Learning from #DataGate – What can your real estate business do to protect itself from data theft?

November, 2018

By Lisa Anaf, Partner and Diana Diaz, Senior Associate

By now you will no doubt have heard about the $750,000 settlement reached by Harris Real Estate in South Australia and Arabella Hooper, a former Toop & Toop employee who moved to Harris Real Estate after allegedly taking a significant amount of client data with her to her new employer. The settlement was reached 3 weeks into a trial in the District Court of South Australia.

In the 6 week period where Ms Hooper was alleged to have taken the data whilst still in employment, it was also alleged that she altered Toop & Toop database records so that a number of active clients appeared inactive. Further allegations were also made that Phil Harris, a director of Harris Real Estate, was aware of and encouraged the data theft, causing him to step down as REISA President – a position he had only recently been appointed to.

Although this case has received a large amount of media attention due to the significant settlement reached, the theft of client data is not new.

There are always ways for an employer to protect itself from data theft – before and after it happens. Despite this, what we sometimes find in dealing with these cases is that a client’s ability to take action would have been much stronger had they taken some basic steps to protect their data and their interests.  Steps such as:

  1. Prepare robust employment contracts: ensure your employment contracts have clear and robust confidential information and post-employment restraint clauses.
  2. Sign and retain copy of contracts: once you have contracts drafted, ensure that you have on-boarding processes in place in which each employee signs the contract and you keep a copy. Trying to enforce obligations in an unsigned employment contract is like fighting with both arms tied behind your back.
  3. Update contracts when roles change: every time a person is promoted or has a change in position title the employee must sign a new contract with updated post-employment restraints to ensure that employees have obligations that apply to them in their current role.  Restraints in contracts for outdated positions are unlikely to be enforceable.
  4. Implement policies that allow you to monitor staff IT use: consider monitoring your business’ IT systems and having IT policies to support that make it clear that employees will be monitored. Regular and routine monitoring may uncover the unexpected, or at the very least put employees on notice that you take data theft seriously. (Depending on the State/Territory in which you operate, note that there may be obligations about notifying staff that you are monitoring IT systems so IT polices are a must).
  5. Warn staff of post-employment obligations where they leave: ensure that your off-boarding processes when employees leave their employment include a sweep of employees’ computer, email, work phone etc. You should also write to departing employees demanding a return of your property and putting them on notice of any post-employment restraints that apply to them to help reduce the likelihood of blatant breaches.

Of course, there are many other steps that employers can take if they discover data theft in their business, including “warning off” letters to former employees (and their new employers) and litigation. With that said, your options may be limited if your business has not taken the five steps set out above.

Given that these are often easy and cost effective steps for any business to implement, wouldn’t you want to know that your business had done everything it could to protect itself and take action should an employee do the wrong thing?

Contact Mills Oakley

If you require further advice on the issues raised in this alert, please do not hesitate to contact:


Lisa Anaf | Partner
T: +61 3 9605 0857
E: lanaf@millsoakley.com.au

John Turnbull | Partner
T: +61 3 8568 9519
E: jturnbull@millsoakley.com.au

 

 

  • Workplace Relations, Employment & Safety

  • Privacy Policy | Terms of Use