The recent conviction of Mark Lloyd brings a clear warning to departing employees - taking customer lists to your new job could land you with a criminal record.
Mr Lloyd emailed the details of 957 of his employer's customers to his personal email address before starting a role with a rival company. The documents contained personal information including the contact details of clients, as well as purchase history and commercially sensitive information.
Sound familiar? Recruitment companies – whose lifeblood is often their client and candidate database - are regularly faced with this situation. Managing the insider threat is a common security concern for them. This recent enforcement action taken by the Information Commissioner's Office is a further sign (along with the advent of hefty fines) that the data regulator in the UK is flexing its muscles and getting tough.
In May 2016, Mr Lloyd pleaded guilty to unlawfully obtaining personal data under section 55 of the Data Protection Act 1998. His punishment may be modest in financial terms (a £300 fine and some costs) but he now has a criminal record which is likely to have major implications on his life and ability to find new work.
This is a step in the right direction when it comes to tackling the misappropriation of personal data. Recruitment companies should always ensure that their contracts of employment contain adequate safeguards, including specific provisions to protect the database and confidential information. Employers have always been able to obtain injunctions in the civil courts to get back confidential data and to protect customer relationships. However, this adds another string to their bow.
The message sent by the ICO in this case acts as an effective deterrent to recruitment consultants who might be contemplating stealing client and candidate lists before they leave. We now know that reporting an incident of this nature to the ICO may no longer go unanswered. There is an opportunity now to remind employees of their obligations and to train staff on the serious consequences that may follow data theft.