Euan McMahon, Managing Associate
Mishcon de Reya
Welcome everyone to our latest Dispute Nightmare scenario Flash Webinar. The subject of this edition is “What to do you discovered that a senior employee had stolen your confidential information to take to a competitor?” I’m Euan McMahon, I’m a Managing Associate in Mishcon’s Fraud and Dispute Resolution Team and I’ll introduce the other speakers very shortly but first I’ll just sketch out our nightmare scenario. So, you operate a business that has a lot of very valuable intellectual property and confidential information and a senior employee has just handed in their notice. They are currently on gardening leave and you receive an automated notification while they are on gardening leave that, from your document management system, that the employee has attempted to access various files that they’re not authorised to view and so this obviously prompts a check of their activity and it reveals that they appear to have downloaded significant amounts of confidential information in the last few weeks and there is no clear business reason for them having done so. So your obvious concern is that the employee intends to take that confidential information to a competitor. Here to discuss this with me is Martin Boyle. Martin is formerly, was formerly at Slaughter and May but he has been with Ocado for about six years now, previously as a Head of Employment and Disputes and is currently Interim Deputy General Counsel. And also with me is Sharon Tan who is a Partner in Mishcon’s Employment team and advises on all aspects of contentious and non-contentious employment law. Just before we kick off, I’ll just say if you’d like to as a question, please put them in the chat and if we have time at the end, we will answer some. So, Martin, this scenario won’t sound entirely unfamiliar to you. Obviously, it’s, it’s pretty closely based on real events that have happened to Ocado and that we dealt with together. In a situation like this, from a business’s perspective, what are your first steps going to be?
Martin Boyle, Interim General Counsel
Ocado
Thanks Euan and yes, I think the title of the, the series, ‘Nightmare Scenarios’ is pretty accurate because this is, it was a bit of a nightmare scenario. So for us, the initial kind of steps were you know upon being notified that this had happened, you know is to, first of all have the initial conversations that you need to have with the necessary senior leaders across the business to make them aware that this has happened. That is in large part to make sure that you are wrapping your arms around this and making sure that it is legal, is the function that is leading on any potential investigation and you know, the obvious reasons for that, you know, will be because we need to control, you know where the investigation goes, what the potential outcomes are, but also to make sure that we’re protecting and utilising privilege as much as possible in any of the, any of the documentation that’s generated. You know, what those conversations are and who those senior leaders will be, will very much depend upon the nature of the circumstances so, but you’ll also have to engage with other individuals and again, it’s very much dependent on the situation, it’s not possible to have a fully worked out playbook for these scenarios, so you may have to engage with the individual’s direct line managers, you may have to deal with some elements of their team, you’ll have to engage with your IT function so, you know, you very quickly have to understand who is likely you are going, who is likely to be involved in creating almost like a mini working group to help you conduct the investigation. And you know what you want to think about up front as well is around you know confidentiality and risks of leaks, so using things like project for code names for the investigation itself and/or for individuals who may be the subject of the investigation. But what you’re first of all doing really, once you’ve done those kind of high level you know points, is to look at what information is it that you know you’re, you’re looking at, what areas of the business does the employee work in, who they work with, what information have they taken and who, and what do they have access to, that’s probably the most critical point because you very quickly want to understand what’s the scale of the risk the organisation is looking at, are you looking at a potential regulatory issue, is there data, is there personal data involved, is there going to be an ICO report that needs to be made, you know, there’s all, you really need to get to that really quickly. So, looking at the value of that as well and how important it is to the business, what’s the commercial impact of it. And then…
Euan McMahon, Managing Associate
Mishcon de Reya
Oh sorry, go ahead.
Martin Boyle, Interim General Counsel
Ocado
I was just going to say and then I, then trying to understand what use they might be making of it, you know are they going to take, have they taken it for a specific purpose, you know, you know, most likely it will be to use, to use with a potential competitor in the future but you can’t just, you know as some people who will be familiar with some, some other cases where you can have rogue actors who are acting for malicious purposes as well, so, and you also need to understand who else is involved potentially outside of the business, what’s the, what’s the network of the individual involved. So, there’s a lot to get, to gather in a short period of time.
