An analysis of recent cases by law firm Mishcon de Reya and KPMG shows that corporate data theft cases in the UK have doubled between 2006 and 2008.
In the current uncertain times, the theft of business sensitive and confidential information by employees is a real threat to companies. With redundancies being made across all sectors in the UK along with rising job insecurity, more and more employees are using the confidential information they have obtained with their current employer in order to give them the edge in the increasingly difficult job market. In 70% of the analysed cases, the perpetrator(s) were employees who moved to work for a competitor company.
Furthermore in 75% of all cases analysed, the data stolen was customer or client-related information (relating to customer relationships, levels of trading, pricing information, profit margins and so on) or customer lists. Financial information, such as management accounts, business plans, projections and forecasts represented 14% of thefts.
The analysis shows that those who were caught stealing data justified their actions either by claiming that the information was already in the possession of the competitor (60%) or that the information was already in the public domain (30%).
Hitesh Patel, partner in KPMG’s Forensic Group says: “These findings highlight the challenges of defining what data within your business should be considered proprietary and also when and why it may be construed as public information. Companies need to consider how vulnerable they are to this kind of misconduct by employees and ensure that they have everything in place to prevent or fight information theft.”
The study also shows that in 93% of cases, employees had already left the employer before the thefts were discovered. The restrictive covenants the company had put in place into employment contracts to protect their data seemingly had little deterrent effect because in 69% of cases, these were breached by those stealing data. Tightly drafted restrictive covenants were key in obtaining restraining orders against offenders after the data theft had taken place.
Dan Morrison, partner in Mishcon de Reya’s Fraud & Insolvency Group continues: “The stolen data has often limited shelf life and employees realise that they have to use the information quickly or they will lose their competitive advantage. Therefore when data theft is discovered or suspected, swift action is needed. At Mishcon de Reya the average time taken in a case of this nature from instruction to legal relief whether in the form of restraining injunction, undertakings, damages or apologies was just over 2.5 weeks.”
The research shows that this crime is a problem across many business sectors particularly the finance and construction industries. Mishcon de Reya and KPMG also analysed the worst perpetrators and discovered that 69% of the theft instances reviewed where carried out by either males operating alone or by groups of male employees. Only 22% were committed by women or group of women and 9% involved both males and females. It is also the case that, with many workers uncertain about their jobs, the financial pressure continues to mount. This can result in a rise in employees tempted to act improperly and against the interest of their employer to preserve their own financial wellbeing.
Morrison says: “The theft of sensitive and confidential information from businesses is happening right now all over the UK and on an ever increasing scale. The Financial Services industry is likely to bear the brunt of this with widespread redundancies and rising jobs insecurity. City institutions are also having to leave large numbers of disenchanted employees in situ in order to comply with EU Employment law regarding the reduction of head count. History tells us that in difficult economic times, incidents of dishonesty rise. These factors combined provide opportunities for disgruntled or anxious employees to behave in a way that is not welcomed by management.”
The most common method for employees to transfer stolen data is via email. In 46% of the cases examined this was used as the primary route to improperly removing proprietary data from the business. Taking hard copy print-outs of data was the method used in 22% of cases. Surprisingly the use of USB memory sticks, data CDs or DVDs was only present in 9% of cases.
Hitesh Patel continues: “We expect to see an increase in the misuse of newer technologies in data theft such as smart phones, iPods, digital cameras and other types of digital media. Social networking sites have also provided data thieves with a way to remove data in some of the cases we have analysed.”