But with new technology comes a new threat — storage devices such as USB sticks, portable hard drives, mobile phones and even iPods are capable vehicles for data theft in many businesses.

The theft of intellectual property from the workplace is on the rise, and the recent 2008 Information Security Breaches survey of more than 1000 businesses conducted by PricewaterhouseCoopers in Britain illustrates just how much of a risk businesses are taking with their company information.

The results show that since 2006, 6 per cent of businesses had suffered a breach of confidentiality; 35 per cent have no control over staff instant messaging; 52 per cent don’t carry out a formal risk assessment; 84 per cent do not scan outgoing emails for confidential data; 47 per cent of large businesses experienced staff misuse of information systems; and 34 per cent of large businesses experienced theft or fraud involving computers.

Alarmingly, the survey reports that 67 per cent of businesses do nothing to prevent company information leaving on USB storage devices. Uncontrolled use of such devices is a very real risk. It only takes one USB stick to upload a virus onto a system or, worse yet, to copy all the company’s sensitive commercial data. The repercussions are serious: business and financial loss; embarrassment; and where client confidentiality is paramount, irreversible damage to reputation and a raft of potential legal risks.

In Strickett v Arthur (2 December 1994, Employment Court, Wellington WEC 62/94, W28/94, Judge Finnigan), two workers left their employer’s business to set up their own business. Not only was the business in direct competition with the employer’s, but they were also using information such as client addresses and work records they had taken from the employer’s computer before leaving. The employees did not even leave copies of this data on the system.

If an employer believes an employee is carrying out an unlawful activity, reviewing the employee’s email system is the first place to start. Engaging the services of forensic computer experts is the next step. A pretext must be found for taking the employee’s laptop or computer and the employer must act fast. Once secured, experts can establish whether the suspect has recently acquired any removable data; whether emails containing references to confidential company information have been received, sent and subsequently deleted; and whether documents referencing sensitive data or confidential client information have been created and deleted.

In every employment relationship there are common law duties, one of which places an obligation on employees not to use or disclose their employer’s confidential information. This obligation operates whether written into the employment agreement or not, and continues after the employment has ended. Employers might consider exit interviews with employees, where confidentiality, restraint of trade and policy could be discussed and reiterated.

NZLawyer, issue 92, July 2008

Carisse de Beer is a law clerk at McCaw Lewis Chapman, New Zealand