Euan McMahon, Managing Associate
Mishcon de Reya
Yeah, absolutely and I think answering those kind of key questions as quickly as possible is going to be, is going to be vital and, as you said, I think it can be, the difficulty of doing that can be kind of compounded if you don’t really know exactly where that employee may sit within the business or who they have connections with, who their team is, who their friends are, all of that can make the answering those questions quite tricky.
Martin Boyle, Interim General Counsel
Ocado
Yeah, and you have to tread quite carefully with, again, you know one of the biggest mistakes you could make is blunder in to having conversations with people and you don’t actually know what relationships there may be and so you have to, you know do have to have, take a lot of care in the conversations and try to ascertain as much information as possible at senior levels first, where there’s a higher, potentially, degree of knowledge and trust with, you know, the individuals who you may be speaking to, to try and understand what the, what the lay of the land is really that you’re stepping into because as you say, you know, in big organisations, you may never have really engaged with this particular team or this particular area of the business before and you have to get up to speed on it on what they do very quickly.
Euan McMahon, Managing Associate
Mishcon de Reya
Yeah. And just in terms of you’re having those conversations, you’re trying to answer those questions, what sort of things are you doing in terms of gathering and securing evidence, as in kind of documentary evidence?
Martin Boyle, Interim General Counsel
Ocado
Yeah, so, it’s pretty standard stuff that you would expect, it’s suspending any deletion policies, any automatic deletion policies that may be relevant for some of the data sources that you might be looking for. You’ll be looking at identifying where, where is the potential sources of evidence, so things like you know automatic backups of devices, can you obtain backups if, or can you do a remote backup if possible? You’re looking at things like the, you know, what’s on the employee’s laptop, they’re taking a, a you know a dial up potentially of their mailbox and ideally, trying to get a backup of their phone, if possible. However, and we’ll come to this later, depending on what is the primary concern for you know business at the time, you need to be careful of really understanding before you do some of these things, if you may be tipping the individual off to the fact that you’re carrying out the investigation, which I know we’ll, we’ll come to. But the one thing I would say, just as a practical point and it may be different in different organisations but, some of what you are undertaking can be very technical and very time-consuming so starting early, you, you will need to look, you know form a, a very close relationship with your, a reliable and trusted member of your IT team who can guide you through some of the, the fairly basic questions that you’ll have to ask in terms of understanding, you know, what’s actually happened, you know, and the thing is that my one tip on this is that, you know, there are no, you know, stupid questions on this because, you know, you really in my view whenever I was leading on this investigation, you’re stepping into very technical systems that you just don’t know what you don’t know and so you have to ask loads and loads of questions to really understand how it works, both to be able to translate it for external counsel or potentially to a judge at some point but also, so that you don’t necessarily miss making a connection or miss a potential avenue of further investigation that, so asking lots of really basic and obvious questions and working with somebody in IT could be really, can be really critical. And, and also just finally, on the timings point, not only does it take time to get up to speed but finally, the, it can take because of the size of some of the data sets that you might be downloading, it can actually take quite a long time to get a hold of, you know, lots of mailboxes and lots of you know, people’s you know storage, drives and things like that so, the earlier you can get on that, the better.
Euan McMahon, Managing Associate
Mishcon de Reya
Yeah, absolutely, and as we know, in our particular case, it ended up taking a surprising I think amount of time for both of us to kind of get a hold of this kind of stuff, I mean we’re talking about you know mailboxes with potentially millions of items in them. So, let’s say we’ve done that now, we’ve, we’ve set up the kind of the investigatory team and we’ve secured the evidence and perhaps we’ve started looking through it. Sharon, from your perspective, what would you be doing next in terms of further investigation?
