Analysis by law firm Mishcon de Reya and KPMG shows that corporate data theft cases in the UK have doubled between 2006 and 2008.
In the current uncertain times, the theft of business sensitive and confidential information by employees is a real threat to companies. With redundancies being made across all sectors in the UK along with rising job insecurity, more and more employees are using the confidential information they have obtained with their current employer in order to give them the edge in the increasingly difficult job market. In 70pc of the analysed cases, the perpetrator(s) were employees who moved to work for a competitor company.
In 75pc of all cases analysed, the data stolen was customer or client-related information (relating to customer relationships, levels of trading, pricing information, profit margins and so on) or customer lists. Financial information, such as management accounts, business plans, projections and forecasts represented 14pc of thefts.
The analysis shows that those who were caught stealing data justified their actions either by claiming that the information was already in the possession of the competitor (60pc) or that the information was already in the public domain (30pc).
Hitesh Patel, partner in KPMG’s Forensic practice, says:
“These findings highlight the challenges of defining what data within your business should be considered proprietary and also when and why it may be construed as public information. Companies need to consider how vulnerable they are to this kind of misconduct by employees and ensure that they have everything in place to prevent or fight information theft.”
The study also shows that in most (93pc) of cases, employees had already left the employer before the thefts were discovered. The restrictive covenants the company had put in place into employment contracts to protect their data seemingly had little deterrent effect because in 69pc of cases, these were breached by those stealing data. Tightly drafted restrictive covenants were key in obtaining restraining orders against offenders after the data theft had taken place.
Dan Morrison, partner in Mishcon de Reya’s Fraud & Insolvency Group, continues: “The stolen data has often limited shelf life and employees realise that they have to use the information quickly or they will lose their competitive advantage. Therefore when data theft is discovered or suspected, swift action is needed. At Mishcon de Reya the average time taken in a case of this nature from instruction to legal relief whether in the form of restraining injunction, undertakings, damages or apologies was just over 2.5 weeks.”
The research shows that this crime is a problem across many business sectors particularly the finance and construction industries. Mishcon de Reya and KPMG also analysed the worst perpetrators and discovered that 69pc of the theft instances reviewed where carried out by either males operating alone or by groups of male employees. Only 22pc were committed by women or group of women and 9pc involved both males and females. It is also the case that, with many workers uncertain about their jobs, the financial pressure continues to mount. This can result in a rise in employees tempted to act improperly and against the interest of their employer to preserve their own financial wellbeing.
Morrison says: “The theft of sensitive and confidential information from businesses is happening right now all over the UK and on an ever increasing scale. The Financial Services industry is likely to bear the brunt of this with widespread redundancies and rising jobs insecurity. City institutions are also having to leave large numbers of disenchanted employees in situ in order to comply with EU Employment law regarding the reduction of head count. History tells us that in difficult economic times, incidents of dishonesty rise. These factors combined provide opportunities for disgruntled or anxious employees to behave in a way that is not welcomed by management.
The most common method for employees to transfer stolen data is via email. In 46pc of the cases examined this was used as the primary route to improperly removing proprietary data from the business. Taking hard copy print-outs of data was the method used in 22pc of cases. Surprisingly the use of USB memory sticks, data CDs or DVDs was only present in 9pc of cases.
Hitesh Patel adds: “We expect to see an increase in the misuse of newer technologies in data theft such as smart phones, iPods, digital cameras and other types of digital media. Social networking sites have also provided data thieves with a way to remove data in some of the cases we have analysed.”
Morrison adds: “If a business’s data is held electronically, if it has a value to someone else, then it is vulnerable and businesses need to know how to protect themselves and how to recover or prevent the unsolicited use of stolen data.”
