Hey cloud lawyer: Can I take my client list with me?
It's not like my boss painstakingly nurtured the contacts, right?
You spend months or years building up a client list for your employer. You nurture the relationship and build up personal ties with the client. When you leave the employer, naturally the client goes with you. And so does the client list, via a USB stick or Dropbox or your webmail account. If you don’t get all the details before you leave, you can simply log back in later and copy the rest.
Your former employer doesn’t have the relationship with the client anyway – it was personal to you – and business is business after all.
But wait. In doing so, you’ve possibly got yourself and your new employer in hot water. There are numerous measures preventing you doing this and, if any of this is done with your new employer’s encouragement or assistance, they could be liable too.
Client lists are, by their very nature, likely to contain personally identifiable information protected by the Data Protection Act. The employer must comply with the eight principles under the DPA including ensuring that the data is processed fairly and lawfully and is protected against accidental loss or destruction.
These obligations also apply to the outgoing employee. In May 2016, the Information Commissioner’s Office successfully prosecuted Mark Lloyd (his real name), an ex-employee of Acorn Waste Management Ltd in Shropshire, for emailing the details of 957 clients to his personal email address along with purchase history and commercially sensitive information prior to taking a role with a rival. In that particular case, the individual in question pleaded guilty and was fined £300, ordered to pay £405.98 costs and a £30 victim surcharge.
In fact, although this is a criminal offence, the sanction is currently only a fine, but the ICO is pushing for a change in the law so it can carry a jail sentence. Steve Eckersley, head of enforcement at the ICO, commented: “Employees need to be aware that documents containing personal data they have produced or worked on belong to their employer and are not theirs to take with them when they leave.”
This might make it look like an affordable crime for some, but if the former employer knows about it, a prosecution seems more likely. Naturally, if the former employee accesses financial information, then the Financial Conduct Authority may get involved – and it has powers to issue fines which are much higher than the ICO. The largest UK fine for a data breach was £3m against HSBC in 2009 and much higher fines are on the way under the new General Data Protection Regulation.
There is also the chance that the employer will take direct legal action against their former employees – and my colleagues at Wallace LLP have advised on both sides of the equation recently. If you are an employee considering copying a client or pricing list to Dropbox or taking it with you when parting ways with your employer, here are a couple of cautionary tales.
The first involved my employment law colleagues acting for the ex-employee. Mrs Smith (not her real name) was made redundant during maternity leave and believed she had been subjected to maternity/sex discrimination. Mrs Smith sent confidential information including client lists, business plans, work examples and other correspondence to her personal email account in order to support her appeal against the termination of her employment. She also emailed a small amount of this information to her friend, Mr Murphy (not his real name either) who worked with a third party in HR, to assist with her appeal.
Shortly after she submitted her appeal, Mrs Smith’s employer became aware of her actions and demanded she provide undertakings, surrender the information and pay damages and costs. Mrs Smith denied wrongdoing and refused to cooperate so her employer withheld her redundancy and notice payments and issued a claim in the High Court claiming damages, costs and account of profits for misuse of its confidential information, for Mrs Smith’s breach of her equitable duties of fidelity and confidence and for infringements of the employer’s database rights. They also applied for an injunction prohibiting Mrs Smith from using the confidential information and an order requiring her to disclose where she was keeping the info, what use she had made of it and, ultimately, to surrender it. It was at this point that Mrs Smith instructed my colleagues and she admitted what she had done. They negotiated a settlement for Mrs Smith which avoided her having to appear before the judge or having to pay the employer’s legal costs and negotiated the release of the payments due to her and the ability to refer to her work examples in return for her and Mr Murphy deleting the client list and other information. This was a good result for her and it could have been a lot worse as the courts regularly favour the employer in these circumstances.
In the second real scenario, my litigation colleagues were instructed on behalf of an employer. Mr Jones (again, not his real name) was a co-director and shareholder of a business. He resigned and was placed on garden leave. On leaving the business, he handed back his smartphone. It was immediately apparent that he had deleted all his text messages. The employer retrieved the messages using fairly standard methods and instructed my litigation colleagues.
These messages – along with other information gleaned from Mr Jones’ use of office IT – provided a treasure trove of incriminating evidence against him. The line of enquiry then showed that he had copied vast quantities of confidential information onto memory sticks before his departure, which amounted to a blueprint for a new business which he was about to set up with others who had been working for the business. The employer needed to act quickly without tipping off Mr Jones and the others. My colleagues obtained a search and seize order from the Court, resulting in them standing outside his house at 6.00am with the police and other investigators. Mr Jones had no choice but to let them in and they imaged all relevant devices and seized confidential information. Mr Jones was prevented from using the client list and the confidential information and his new business took longer to get off the ground as a result.
For senior employees, the employment contract will probably also prevent the employee from poaching the employer’s other staff and clients. Not all restrictions are valid – they mustn’t amount to a restraint of trade which will not be enforceable – but most properly drafted employment contracts will get the balance right.
What if there's no NDA in my contract?
Even if your employment contract is poorly drafted and doesn’t contain a confidentiality provision – or you haven’t signed one at all – there’s the general law of confidentiality. This is a broad principle of law which can prevent you being able to take unfair advantage of information you received in confidence while working for your employer. To be protected by the law of confidentiality, the information must be confidential in nature, meaning that it must have the "necessary quality of confidence" and it must be disclosed in circumstances importing an obligation of confidence. Unless there was a clear understanding that you would have rights to continue to use client lists, product specs and pricing after you leave, taking or copying these would all be caught.
Also, if the former employer fails to change passwords and the ex-employee logs back in to take the info, there could be a Computer Misuse Act violation. This Act makes denial-of-service attacks and the supply of hacking tools criminal offences. It also prohibits unauthorised access to any program or data held in any computer. If you log in to your former employer’s IT system, you could be liable to pay a fine and you could face up to two years in prison.
It’s likely that CMA actions will be combined with others. For example, in July last year Mr Skelton (his real name), an employee of Morrisons the supermarket chain, leaked staff salaries, bank details and National Insurance numbers of nearly 100,000 employees and tried to blame a co-worker. Apparently this cost Morrisons £2m to remedy. The Crown Prosecution Service prosecuted him successfully for fraud, securing unauthorised access to computer material and disclosing personal data. And while Mr Skelton didn’t have to cover the £2m, he was sentenced to eight years.
If the new employer is involved, they could become liable too. In the cases my colleagues deal with, the new employers are normally very quick to distance themselves from the actions of their new employees, leaving them to fight their own battles. There have been occasions where the new employer has sacked the new employee.
The lesson is: don’t take the client and pricing lists expecting to take advantage of your former employer without there being consequences. ®
Sponsored: Customer Identity and Access Management