Sharon Tan, Partner
Mishcon de Reya
Thanks, Euan. Thanks, Martin. Having carried out that initial investigation that Martin has outlined, you might discover or you might in fact have reason to suspect that the resignation of this senior employee and the attempted theft of your confidential information is actually only the tip of the iceberg. What you often find in this situation is that a competitor has actually tried to recruit and entire team of your key employees and the question then becomes, what do you do if you find that actually this looks like part of a larger plan to ransack your business, what, what’s the next practical step? In that situation, really the first order of business is to find out how far and how wide the attempted raid extends because you’re going to need to identify the potential flight risks, so that you can steps to secure key talent, if that’s what you need to do and you might also find that you need to secure critical client relationships. But as a practical matter, one of the first things you really want to do is to identify, as Martin says, who the departing employee has been working with, primarily working with, who they’re close to, because you’re going to want to talk to those people fairly quickly, you’re going to want to get them into a room so that you can ascertain whether they themselves have been approached, you’re going to want to take the opportunity to remind them of any continuing obligations that they owe to you, fidelity, loyalty, they might have post-termination restrictions that you want to talk about if you think they are on the cusp of leaving, and crucially, you are also going to want to find out what on earth has happened to your confidential information, what’s got, you know, what’s been taken and where has it gone and you’re also going to want to find out the identity of any third parties into whose hands that confidential information might have fallen. And then really, the next practical thing for you to think about in, in, in real terms is what you do about what you’ve uncovered and obviously that will depend on what you find when you talk to people but you might want to be thinking about things like retention bonuses, do you need to think about incentivising people to stay to stabilise the business and really to lock down both the confidential information and the people that you need to protect things going forward.
One other practical point just to think about is that in our scenario, the individual who downloaded a lot of the information was on garden leave already and you know, quite frankly, if somebody is on garden leave they’ve got no good reason to have continuing access to your systems and so to some degree it’s a step that you might want to think about fairly promptly in all cases if you are putting people on garden leave but if you haven’t already done that, you would probably want to think about cutting off access to the system to make sure that you at least limit the size and scale of the problem that you’re dealing with.
So, if having spoken to all of these people you think that some of your employees might have acted in breach of their contractual obligations or if you think that they might be intending to, whether that’s you know confidentiality obligations and making sure that they keep your confidential information secure or whether you think that they’re at risk of starting work for a competitor in breach of non-compete, then in those circumstances the next thing you probably want to be doing is to write to them to remind them of the contractual obligations they are subject to and you would also ask them for a series of undertakings. And those undertakings are generally designed both to flush out any misbehaviour that’s occurred already so that you can get to grips with what’s actually happened and you’re also seeking to extract a commitment from them to make sure that they’re going to adhere to those obligations in future. The other part of the puzzle is of course to look at the competitor who you think has been raiding your business or trying to so, you will also want to be writing to them to let them know that you know what they’ve been up to, to make sure that they’re fixed with knowledge of any contractual obligations that your employers are subject to and really to request undertakings from them too, which are again designed to try to identify any wrongdoing that’s happened so far and also really to put them under pressure to confirm that they’re not going to do anything unlawful in future such as hire a bunch of your employees in breach of a non-compete. And the hope of course is that whenever they receive those letters, they’ll see the error of their ways and will return any confidential information and agree not to hire anybody in breach of any non-competes but you know, they might not do so and if they don’t, you might need to consider whether action is necessary such as seeking an injunction to secure compliance.
Euan McMahon, Managing Associate
Mishcon de Reya
Yeah, I think, I think, definitely, if your investigation reveals that a team move is on the horizon and that’s the business’s primary concern that is, you know, that that is the issue then that’s certainly, obviously, that’s the route that you want to go down or we might call a kind of I suppose on notice route, in other words letting the employee know fairly soon about what you know. There is a kind of alternative route if the primary concern and having done your investigation is that it’s, it’s the confidential information is your concern, you know it’s very valuable, there’s perhaps there’s a risk that the employee will seek to delete or conceal the incriminating evidence. In that kind of situation then you’re probably going to want to take a slightly different attack to the way that you approach things in that you, you’re not going to want to let the employee know that they’re under suspicion while you’re carrying out the investigation. The obvious reason being that they may well start taking steps to hide their tracks or delete evidence and in those kind of situations the investigation needs to be carried out quite carefully because there’s a number of ways, as Martin alluded to before, that an employee might be alerted or tipped off. The most obvious one is obviously if you send a notice of disciplinary or suspension, something like that, so you’re going to want to hold off doing that for the time being but there are obvious, there are less obvious avenues so, leaks from inside the business, again Martin you mentioned that, that’s a kind of key one, employees have connections, they have friendships and you may well not know who they’re close to, who they speak to and there may be co-conspirators as well and may be other people involved in taking this confidential information so I do think, Martin, echoing your point, picking the team carefully, keeping it narrow and making sure that they know as well that the investigation is strictly confidential and not to be discussed, keeping a lock on it, is absolutely essential in this kind of situation just to make sure that they’re not, the employee isn’t alerted.
