Employees stealing personal information and other sensitive data from their employers can be a serious problem. The theft of confidential company information has been on the rise since the start of the global coronavirus pandemic, where the move to the digital world and working from home have resulted in less stringent safeguards to protect information than would otherwise exist in the office. A recent report by cybersecurity software company Code42, found that when workers walk away from their jobs they're increasingly bringing home sensitive company data, and found that there was a 40% increase in "data exposure events" between the first half of 2020 and the first half of 2021. Facebook was recently thrust into the spotlight when ex-employee Frances Haugen leaked vast amounts of damning internal research to the US authorities and the press, detailing how Facebook knew its sites were potentially harmful to young people's mental health. While the motive may arguably be admirable in this in this context, it does raise a broader question: what can employers and other affected parties do when their sensitive information is leaked, stolen, or otherwise compromised? Well, like with all legal questions, the answer depends on the facts and circumstances.
crime of theft
When an employee steals information, the obvious answer may be to lay a charge of theft. However, it is not as simple as this. Theft requires an intention to permanently deprive an owner of their property, in this case, information. If an employee were to steal physical documents, or a hard drive, this would be sufficient to sustain a charge of theft, as confirmed in the case of Rex v Cheeseborough, where two former employees of the complainant firm stole two documents belonging to the complainant company and then joined a new firm, a competitor with the complainant firm. Where an employee copies the information and later distributes those copies, the employer has not been permanently deprived of their property. Although an argument could be made that the copies are also the property of the employer, and as such theft of such copies is still theft as the employer has been permanently deprived of those specific copies, it is likely more advisable to pursue a copyright claim against the wrongdoers where there has been unlawful copying of information.
copyright infringement
A copyright infringement can have both civil and, in limited circumstances, criminal consequences. In terms of the Copyright Act, 1978, an employer would be able to pursue a civil claim for copyright infringement against an employee that unlawfully copies information protected by copyright where the employer is the owner of such copyright. This position is protected in statute under the Copyright Act with ownership generally determined by the type of work involved, while employers are also strongly advised to include terms to this effect in employment agreements, thus removing any doubt whatsoever regarding ownership in works of copyright. These works would generally include documents, reports and the like created by the employee in the course and scope of their employment, but this will depend on the specific employee's role and may also include artistic works or computer programs/software. A criminal case is also possible, as per the usual process of reporting criminal conduct to the police and ultimately having it prosecuted by the National Prosecuting Authority. Section 27(1)(f) of the Copyright Act provides that “any person who at a time when copyright subsists in a work, without the authority of the owner of the copyright distributes for any other purposes to such an extent that the owner of the copyright is prejudicially affected articles which he knows to be infringing copies of the work, shall be guilty of an offence”. The Copyright Act further provides that the penalty for such an offence, if it is a first conviction, is a fine not exceeding five thousand rand or imprisonment for a period not exceeding three years, or to both such fine and such imprisonment, for each article to which the offence relates. In the case of subsequent offence, the penalties increase to a ten thousand Rand fine and five years' imprisonment.
the delict of unlawful competition
Another potential avenue, in parallel to pursuing a copyright infringement, would be to rely on the delict of unlawful competition. This claim can take many forms, including the misappropriation of confidential information or trade secrets, that is, using or disclosing information that is useful, not publicly available and has commercial value which was imparted or received in confidence, often in a fiduciary or employment relationship. This would require proving all the usual elements of a delictual claim, namely, wrongful conduct of a competitor using or disclosing confidential information, which has caused harm to the owner of that information, and that such conduct was intentional or negligent. It is in essence, much the same as a general civil claim for damages.
the Competition Act
The disclosure of competitively sensitive information to a competitor may also constitute a contravention of the Competition Act, 1998. Generally, competitively sensitive information includes information about an entity's pricing, trading terms, customers, costing, strategy, innovation, profitability, marketing, etc. that is not in the public domain and that affects its competitive offerings. Where an employee of a firm provides competitively sensitive information to that firm's competitor, this may constitute a contravention of section 4(1)(a) of the Competition Act, which provides that “an agreement between, or concerted practice by, firms or a decision by an association of firms, is prohibited if it is between parties in a horizontal relationship and if it has the effect of substantially preventing or lessening competition in a market, unless a party to the agreement, concerted practice, or decision can prove that any technological, efficiency or other pro-competitive, gain resulting from it outweighs that effect”. An exchange of competitively sensitive information may contravene this section insofar as it may remove strategic uncertainty from competitive decisions for one or more parties and the removal of the strategic uncertainty may lead to the softening of competition i.e. tacit collusion.
What will become important is whether the employee responsible for leaking the information has actual or ostensible authority to represent the firm concerned and to agree and bind it to participation in the cartel activities. Where an errant employee is on a frolic of their own, and there is no actual or ostensible authority for their conduct, there will be no basis for imputing liability to the firm. An example of this would be where the wrongdoer's employment with the firm concerned was terminated before the wrongdoer leaked the information. In such instances it is unlikely that a contravention of the Competition Act would be sustained.
