Workers saved company information to a thumb drive, then quit to start a rival business. Their former employer sued. The outcome shows why safe data transfer policies are important and must be clear.
Here’s a brief overview of a recent court decision: Several employees of a recruiting firm, Instant Technology, LLC, quit or were fired over the course of several months. These users went on to start another IT recruiting firm.
An investigation of the former employees’ computers showed that some of them had logged onto the company’s database and saved unknown information to thumb drives.
The company sued its former employees for violating non-solicit clauses of its former clients and customers and for stealing confidential company information.
Did allegations stand up in court?
The former employees admitted to contacting customers and clients of Instant. But it argued the claims failed on those counts because they were overly restrictive – the field was too competitive, and the customer list was too broad to be restricted.
But where it gets interesting is the claims of stealing information.
A forensic investigator found that the employees had accessed Instant’s files and saved them to thumb drives plugged into their computers. When Instant filed lawsuits, the former employees returned those thumb drives, which contained some of the company’s files on them.
But the company’s policies didn’t ban storing information on USB drives – in fact, it encouraged employees to work from home, which could require access to these files.
And the fact the users returned the documents when the lawsuit was filed showed they had complied with the court’s orders. There was no evidence they had misused or copied the information from these files at any point.
In short, the court said:
[The] testimony established one point: [Its employees] used a thumb drive to store Instant files during the course of their employment with Instant … At the trial, Instant did not prove—or even argue—that the Employee Defendants retained any of the Instant documents stored on thumb drives. Instant at trial did not prove that the Employee Defendants used any of Instant’s information while operating as Connect.
Without policies banning saving company information to personal devices or any evidence those files were used, the claims failed.
Lessons learned: Policies must be explicit
This company didn’t have an issue with employees storing company data on personal devices until they left their employment. That’s when it wanted to punish them for it.
But without clear policies in place that said what was or wasn’t acceptable, the court refused to take its side.
While this case focused around thumb drives, the same or a similar situation could just as easily occur with the public cloud other services.
Make sure your policies don’t fall short. Have clauses that cover:
- How data can be transferred. List unacceptable means of transferring data – including public or private cloud storage, email rules, thumb drives or other hardware, collaboration software, etc. Make sure users know which services are appropriate for sharing and accessing company information.
- Use of information. Just because information can be accessed off-site doesn’t mean it should be. Make sure you outline acceptable use policies for data as you would any device you gave employees.
- Returning information. Stress that when employees leave your company, the data must stay in-house. Outline the steps you will take to recover this data and and the steps employees must take to turn it over properly.
- Discipline steps. As always, you’ll need employees to know there are consequences for violating your policies – including possibly losing their jobs.
What do you think? Was this company given a fair chance to prove its users stole data? Or did the court side too much on trusting employees? Leave your feedback below.