And then the, the other potential way of it might be brought to the employee’s attention is kind of other unusual activity. Sharon, you mentioned disabling the employee’s access to when they’re on gardening leaving. Obviously this should have been done probably automatically but at this stage having found out that they are accessing confidential information or they’re trying to, it might be prudent to hold off suspending their access, if only for a little bit, if the risk is that it might tip them off that they’re under suspicion so, yeah, as I say, you just, the investigation needs to be kind of handled quite carefully and with some kind of secrecy and really the reason for the secrecy is that you preserve the utility of certain orders that the court can make. So just running through a few that might be suitable in this scenario, you can get delivery up order, so an order requiring an employee to hand over confidential material within a set period and sometimes that is elevated to a doorstep delivery up, where the order is served on the person at their premises and they need to hand over the information immediately there and then. Going up the scale of severity, you can obtain an imaging order so, an order, that’s an order for the employee’s personal electronic devices, so things like their personal phones and laptops but also things like their personal email accounts, WhatsApp and other messaging services, you know, all electronic data devices are copied and provided they’ve not been tipped off, the first the employee knows about it is when they are served with the order so it’s incredibly effective at preserving evidence and ensuring that it can’t be destroyed or tampered with as long as the employee isn’t forewarned. And then just kind of at the top end of severity, you have a full blown search order which is literally a kind of a physical inspection of an employee’s premises, literally going kind of room to room collecting, going through documentation and collecting anything that’s relevant or incriminating and quite often you can combine them so, you know, you will have a search, a search imaging and perhaps delivery up order kind of all at once. So, they’re, they’re powerful and they’re intrusive orders and they come with stringent requirements but in the right case they are really, really effective. Obviously, as you know Martin in our case that’s what we ended up doing, we ended up getting search order, imaging order and delivery up against both the employee but also the competitor company and ended up raiding their business premises and retrieved you know large amounts of confidential information and incriminating evidence. So those are kind of the two, two kind of potential avenues and the root that you take I think is really just going to depend on what you find as a result of your initial investigation and what the priority for the business is.
So, let’s say that you proceeded down one of these routes, presumably then Sharon, a disciplinary will come next to kind clean house? How would you go about it and any major pitfalls to avoid?
Sharon Tan, Partner
Mishcon de Reya
Actually, disciplinary action is something that people do ask about a lot in this sort of situation and you know, where appropriate you should obviously take, undertaken promptly in a fair manner, you know in the usual way with people understanding the allegations against them and the evidence and so on and so forth. It’s important of course that you do that to make sure that you avoid any allegations of unfair dismissal if that’s ultimately where you end up, as you might well. But the reality is that in a fast moving situation such as this one, your primary focus is likely to be on securing your confidential information as you said and protecting the business and so really, disciplinary action is something that tends to be a little bit more for the medium term, more the secondary concern and something that you deal with a little bit further down the line. The immediate thing that you’re probably want, going to want to have in your radar is whether a suspension, which I think you alluded to earlier Euan, is something you need to think about just to take somebody out of circulation and to isolate them from the business for a little while, while you take a look at things, assuming of course that you’re not looking for a without notice course but I think the one thing just to remember there is that suspension shouldn’t be a kneejerk reaction, it’s not regarded as a neutral act as it were in the employment world and it should only really be used where necessary and kept as short as possible. That does bring me onto another thing that is actually very important to bear in mind whenever you are dealing with this sort of thing and it is just to make sure that you don’t give your employees grounds to claim that the way that you have gone about handling matters is, is such that you’ve given in effect to what lawyers would call a repudiatory breach of their employment contract, in other words a fundamental breach that goes to the root of the contract, so you need to be very, quite careful not to be too heavy-handed in the way that you engage with them, if indeed you are going to engage with them, in interviewing them and asking them questions and all of the rest of it because if you do, you could find that you’ve effectively given them the opportunity to walk away immediately from the employment contract and also from any post-termination, post-termination restrictions that might otherwise have been engaged on termination and so you’re effectively giving them a free pass to walk into the arms of a competitor as it were.