The Competition Act is generally aimed at preventing collusive conduct between competitors rather than corporate espionage. Where a firm has its confidential information leaked to a competitor by a disgruntled employee, and that competitor is conferred a competitive advantage thereby to the victim firm's detriment, this conduct is not truly within the focus of the competition authorities as it does not involve any collusion. However, this will once again turn on whether the employee had actual or ostensible authority at the time of the disclosure. It is worth noting that in the case of Ferro, the Competition Tribunal dismissed an application in terms of which Ferro (Pty) Ltd sought to change various merger conditions requiring divestiture on the grounds that a former employee allegedly stole certain confidential and competitively sensitive information being used to unfairly compete with Ferro. The Tribunal held that Ferro's recourse was with the High Court as the theft of information was not a competition issue, and that “the kind of information exchange that is prohibited by section 4 [of the Competition Act] is usually a voluntary exchange between competitors collaborating to avoid competition between them”.
monitoring communications to detect theft under RICA and POPIA
Organisations often wish to monitor their employees' work-related communications to establish whether confidential information is being leaked or stolen. To this end, the application of the Regulation of Interception of Communications and Provision of Communication-Related Information Act, 2002 (“RICA”) and the Protection of Personal Information Act, 2013 (“POPIA”) should be considered.
RICA, among other things, places restrictions on companies wishing to monitor telephonic, e-mail and other communications of employees at the workplace. In terms of section 5, such communications may be monitored if one of the parties to the communication gives written consent thereto.
Under section 6(1), the monitoring of communications is also permissible if these communications have been made “in the course of the carrying on business, in the course of its transmission over a telecommunication system.” Section 6(2) sets specific requirements to do so, including that the CEO must have made all reasonable efforts to inform the relevant employee in advance of such monitoring or the employee's express or implied consent has been obtained.
In terms of POPIA, it is important to note that “the criminal behaviour of a data subject to the extent that such information relates to the alleged commission by a data subject of any offence”, such as alleged theft of data, would constitute special personal information, that may not be processed unless, for example, the employer has obtained the consent of the relevant employee.
Reading RICA and POPIA together, employers should consider obtaining consent from employees to monitor communications within the scope of their employment.
cybercrimes and POPIA violation
Section 22 of POPIA imposes a mandatory security compromise notification obligation “[w]here there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person”.
The theft of personal information by an employee and subsequent disclosure thereof to unauthorised third parties would invariably trigger a reporting obligation to the Information Regulator and, as a general rule, affected data subjects.
The employer may be held vicariously liable for loss caused by its employee's data breach. In the UK Supreme Court decision of WM Morrison Supermarkets plc v Various Claimants, Morrisons Supermarket was sued by numerous of its employees on the basis that it was alleged to be vicariously liable for a data breach caused by the malicious conduct of a disgruntled employee in terms of the UK Data Protection Act, 1998 (“DPA”) on which POPIA is closely modelled. In this case, Morrisons suffered a serious data breach when the payroll data of nearly 100,000 employees (including names, addresses, dates of birth, national insurance numbers and bank details) was posted online by a disgruntled Morrisons employee. The data breach had serious implications for Morrisons' share price and a number of employees (whose data had been leaked) brought proceedings against Morrisons for damages. While the court ultimately found that Morrisons was not vicariously liable in that the employee had not been furthering Morissons' business, but rather pursuing a personal vendetta, the South African courts are likely to make a different finding. Based on the decision in the Supreme Court of Appeal in Stallion Security (Pty) Ltd v Van Staden, where the court found the employer to be vicariously liable for the actions of the employee and ordered the employer to pay damages, in circumstances where the employee acted intentionally and “entirely for his own purposes”.
Importantly, POPIA makes provision for a form of statutory vicarious liability for employers, in the event of a contravention of the Act by any of its employees. Section 99(1) of POPIA provides that a civil action for damages may be instituted against the responsible party [the employer] irrespective of whether there is intent or negligence on the part of the responsible party).
In addition, in terms of section 109(3), when determining an appropriate administrative fine for criminal offences under POPIA, the Information Regulator is obliged to consider various factors, including whether the responsible party [the employer] or a third party [the employee] could have prevented the contravention from occurring, or whether there was any failure to carry out a risk assessment or a failure to operate good policies, procedures and practices to protect personal information.
breach of contract
Lastly, it bears mention that the simplest remedy may take the form of a breach of contract. This could take several forms, depending on whether the party leaking the information is still an employee of the victim firm at the time of the leak. Where there is still an employment relationship, the breach of trust occasioned by the employee's misconduct in leaking the information would likely serve as grounds for dismissal. Where the employee has already left the employ of the victim firm, it may still be breach of contract in respect of various clauses which survive the termination of the employment contract, for instance, confidentiality clauses generally drafted to survive the termination of employment and are enforceable even after an employee leaves their role. Another example would be a restraint of trade clause, which generally remains enforceable against an employee several years after their employment has been terminated, in order to prevent that employee from competing unfairly with their former employer. In order for such a restraint to be enforceable there must be a protectable interest, which our courts have held include trade secrets. As such, it would be possible to claim damages for breach of contract in these instances. Ultimately, a claim for breach of contract will depend on what was agreed to between the affected firm and the wrongdoer.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
