Intellectual property (IP) theft and fraud are rampant in the workplace, and can cost businesses millions of dollars in lost customers and eroded confidence, KordaMentha partner (forensic) Nigel Carson told a Kemp Strang briefing in Sydney last week.
The good news for employers is that technology has become a "silent witness" to employees' every move.
From accessing a building with a swipe card or a computer with a password, to using a phone, GPS or ATM out-of-hours, every action leaves an "imprint" which could prove useful in court, he says.
When a key worker leaves the organisation in suspicious circumstances, the employer should consider calling in an expert to make an exact copy of their hard drive, Carson says.
This "forensic image" will preserve all active and deleted data in a tamper-proof form that can be analysed in detail if warranted.
Carson says incriminating evidence contained on a hard drive might include emails deleted from the employee's work account or email from a private account which was accessed at work. Sometimes information can be recovered from Facebook, Linked In or chat programs.
Internet history can also be revealing. Bank statements viewed at work could be recoverable and in some cases, the worker will have visited the ASIC website to set up another business while still employed.
A forensic expert will also look at when certain files were accessed, altered, printed, deleted or copied to a removable device.
Use of programs such as "evidence eliminator" show the person had something to hide, even if some of the evidence has already been wiped.
If amateur IT staff trawl through the hard drive before a copy is preserved, however, they could inadvertently erase or alter vital evidence, Carson warns. At the very least, simply accessing the computer will "lessen the weight" of the evidence, he says.
Tips for vigilance
Carson says employers striving for vigilance in this area should:
consider putting an outgoing worker's hard drive "on ice", or make a copy - don't reallocate the computer straight away, particularly if the person is a key member of the organisation;
conduct thorough exit interviews - "drill in" to find out why workers are leaving and where they're going next. Make use of external providers if this is too awkward for internal staff;
monitor critical documents - ask your IT staff to put a filter on sensitive folders to see who's looking at what, when, and review results on a regular basis;
monitor email and internet use - and keep an eye out for suspicious activity, such as large downloads;
limit access to sensitive information - but remember, high-level executives with access to everything will still be a risk; and
maintain up-to-date policies and procedures - and enforce compliance. Carson says staff awareness of these processes is the most effective preventative measure of all. Knowledge that a former employee has been prosecuted for a breach will encourage the view: "If I was even thinking about it before, I'm definitely not now".
Delay can be fatal
Kemp Strang partner Lisa Berton warned HR professionals at the briefing to ensure their policies were compliant with privacy legislation and that employment contracts were up-to-date.
If an employee is suspected of IP theft or a restraint-of-trade breach, the employer must act quickly - particularly if the worker has already resigned, she says.
"Re-establish your customer connections - get [a forensic expert] on the phone, but in the meantime, get in there and get in front of your clients and your customers and re-connect," she says.
"I've seen many times people haven't done that, they haven't been proactive, they've been reactive - and the damage has been done."
Employers should obtain evidence of the offending conduct as quickly as possible, and, depending on the worker's contract and post-employment activities, send a cease and desist letter reminding them of their legal obligations.
If the employer's IT policy is not compliant with privacy legislation, trawling for electronic evidence could constitute a privacy breach.
"You might end up having reams and reams of material that support an employee taking confidential information, setting up their own business... dealing with your customers and trying to poach your customers, [but] you won't be able to use it," Berton warns.
In the absence of a compliant policy, the employer could, however, seek specific permission for "covert surveillance" from the court, she says.
If a worker who is under suspicion has a contract that lacks the necessary restraint clause, and they have not yet resigned, the employer might consider confiscating their computer and putting them on "gardening leave".
"Whilst they are still an employee, the duties are greater," Berton explains. "If you can present [evidence] that says all these things happened while the person was employed... that's probably enough - certainly enough in our experience - to see employees turn to water."
If the worker has left, and there is evidence of unlawful activity and damage to the business, the employer might be able to apply for an injunction.
In "most serious cases", such as a group of senior executives leaving en masse to take up employment with a rival company, an employer that can show the court there is a real risk that incriminating evidence will be destroyed could make an "Anton Pillar" order, she adds.
If granted, personal laptops, mobile phones and other relevant devices can be seized without warning.
If you have some HR news to share or would like to suggest a topic for an article, click here to email the editor.