But picking up again this point about disciplinary action, one thing that you might want to have in mind too is the range of potential sanctions that might be available to you and depending really on how egregious the behaviour has been and you can quite easily see how it could be fairly egregious in this kind of situation if someone is guilty as charged then you might want to look at whether a clawback is something that you might be able to use. Oftentimes you will find that in bonus schemes, incentive arrangements and all of the rest of it and with a highly paid senior individual in particular it can be a very effective tool or a weapon in your armoury that you want to have a think about.
Euan McMahon, Managing Associate
Mishcon de Reya
Yeah, I think you’d agree with that Martin, given that we found it was a useful tool in the armoury.
Martin Boyle, Interim General Counsel
Ocado
It was and you know it is, I think it’s something that you know in, in a lot of situations isn’t necessarily the first thing your mind goes to but actually if you’re looking at individuals and you’re trying to exert some pressure then it can be a very effective tool and in our case in particular we did clawback bonuses over the course of and shares that had invested over the course of the previous two or three years of his employment so, it was a very effective tool and definitely one I think you should bear in mind.
Euan McMahon, Managing Associate
Mishcon de Reya
Yeah, absolutely. So, just very, very quickly we’ve been talking about a kind of data theft that has already taken place but I think it’s probably worth just briefly touching on what safeguards and other measures can be put in place to prepare yourself for that eventuality. Perhaps we can just kind of give a pointer or two from our experience. Martin, do you want to kick off?
Martin Boyle, Interim General Counsel
Ocado
Yeah, so for, for me I think the key things for me just in practical terms I suppose to necessarily thinking about it from a legal perspective is around making sure you understand how your IT systems work, you know understanding what the IT infrastructure is and understanding is it the case that you know it’s appropriate, is there a sufficiency of guards built in that would, would almost flag to you that this type of activity is potentially happening within your organisation. Now, it’s the kind of thing that you know there’s a always a balancing act between you know doing it in such a way that hinders people’s ability to go about their day-to-day jobs but at the same time you can do it in a way that’s light touch enough that gives you the flags needed to know that somebody is doing something they otherwise shouldn’t be doing. So you’re looking at those red flags being things like you know, you know have people exceeded normal download limits or have they tried to access documentation that they otherwise shouldn’t have? You’ll be looking at things like are there, you know, flags in terms of has somebody tried to you know put in, inserting USB device into one of our IT systems, those are all kind of the standard things you would expect if somebody is trying to take information out of your systems. They’d be looking at those so, you really want to make sure that you know and a lot of you know people will be listening that these things will be in place but you kind of want to know that those are there to give you, you know, yourself that reassurance that you know you’ve at least got those systems in place to flag an issue so that you can look into it.
Euan McMahon, Managing Associate
Mishcon de Reya
Yeah, I think, I think that’s right. Ultimately, you know, you’re going to need to give your employees enough free rein so that they can do their, their jobs properly but just, you know, it might not be a question of kind of limiting their access but certainly things like logs are incredibly useful so often you know you can get most modern devices and, and document management systems have file logs, you know they will record when people access things or when they print them. Making sure those are switched on, knowing what’s being logged, how long it’s kept for and where the information is stored is incredibly useful, you know it’s, it’s music to my ears when a client comes to me with that information because one, can really quickly work out what’s, what’s being going on and two, it’s just great evidence that if you do need to get an order of the sort that we’ve talked about, it’s all there, you know you can present it to the court and it’s very, very compelling and you’ll usually get your order off the back of it.
Just, very, very quickly, just in terms of monitoring employees more generally, Sharon, is there anything to be cautious of there?
