Friend has done something stupid

[TigerStripe]

A friend recently left her former place of work, where she'd been for 3 years. She has started up on her own. I guess she is now a competitor with her former employer, as she offers some of the services they do, although on a much smaller scale.

About a month after she left, she logged into her old work account from her home computer (it hadn't been deactivated), and basically stole the email addresses of her former customers. She then emailed them, saying she had left, and that she knew they would still continue to receive the same excellent treatment at her former work place. She then gave her personal contact details in case any of her 'private customers' needed to contact her.

One of the people she emailed immediately complained to her former employer, giving them a copy of the email. She received an email from a senior manager saying they were investigating and asking her to respond within 72 hours. 36 hours later she received a registered letter from their legal department.

My friend fully accepts how stupid she has been. She has written back to the manager to say this and to apologise. She has assured him that all customer data has now been deleted. She never signed a contract all the time she was there.

I have tried to give all the information I know, without being too specific with any details that could identify her. I would be very grateful if anyone with experience could let me know what can she expect to happen now? Does anyone have any idea of what the worst possible outcome would be for her?

Thank you so much in advance.

Might be better transferring this into the employment thread.

Chances are the ex employers won't want to get tied up with lawyers, but what did they actually say/threaten? She has already admitted it (she could have kept quiet as email addresses are get-able, so not impossible to compile a list), and it is not good business that she did this - although she didn't slag off her old company not directly canvas for work.

I assume the old firm is angry and pissed off that they received a complaint, they are not financially out of pocket because of this, but she needs to ask them what are the next steps and if they intend to take the matter 'further'.

I hope she's ok - a minute of bad judgement (as they say). Maybe the CAB can help.

Thank you both. I will also post in employment.

Frontpaw, I have just sent a message to ask her what today's letter said & will let you know when she gets back to me. I can't quite remember. One thing I do remember is that they say they checked when she accessed the database and that it was after she left the company (don't they have a duty to protect their clients' data?). I know that on the back of receiving that letter, she emailed the manager to say how sorry she was, that she realises what she did was wrong.

Yep, a minute of bad judgement She's a really lovely lady and I would hate for this to cause her too many problems. She's in bits, imagining all sorts at the moment.

The company holding the data is obliged, under the Data Protection Act 1998, to take steps to ensure that the data is, amongst other things, kept securely and not used for purposes other than for which it was obtained.

The company, therefore, is in breach of the Data Protection Act.

Your friend is possibly guilty of obtaining the information illegally, but could I suppose argue that she had assumed that if she was not supposed to access the information, the company would have taken steps in the month since she left to try and stop her.

I am not in any way qualified though.

True, unless she signed an exit form saying that she was handing in all phones, computers, passwords, etc... Still, the company won't want a big stink about it as it will be bad PR for them. I wonder what they told the person who complained? If they have told them that the list was accessed by a third party, then they look foolish.

Yes, you do have to protect data so that it can't be accessed (easily) by a third party. They did not take reasonable steps to ensure that it could not be viewed/downloaded by a someone outside of the business or not working on behalf of them. But this happens all the time, really it does! Technically, you aren't even supposed to email sensitive data, but everyone does.

I am sure they just want to 'punish' her for puting them in a spot, and won't take it further (hopefully). She must feel terrible but she does need to know what they are planning, now that the ball is in their court. She may want to think about offering to make amends for her 'rash' judgement call (doing something that she now realises was wrong).

I am not a data bod but have worked in financial places using data bases and mailing lists, so know my way around issues. I would be raging if I worked for the company, but wouldn't be out for blood - someone internally will be getting their bums kicked on the back of this.Your friend will know herself if it is the type of company who will want to drag her through the mill or not. To her credit, she didn't offer cheaper services or in any was bad mouth her ex employer, so that can only be in her favour.

Just spoke to my friend. She said that the letter she received this morning stated that it would be investigating an allegation of theft. It referred her to a leavers' letter which outlined all the stuff around NDA, personal data, etc. But friend claims she never received this - I believe her as the admin there is shockingly bad. The letter also stated that it had records showing she access the system a month after she left the company. I agree that this leaves them open to not applying best practice to protect clients' data.

Hopefully Frontpaw is right and this was designed to just put the frighteners up my friend and they won't take it any further.

They would need to produce a signed copy of the letter. What exectly did they say - internal or external investigation? Hopefully they are not going to be vindictive - was any oif the data sensitive?

Potentially her former employer could take it to the police and have her arrested. She probably will get let off with a simple caution but this could cause problems if she ever has to work on projects where full security clearance is required. This happened to a family member - accessed data left on unsecured FTP sites after left company. Was all to support his employment tribunal which he was taking them to for constructive and unfair dismissal. Police turned up at his new place of work and arrested him. They were actually lovely, very understanding when they saw 'why' he did it as like I said, got a simple caution. His old employer chose not to prosecute as we could have had them for soooooo much but it could have turned out much worse. So I think your friend needs to make amends to minimise any chances of them taking it further.

From my law degree days I thought I remembered that you cannot under the Theft Ct 1968 steal information. I even impressed myself by remembering the case that established this - Moss v Oxford. I think she is liable but not under the Theft Act. The fact that the letter refers to an allegation of theft maybe suggests her ex employer is trying to scare her rather than seriously considering any action.