Terrie's Job Tips -- Information Security – Part Three: The Hays Case in the UK

There was a very interesting court case in the UK in June of this year (2008), whereby a large recruiting company called Hays sued an ex-employee for the return of his database of contacts after he left the firm and set up a competing company. In the High Court, Hays argued that the ex-employee had unlawfully used confidential company client email addresses to create his own database in anticipation of starting his new business venture.

“Well,” you may be thinking, “this sort of thing happens all the time – recruiters, sales staff, and managers are always absconding with contact information, even if it’s only their name card collection – what’s so unique about this case?”

In fact, what was unique is that the ex-employee had used the email addresses to invite Hays’ clients to join his network at the popular SNS site, Linked In (www.linkedin.com). According to the ex-employee, rather than taking data, those clients responding to him did so of their own volition and registered with his network. In doing so, they were placing their contact data in the public domain, which would then excuse him of any breach of taking Hays data directly.

He further argued that he’d been using the Linked In website for a year with the full knowledge and encouragement of Hays. He said that he and other Hays recruiters were using Linked In as an effective tool for finding clients and candidates and that in using the website, Hays was tacitly agreeing that any information found through the site would be in the public domain.

Actually, I thought that both of these points comprise an ingenious defense, and certainly he makes a very good point that once data is on an SNS, and the employer knows about it and accepts the situation, then the employer can no longer claim that the data is private. Like most SNS’s, Linked In’s terms and conditions specify that it owns the rights to use the data in any way it likes, so in reality, as soon as a user puts something on the Linked In site, they no longer have traditional ownership over the content.

The ex-employee, however, lost the case. The British judge ruled that the accused had used email addresses learned from his work at Hays and since he knew that such use would subvert the ownership of the resulting information, this comprised wrongful use of those email addresses.

The ex-employee was ordered by the judge to disclose his Linked In business contacts where they resulted from emails sent from or received at his email account within the Hays network – in effect establishing the judgment (for the UK at least) that all data sent from a computer owned by the employer rightfully belongs to that employer. The accused was ordered to not destroy any evidence and to show if any business had resulted from use of the database – presumable so that damages could be calculated. It seems that the issue of whether some Linked In contacts might have resulted from legitimate use by the accused did not come up. I would assume however, that the judge would have ordered the accused to provide proof in the form of emails and other documentation of legitimate computer activity so as to exempt that activity from the damages sum.

From a practical viewpoint, I wonder how a company could realistically track such misuse of data unless they blocked access to the websites in question. Remember this is browser activity, not filterable email, and further, the Hays staff are many times a day legitimately using email addresses to contact both clients and candidates. At the end of the day, I guess it comes down to clearly spelling out policy to everyone, and trust.

Luckily for Hays and their case, the smoking gun was the Linked In auto-return function received from several invitations successfully accepted by email recipients, to the ex-employee’s old Hays email account. Without this proof, I guess that Hays would not have been able to prosecute at all.

After seeing this case, I wondered how a similar situation would be viewed here in Japan, so I decided to run it by an old friend, Jiri Mestecky, who is currently the only foreign partner at Osaka’s leading law firm Kitahama Partners, as well as his colleague, Japanese attorney and intellectual property expert, Ayumu Iijima, who is also a partner with such law firm. Next week, I give you the Japan version of what would have been likely in this case.