Following the trail – dealing with former employees taking customer data
Insight
Over the course of the last year, and perhaps prompted by the fallout from the pandemic, we have seen a marked increase in instructions from clients pursuing ex-employees who have taken customer information with them to use in the organisations they are joining. The recent Court of Appeal decision in the case of Trailfinders Limited v Travel Counsellors Limited adds to the weaponry available to the former employer by extending the potential liability of the business the ex-employee is joining.
The Trailfinders judgment puts organisations acquiring information from former employees at greater risk of liability in breach of confidence if they fail to ask questions about whether they can receive and use this information.
Background
In 2016 four employees of Trailfinders departed to become franchisee travel consultants at TCL. The former employees took with them contact and other details of customers of Trailfinders from Trailfinders’ computer systems. Some of the information was recorded from the computer system onto paper records and combined with other information which was publicly available. It was then sent to TCL via email. The information of a particularly high value client was printed off by one former employee with a view to using it later to complete the travel itineraries for that client once the former employee joined TCL. In another example, customer information was compiled into a contact book. It included information that would allow the departing employee to gain access to a computer system used by customers of Trailfinders and which contained more of their details. Again, this contact book was supplied to TCL. The information obtained by the former employees was added to TCL’s computer systems.
Taking two of the individual defendants as test cases, the Intellectual Property Enterprise Court (IPEC) held that the individual defendants had breached their contracts of employment with Trailfinders as well as their equitable obligation of confidence to their former employers.
IPEC also found that TCL’s senior personnel should have realised that at least some of the information supplied by the former employees would have been copied from Trailfinders’ customer data and regarded as confidential by it. Accordingly, in using this information in its business, TCL breached an equitable obligation of confidence it owed to Trailfinders.
Appeal
TCL appealed IPEC’s decision to the Court of Appeal (the individual defendants did not appeal). TCL primarily argued that it did not owe an obligation of confidence to Trailfinders because it did not have sufficient knowledge that the relevant customer information was confidential – it did not know this and nor had it turned a blind eye to the possibility. The Court of Appeal rejected the appeal and upheld the decision in IPEC.
Central to the Court of Appeal’s decision is its finding that if a former employee is bringing customer information with them to their new employer in circumstances where it should raise a question about whether that information is confidential to the former employer, then the new employer should make enquiries as to whether this information can be received and used by them. If they fail to do so, then an equitable obligation of confidence will be imposed at that point in time. In this case, it was the quantity and quality of the information about customers that should have caused TCL to ask questions, but they failed to do so (indeed, the evidence went further than this in that TCL positively encouraged new consultants to bring customer information with them). It is therefore not sufficient anymore to adopt a position of, “Don’t know, don’t ask”. Instead, the position now is, “Don’t know, then ask”.
Practical implications
This decision means that former employers have much stronger grounds to take action, not only against former employees, but also against the new employer or other organisations the former employees are joining. Typically, on discovering that customer information has been taken, the former employer will put the new employer on notice of this, fixing them with potential liability if they continue to use and retain the information from that point in time. However, now the former employer has grounds for asserting that this liability for the new employer arises much earlier, potentially giving them access to much deeper pockets than they would find if they just pursued the former employees.
This ruling also potentially offers much greater protection to former employers in another respect, as it is likely to mean that new employers will be much more cautious before accepting information supplied by new employees. Looking at it from the point of view of new employers, where a new employee proposes to provide information which may be confidential, that employer would be wise to consider whether the new employee can do so where it appears to be the type of information that might be considered to be confidential to a former employer.
New employees should be questioned if they appear to be bringing customer information, product information or any form of trade secret which may be confidential. The Court of Appeal did not indicate how far employers should go with their enquiries, but in the interests of minimising risk it would be sensible to enquire until the source of any information can be ascertained.
Data Protection issues – some other practical and legal implications
Finally, an issue that is sometimes overlooked in these cases, but which is becoming increasingly important, are the data protection implications when customer data is misused in this way.
The customer data will be personal data. As such the former employer has obligations to those individuals to keep that data secure. The unauthorised access to and taking of that data by the former employees is a data security breach. It may be reportable to the regulator (in the UK this is the Information Commissioner or ICO), and to the affected customers depending on how serious it is. Recent guidance from the European Data Protection Board (EDPB) – the collective body of EU data protection regulators – is that it is normally reportable to a regulator but not to the individuals affected. So, the former employer should think carefully about these reporting requirements bearing in mind that the breach should be reported to the regulator, if it is serious enough, within 72 hours of discovery (and to affected individuals “without undue delay”).
Our view is that if the breach is discovered reasonably early on and undertakings and other suitable information are obtained from the former employees (and new employer) quickly, then the breach is probably not reportable to a regulator. However, in forming this view it is important to obtain very early disclosure from the former employee (usually through a witness statement) about what personal data they took, how they did it and what they have done with it. In other words, this requirement for information from the former employees is not only important in further establishing the claim against them (and their new employer), but also in assessing the risks to the customer data and hence the reporting requirements to regulators and customers.
The former employee may also be in some difficulty. The ICO has shown a recent tendency to prosecute former employees who have taken customer data (this is one of the relatively few criminal offences provided for under the UK’s Data Protection Act 2018). The ICO does have an increasing interest in such cases. Therefore, one of the additional routes that the former employer might consider taking is reporting the matter to the ICO in any event with a view to the ICO taking further action (particularly in circumstances where the former employer may not feel able to pursue a civil claim against the former employee). However, the former employer should consider this carefully as reporting the breach to the ICO might raise questions about how the former employer allowed the breach to occur in the first place and prompt an investigation by the ICO in that respect.
Finally, there is the position of the new employer. It will have received and be using the data of the customers, making it a controller of that data. This brings with it all of the obligations that this entails under data protection law. In particular, within one month of receiving the personal data, the new employer is required to inform the customers by providing them with relevant information (typically a Privacy Notice) explaining that they have their information and what they are using it for. This includes disclosing where they got the information from, which rather lets the cat out of the bag in terms of its acquisition from the former employer.
Conclusion
As will be apparent from the above, it is vital that employers are aware of what departing employees take with them when they leave and what arriving employees bring with them upon arrival. Where that involves any data which may be confidential, steps should be taken by both the former and new employer to ensure that no confidential data is being removed in breach of contract or equitable obligations of confidence or data protection laws. The Trailfinders decision suggests that it may be prudent to implement a procedure under which new employees are interviewed on arrival and a risk assessment is carried out in respect of any potentially confidential information they bring through the door.
If you require further information about anything covered in this article, please contact Ian De Freitas, William Charrington or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, February 2021
