What To Do When Sensitive Internal Company Information Is Sent To Personal Email Addresses

Steps a Company should take, including general advice about conducting an investigation

Imagine that one of your supervisors discovers that thousands of pages of confidential Company billing and financial information have been downloaded and e-mailed to a personal e-mail address. Upon further investigation, your supervisor has discovered that an employee has asked other employees to also send Company documents to her personal e-mail address.

This situation occurs frequently and management needs to respond quickly and comprehensively. Each situation demands a customized response, but the general tenets of a proper response by a Company appear below.

  • Review the information that was taken and determine whether the information was already publicly available, or whether it contains Company confidential or trade secret information.
  • Determine whether multiple copies of the stolen documents exist and whether they have been designated or labeled as confidential or trade secret.
  • Evaluate the adequacy of policies, procedures, and agreements with the employee to determine the scope of the employee’s violations, and determine whether the employee has a history of similar violations or conduct.
  • Involve the internal IT Security department or an outside IT security/forensic specialist to assess and remedy the data breach. It is essential to conduct interviews of employees, including those employees from whom the employee at issue attempted to solicit further documents.
  • If other employees transferred documents to the employee, an investigation of their activities will be necessary.
  • Depending upon the nature of the information taken by the employee(s), the Company may have an obligation to report a data breach, particularly if the employee has shared the data with unauthorized third parties.
  • Conduct an immediate in-person interview with the employee. During the interview, the employee should be confronted regarding the data transfers. The Company may discover there is an innocent explanation for the activity. The Company should probe the extent of the personal transfers, transfers from others, and whether the employee has disclosed the documents to third parties. The Company should also question the employee concerning the employee’s motivations as well as the employee’s awareness of Company policies and agreements prohibiting such activities. The Company should ask for the employee’s immediate cooperation in returning the data and request access to the employee’s personal email account as well as any other electronic devices or accounts that contain Company information to accomplish the same. It is important that the Company obtain the return of the data, particularly if the information is confidential or trade secret, so that the Company can attempt to preserve its confidential nature.

The investigative phase of this process is critical. In our next post, we will discuss when to consider having outside counsel present and who from your company is best to include and keep away.

  • Assuming that there is no legitimate reason for the employee’s actions, the Company will need to consider appropriate discipline for the situation, including considering suspension or termination of the employee. It is key to create written documentation clearly demonstrating that the reason for such discipline was violation(s) of particular policies or agreements, as opposed to retaliation for any purported whistleblowing.

Civil legal theories against the employee may include, among other claims, breach of contract, breach of loyalty, conversion, trade secret misappropriation, and/or a violation of the Computer Fraud and Abuse Act (depending upon the jurisdiction) or similar state computer data protection or access laws. Depending upon the gravity of the situation, the Company may also want to consider approaching law enforcement to consider pressing charges against the employee.

  • If the employee refuses to return the documents and make the employee’s accounts and other electronic devices/accounts containing Company data available for inspection to obtain the return of the purloined data, the Company may need to consider seeking immediate injunctive relief in court.