods Suppliers

It was reported that in the light of the liquidation of long-surviving departmental store Robinsons, goods suppliers have been experiencing issues with payments for sold consigned goods.

What has not been considered in these reports is that suppliers who consigned goods to Robinsons should consider if it is indeed a consignment at law and whether title or property of goods have passed to Robinsons, or if not then whether they can take back the goods.

Continue reading “Retailer Insolvency and Rights of Goods Suppliers”