Top 10 Tips for Protecting Your Database
17 September, 2013
Almost all businesses will have some sort of database that contains, for example, marketing, sales, or customer data. Most companies appreciate that this information needs to be protected from competitors, but in our experience most businesses could do more to protect their confidential information. Here are our top 10 tips to help protect your database:
Are your IT systems secure? How easy would it be for someone to gain access to your network? Most businesses have systems in place to prevent external sources from gaining access to network computers; however, in our experience most breaches of security occur from within an organisation. With this in mind, you should consider what systems you have in place to monitor access to your database and prevent it from being sent to third parties.
It may seem simple, but the more copies of the database there are, the harder it is to monitor who has access to it and prevent it from falling into the wrong hands. In particular, you should consider whether the database can be stored on a central server, which can only be accessed (but not downloaded) by network computers.
3 Limit / monitor access
In our experience, most cases of database ‘theft’ involve an employee, or former employee. You should therefore consider whether it is necessary for everyone in your organisation to have access to the database. This may include limiting access to parts of it, where it contains more than one type of information.
You should also consider whether it is possible to password-protect your database. When doing so, it is important that each individual user has their own personal login details so that you can monitor who is accessing the database. This is especially important where the database is being accessed by third parties. Additionally, you should consider displaying a notice on the database login page reminding users of the extent of their authority to access / use the database (see paragraph 6 below).
4 Restrictive covenants
It is important that restrictions are placed on all staff as part of their employment contract in order to prevent them from distributing confidential information to third parties. Such restrictions can operate during the course of their employment and post-termination.
In addition, a restrictive covenant can be placed on an employee to prevent them from working for a competitor after they have left your employment. This can be an effective tool in preventing confidential information from falling into the wrong hands. A restrictive covenant will be void, however, unless you can show that:
– Your company has a legitimate interest that it is appropriate to protect; and
– The protection sought is no more than is reasonably necessary to protect that interest.
When considering the above it is important to think about each individual employee and whether the restrictions you are seeking to place on them are proportionate to the interest you are trying to protect (for example, it is likely that you can place a larger restriction on a director than, say, a truck driver). The restriction should go no further (e.g. in geographic location / duration) than is necessary to protect the interest, and it is prudent to seek legal advice to ensure that any restrictive covenants you are seeking to impose on an employee could be enforceable. This is especially important for (high level) employees who will have access to your confidential information.
5 Gardening leave
It will usually be the case that high level employees will have a long notice period included in their contract of employment. This is beneficial because it allows the company to find a suitable replacement, with little disruption to business operations. However, a long notice period can be counterproductive with a disgruntled employee. At best the employee is likely to be disruptive and / or distract other employees, but at worst this can give them a long period of time to access and store confidential information owned by the company. With this in mind, you should consider whether it would be appropriate to place the employee on gardening leave (a paid, non-working period) while they serve out their notice. Before doing so you should check that this provision is expressly included in the employee’s contract of employment. If not, you will need to agree this with the employee.
6 Training for employees
It is important to clearly define your IT systems policy and take steps to ensure your employees do not use your IT systems for illegitimate purposes. As part of this policy it is important to clearly identify your database(s) (and other confidential electronic information) and clearly set out the employee’s authority (or lack of it) to access / use this information. The terms of this use should be specific so that you can clearly identify when that employee has acted outside of their authority, for example, by sending the database to a third party.
If an employee exceeds their authority and you can show that they knew they were exceeding their authority at the time they took the database then you may be able to show the employee has committed a criminal offence under the Computer Misuse Act 1990.
7 Ownership of the database
If you are looking to claim a right over a database then it is important that you can clearly show that the database is owned by you and there is no dispute over its ownership. This is unlikely to be an issue where the database has been developed in-house, but what happens if it has been developed by a third party?
The person who assumes the risk of investing in obtaining, verifying or presenting the contents of the database is deemed to own it. Assuming you are taking on this risk (usually by paying for it), then it is likely that you will retain ownership of the database, even where it has been developed (or added to) by a third party. To avoid any potential issues, you should check that as part of any contract for the development of the database, you have expressly retained the ownership of it.
You should also note that where an employee develops a database during the course of their employment, the normal rule is that the company (not the employee) retains ownership of it.
8 Licence agreements
If you allow a third party to use or exploit your database then you should ensure that the terms of the licence are clear and unambiguous. In particular, the licence should stipulate that the licensee (and its employees) will only use the database for the purpose that was intended and that they will indemnify you for any loss / damage caused as a result of any misuse of the database. This indemnity should include the cost of any action taken against the company, or any of its employees.
Also, you should consider whether it is necessary to supply a copy of the database to the licensee or whether it can be made available via an extranet / web-portal. The latter allows you to monitor the use of the database (which will give you an idea of its value) and allow you to withdraw access in the event the licensee fails to make payment.
9 False entries
If possible, create false entries in the database, so that if a competitor gets hold of a copy of the database and tries to use the information contained in it, it will be easily identifiable. For example, in marketing databases it can be a good idea to add a number of your friends or family who will inform you if they suddenly get marketing material from a competitor. This can be useful evidence when trying to prove that a competitor has obtained a copy of your database.
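One way to apply this tip in practice, shown as an added example that is not part of the original article: it goes one step further than the text by planting a different set of false entries in each copy of the database (for instance one per licensee, as in tip 8), so that a message arriving at a planted address also shows which copy was the source. The key, the mail domain, the name lists and the copy labels are all constructed assumptions.

```python
import hashlib
import hmac

# All values below are constructed for illustration.
SEED_KEY = b"constructed-seeding-key-stored-outside-the-database"
CANARY_DOMAIN = "canary.example"  # assumed: a mail domain you control
FIRST_NAMES = ["Alex", "Jordan", "Sam", "Morgan", "Casey", "Robin"]
LAST_NAMES = ["Hartley", "Okafor", "Lindqvist", "Marsh", "Devlin", "Price"]

def false_entries(copy_label, count=3):
    """Derive the false entries planted in one copy of the database.

    The same key and label always give the same entries, so the list can be
    regenerated later as evidence without being stored next to the data.
    """
    entries = []
    for i in range(count):
        digest = hmac.new(SEED_KEY, f"{copy_label}:{i}".encode(),
                          hashlib.sha256).digest()
        first = FIRST_NAMES[digest[0] % len(FIRST_NAMES)]
        last = LAST_NAMES[digest[1] % len(LAST_NAMES)]
        tag = digest[2:6].hex()  # makes the address unique to this copy
        email = f"{first}.{last}.{tag}@{CANARY_DOMAIN}".lower()
        entries.append({"name": f"{first} {last}", "email": email})
    return entries

def build_index(copy_labels, count=3):
    """Map every planted address back to the copy it was planted in."""
    return {entry["email"]: label
            for label in copy_labels
            for entry in false_entries(label, count)}

def trace_contact(recipient, sender_domain, index, own_domains):
    """Return the copy a received message points to, or None.

    Mail from your own domains is expected (you market to your own list),
    and mail to an address that was never planted proves nothing.
    """
    label = index.get(recipient.strip().lower())
    if label is None or sender_domain.strip().lower() in own_domains:
        return None
    return label

if __name__ == "__main__":
    index = build_index(["internal-master", "licensee-a", "licensee-b"])
    planted = false_entries("licensee-a")[0]["email"]
    print(trace_contact(planted, "competitor.example", index, {"yourco.example"}))
```

Keep the seeding key and the list of copy labels outside the database itself, so that someone who takes a copy cannot work out which rows are false.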
10 Provide electronic equipment to staff
If it is necessary for the database or other confidential information to be used out of the office then you should consider supplying staff with company laptops / memory sticks. If possible you can take steps to ensure that the material stored on these devices is not transferred to another electronic device and you can ask for these to be returned at the end of your employee’s employment.
Hopefully the tips above will allow you to minimise the risk of your database falling into the wrong hands, but if it does it is important that you take action fast to recover it and minimise the damage caused to your business.
Reviewed in 2015