Sharon Tan, Partner
Mishcon de Reya
Erm, yes, I mean you clearly ought to be making sure that you’ve got your house in order in terms of documents and advance notice and everything else. You should make it clear in your employee handbook and then any other employment documents that those who use your IT systems don’t have any expectation of privacy and that you know frankly anything that you send, they choose to send across your systems, you might have sight of and that you might both monitor by communications and also monitor the data at any time.
Martin Boyle, Interim General Counsel
Ocado
Yeah and just to add to that Sharon, that point for the very beginning of the investigation, if you are going to be accessing large amounts or any really personal data of the individual, so for example I’ve downloaded their mailbox that you think about carrying out a data privacy impact assessment so upfront so that you are protecting the, you know the integrity of the investigation from future challenges on multiple grounds so that you can ensure that you turned your mind to this as an organisation right at the beginning.
Sharon Tan, Partner
Mishcon de Reya
Yeah, really good point, I entirely agree with that. And just picking up again if I may on the point of documentation, I am sure you would expect me to say that you know clearly the other thing that you need to do and get right is to make sure that your employment contracts are as robust as possible and you want to make sure that you’ve got great confidentiality provisions in place and that the restrictive covenants that you have are appropriately tailored so that you’ve got the best prospects of enforceability in the event that you do need to go and try and get an injunction to stop somebody from going to a competitor and walking off with the crown jewels of your business and all of your confidential information. The worst kind of scenario is when you kind of realise after the event that you’ve got in hand nothing other than an unenforceable non-compete that, that’s fairly worthless.
Martin Boyle, Interim General Counsel
Ocado
Yeah and I think likewise the other thing to be aware of is around similarly to pick up on the clawback point that you’ve got, you know adequate provisions in the rules of the various bonus plans or schemes or share schemes that you’ve got to ensure that you’ve got that flexibility to either suspend or clawback payments and then, and on that note another practical point is just to make sure that you are mindful of your benefits and benefits teams kind of investing schedules, when do bonuses become payable, when are shares vesting so that you can understand you know especially in circumstances where you know, either scenario whether it’s a team move or not that you are understanding what’s, what’s potentially going out to the individual or individuals in terms of bonusses or vesting of shares.
Euan McMahon, Managing Associate
Mishcon de Reya
Yeah, absolutely. And just, just finally then, the other thing is that disputes can often lead to adverse publicity. Sharon, anything that you can do to get ahead of that or to plan for that?
Sharon Tan, Partner
Mishcon de Reya
Yes, I mean Martin mentioned I think the, the kind of the good practical step of making sure that you use code names and protect confidentiality from the get-go if you are creating records and so on that might end up in courts and it’s, it’s most likely only to be relevant in terms of PR and adverse publicity I suppose if you do end up in litigation or if you think there’s going to be a leak for nefarious reasons or otherwise but in that scenario it would make sense to have a PR firm lined up potentially or at the very least, some reactive statements ready and drafted so that you’re not caught on the hop and so that you’re best placed to really manage any potential reputation 29.13.
Martin Boyle, Interim General Counsel
Ocado
Yeah. And I would add to that that I would say your internal PR if you have it, is one of the, somebody you want to bring into the fold pretty early on so that they are aware of what’s happening and can react to a leak if necessary. But then the other point is, the, have a think about if it does get out into the public domain, you know you’re going to have queries coming in, not just maybe from the general public but also from investors so making sure your investor relations team is made aware of what’s happening so that they can field those queries is really important as well.
Euan McMahon, Managing Associate
Mishcon de Reya
Yep, again, very, very important. Well we are, we are at time. Unfortunately, we’ve run out of time so we can’t answer any of the questions on this webinar but we’d like to say thank you very much, hopefully you have got some helpful hints and tips if you are faced with a data scenario, data theft scenario, like this or just to bolster your systems to prevent one in the future. If you have questions for us, either on the subject of employee data theft or more generally, there will be a link in the follow-up email to you, to put fifteen minutes in our diaries to discuss it. But that leaves me just to say thank you very much, thank you Martin and Sharon, I hope you have enjoyed this session and we will see you at the next Flash Webinar.