avr. 21. 2017

Copying and Retention of Confidential Company Data by Former Employees

ORBCOMM INC. v Randy Taylor Professional Corporation, 2017 ONSC 2308 (CanLII)

A senior employee leaves the company. You discover he made copies of company emails and other data confidential to the company before departing. What can you do?

ORBCOMM INC. v Randy Taylor Professional Corporation, 2017 ONSC 2308, suggests the answer is “not much”, unless there is an agreement that restricted the employee’s ability to retain copies of company data after the end of his employment.

This seems questionable, especially in a case involving the wholesale copying and retention of company data by senior employees after their employment ended. The practical lesson is that confidentiality agreements with employees and others should expressly address the return, destruction or deletion of copies of confidential or private information.

The Decision

In this case, ORBCOMM acquired SkyWave, which continued under the same name. After the acquisition, ORBCOMM brought certain claims against the escrow fund established as part of the transaction. ORBCOMM also came to believe that information relevant to these claims had been deleted by the former CEO and CFO.

It was not disputed that before leaving SkyWave, the former CEO made electronic copies of various files, including his emails, the CFO’s emails, and the contents of the data room made available to ORBCOMM during the acquisition. The former CFO also acknowledged making and keeping copies of her emails and documents.

The former CEO had provided his services by way of a corporation. Under an agreement between the corporation and SkyWave, the former CEO agreed not to divulge or misuse SkyWave’s private and confidential information. The agreement had no provision restricting the former CEO’s ability to make or retain copies of such information.

The former CFO was an employee. Any employment agreement was not in evidence, and there was no other evidence that she was under a contractual obligation not to keep records or copies of records after her employment.

Both the CEO and CFO were willing to provide ORBCOMM and SkyWave with copies of the data they had copied before leaving SkyWave. They were not prepared to delete their own copies.

Section 104 of the Courts of Justice Act permits an Ontario court to make an interim order for recovery of possession of personal property. SkyWave sought an order under section 104 requiring the former CEO and CFO to return the data they had copied and delete the copies in their possession.

Justice MacLeod therefore had to consider whether section 104 could be used to order return of data. As he noted, this is not straightforward because of the question of whether information is property: “The question as to whether data is property may appear self-evident but in fact it is unclear. This is because ordinarily in ‘data theft’ what is taken is a copy of the data and not the data itself so arguably the owner is not deprived of the use of the information. What the owner loses is the confidentiality of the information and it is far less clear that confidentiality is best addressed through remedies dealing with tangible personal property.”

Although ultimately Justice MacLeod did not rule out the possibility that section 104 could be used to order the interim return of confidential data, ultimately he declined to do so in this case. He emphasized that there was no contractual obligation preventing the CEO from keeping copies or requiring him to return or delete copies. He reached similar conclusions in respect of the CFO’s retention of copies. He confirmed that both the former CEO and CFO remained under legal obligations not to disclose the copied information or use it for an improper purpose. The former CEO and CFO were therefore permitted to keep their copies of SkyWave’s data.

Analysis

The decision does not explicitly address whether or not the making of copies by the former CEO or CFO was itself a misuse of information prohibited by their duties of confidentiality. At one point in the decision, Justice MacLeod observed that there are “many perfectly legitimate reasons why [the CEO] might have to consult his records either to defend himself against allegations of impropriety or simply to answer questions”. The decision does not, however, state, that these reasons were in fact why the CEO made the copies.

In any event, the proposition that it is a legitimate use of confidential or private company data for an employee to make copies “just in case” the copies are needed post-employment seems somewhat tenuous.

As a starting point, to say that the CEO might need to consult “his records” is incorrect; the records were the company’s, not the CEO’s.

Once it is accepted that the records were the company’s, it is difficult to see how the copying was for the company’s use. If the copying was so that the CEO could defend himself in the future, that would seem to be a personal use. If the copying was so that the CEO could assist the company in the future, that still seems questionable, as the company could and presumably would provide access to the information if and when the need to consult the former CEO about it arose in the future.

Further, the copied data included the former CEO’s notes and emails, as well as all documents disclosed to the purchaser during the due diligence phase of the acquisition. One can only assume the copied data included SkyWave’s most confidential and commercially sensitive data. The proposition that it was a proper use of that information for the CEO to copy such important data wholesale and retain it beyond the reach of SkyWave’s technological and other protections is hard to accept, particularly given ever-increasing concerns about data and privacy protection.

Somewhat oddly, the decision is silent on the application of copyright law. Presumably any copyright in the records copied by the CEO and CFO belonged to SkyWave, and copyright law may have provided remedies that contracts and the law of confidential information would not, but for reasons not explained in the decision, copyright was not addressed.

Conclusion

Whether the decision is right or wrong, the practical lesson is that there should be a comprehensive written confidentiality agreement with any employee, officer or other service provider who receives an organization’s confidential or private information Such an agreement should, absent unusual circumstances, expressly provide for the return, destruction or deletion of any copies of the organization’s confidential or private information upon the conclusion of the relationship.