The cost of taking prompt and decisive action to contain the impact of information theft by an employee may be significant, but the alternative could be much worse.
When SAI Global discovered that its former employee, Liam Johnstone, had taken SAI's customer list with him to a competitor, it took action in the Federal Court (SAI Global Property Division Pty Ltd v Johnstone  FCA 1333).
The Court's decision focused on who should bear the cost of that action, and although it was not all good news for SAI, it was probably a cost worth bearing.
Confidential information goes missing
SAI is a leading provider of integrated search, settlement and conveyancing software and services in Australia. It employed Mr Johnstone as a business development manager. When Mr Johnstone resigned to work for a competitor, he was asked to attend an exit interview at which SAI gave him a letter reminding him of his confidentiality obligations to SAI. Mr Johnstone returned the laptop that had been supplied to him by SAI, and went on gardening leave.
SAI was suspicious about Mr Johnstone's conduct and had his laptop forensically examined. SAI discovered files had been copied to a USB device three days before Mr Johnstone resigned. The files included SAI's confidential customer list.
A fight without much of a fight
SAI immediately commenced legal action against Mr Johnstone in the Federal Court. The court ordered that Mr Johnstone provide an affidavit setting out details of the SAI information he had taken and used, and that he not delete any SAI information from any device in his possession. He was also ordered to deliver up these devices to the court.
Mr Johnstone realised the game was up. He promptly signed an affidavit admitting he had copied SAI's information and used it to identify which of SAI's customers were also customers of his new employer. He said he had not contacted any customers, or provided SAI's information to his new employer. He also handed up to the court a USB device and laptop belonging to him containing SAI's information. A laptop belonging to his new employer was also delivered up. SAI, not having any particular reason to trust Mr Johnstone, had these devices forensically examined too.
Damages = $5,001
Mr Johnstone admitted all material wrongdoing and there was little dispute about the facts. The real issue was what orders the court should make, particularly relating to damages and costs.
SAI could not show it had suffered any loss or Mr Johnstone had made any profit from the wrongful use of its confidential information, so it did not pursue damages for that.
The SAI customer list was a copyright work so SAI sought, and Mr Johnstone agreed to, nominal damages of $1 for infringement of copyright.
SAI also sought and obtained $5,000 additional damages due to the flagrancy of the infringement.
SAI legal costs = $275,459
SAI sought a further order that Mr Johnstone pay its legal costs. Costs are calculated using a court scale and, as a rule of thumb, a successful party can expect to recover about 60% of its actual costs from the unsuccessful party.
SAI's costs came to the grand total of $275,469, most being incurred after Mr Johnstone admitted fault. Mr Johnstone submitted that there was no need for SAI to incur further costs after he complied with the court's orders.
The court disagreed. It was reasonable for SAI to have the USB drive and laptops delivered up by Mr Johnstone forensically examined, which accounted for $34,411. The court also said it was reasonable for SAI to pursue the matter to a final hearing, given Mr Johnstone continue to dispute some issues, which accounted for a further $158,106. These costs, however, were out of proportion to the importance and complexity of the matter, and so ordered they be discounted by 50%.
Based on these orders, Mr Johnstone likely ended up having to pay about $120,000 of SAI's costs, plus his own costs. That left SAI having to pay about $155,000 of its costs, despite being successful on nearly every point.
Expensive, but still worth doing
It is difficult to say what SAI could have done differently to avoid this outcome. The most robust security measures are unlikely to stop a determined employee from stealing confidential information. An employee who takes confidential information cannot be trusted, so any assurances they give once caught will hold little weight. The potential loss to SAI if the information had been misused could have be substantial. SAI no doubt decided that thorough and vigorous legal action to prevent that was justified. And it cannot be forgotten that Mr Johnstone will still have to pay a substantial amount of money.
Despite the significant cost to SAI of pursuing Mr Johnstone, businesses in a similar situation would need to weigh up the potentially greater losses that might flow from not acting. The case highlights the importance of being vigilant and acting promptly and decisively to minimise the risk and impact of information theft, and sends a strong message to other employees that information theft will be taken seriously.