Data theft involves the stealing of personal information belonging to another person, firm or organisation and it is deemed to be a crime.
In the UK, the Data Protection Act of 1998 prohibits the unlawful obtaining of personal data without the consent of the data controller except where the person can show that it was for the detection or prevention of crime, or that the information is required under the law or by the court.
Sadly this does not stop employees stealing data from businesses, particularly when those employees are leaving.
Why Do Employees Steal Data?
With the onset of recession, the rate of employee migration increased and it is now common to find employees taking company confidential information along with them and offering it to new employers or setting up businesses in competition. The potential monetary gain involved is a major impetus for this trend. The sale of stolen data is also a lucrative trade in itself.
In addition, many employees view files and transactions they have worked on as their own and do not believe that by taking them away they are committing offences. According to a survey by Prefix IT, 30% of employees are of the opinion that sales leads and businesses belong to them.
Data Theft is Easy
Technological advancement and the ease of transferring information expose businesses to data theft.
With cloud storage and mobile devices, employees can keep personal copies of company information even more easily. This is particularly the case in companies where downloads of data are not tracked and there are no appropriate security controls in place to check them.
Most businesses only become aware of the theft when the data is eventually used by an unauthorised party. By this time, huge losses may have been incurred and the subsequent prosecution of such persons might not redeem the loss suffered.
How Can the Data Protection Act Help?
The Data Protection Act only provides for the payment of fines on summary conviction where a breach occurs, but this might be insufficient to repair the damage suffered.
Although an injunction may also be obtained to restrain the person from using the information and compelling its return to the employer, obtaining an injunction is a complex process which consumes time. In addition, the employer must also take steps to recover the information once the loss is discovered in order to mitigate loss.
A claim for damages could compensate the employer, but actual loss suffered must be proved which is often difficult to assess and the quantum of damages awarded by the court is discretionary.
Although the Data Protection Act purports to provide some protection, it is clear that prevention is better than cure.
Protecting Your Data
In view of limited legal protection, companies should implement policies on data protection and the provisions of which should be incorporated into employment contracts in order to simplify the prosecution of employees.
Active compliance with data protection rules should also be ensured by employers through frequent training and continual enforcement in order to reduce the risks from data theft.
For specialist advice contact Peter Gourri today by email PGourri@rollingsons.co.uk or telephone 0207 611 4848.
No comments:
Post a Comment