Organisational data and the human risk: how safe is your organisation?

Not so long ago, fraud investigators just had to count the cash, check a few documents, sort out who was responsible and then deal with the individuals. That is no longer the case, because we now have to do consider a wider range of possible eventualities and have available to us a range of tools and capabilities just to put a case together because of the legal environment within which investigations are undertaken.

A recent matter before the New South Wales Supreme Court[1] involved a company (Mirus), a senior and trusted employee (Gage) who was made redundant, and the theft and subsequent destruction of sensitive company data intended to circumvent legal proceedings that had been initiated by Mirus.

Factual overview

Let me try and summarise the key points for you:

1. Mirus provides sophisticated IT cloud based information technology to operators of Aged Care facilities.
2. Gage was employed by Mirus related entities from 2011 and was responsible for building the technical platform that underpinned the Mirus business.
3. Gage was made redundant in August 2015 (along with the head of sales Wilson) and his employment contract contained restraint of trade and confidentiality provisions.
4. After Gage left, Mirus became aware that Gage and Wilson were setting up a new business in Aged Care and sought to enforce the non-compete obligations and demanded delivery of all Mirus confidential information (data) and intellectual property (IP) under threat of legal action. Mirus specifically demanded that all confidential information, and personal electronic storage devices be delivered for inspection and required that there was to be no destruction or tampering with the electronic records.
5. Gage formally responded that he was not in possession of any property or confidential information belonging to Mirus. This was later conceded as incorrect and he admitted some confidential information was held on a personal Google drive account.
6. In September 2015, as a result of ex parte proceedings, Gage consented to and was ordered to deliver a range of computing and storage devices containing data and IP and he was restrained from taking any actions that would delete or impede the recovery of the data or IP.
7. A number of devices and a cloud based file transfer account details were provided by Gage to legal representatives acting on behalf of Mirus.
8. IT consultants (the consultants) were appointed and identified a computer that had not been produced and in further Court orders, Gage was ordered to produce it for examination.
9. The consultants also located a number of occasions when specific and large quantities of Mirus confidential data and IP were downloaded or copied onto a number of the devices produced by Gage.
10. The consultants also identified a number of occasions when the identified Mirus data and IP were either deleted or manipulated to prevent identification by Gage, some of which occurred after the commencement of the legal proceedings.

Gage was subject to charges of contempt of Court and after a detailed examination of the facts and legal precedent, the Court held that it was proven beyond reasonable doubt that some of the deletions occurred after the commencement of proceedings and that the deletions were intentional. Some other elements of the contempt charge failed because the IT consultants were unable to specifically identify when cloud based deletions occurred, in circumstances where it found that there was no doubt that Gage’s intentions was the deliberate destruction of that data.

These contempt issues were within the context of the ultimate litigation issue as to whether the conduct of Gage and Wilson had caused loss and damage to Mirus and if those actions exposed them to legal sanctions because of the disclosure of private client information. The most likely remedy available was therefore pecuniary damages.

The Court expressed a view that Mirus had suffered prejudice to the running of their case as a result of the deletions by Gage, because it impeded their ability to prove how the data was used and this made the quantification of losses more difficult.

Most importantly for Mirus, in these preliminary proceedings, the Court held that Gage should not be allowed to deny the allegations that he was in a competing business or that this was his intention. This resulted in a large part of his defence being excluded which has compromised his ability to defend his position.

Gage is also yet to face a sentencing hearing on his contempt charge and has been ordered to pay Mirus’s costs on an indemnity basis.

What are the issues arising

This is an unusual case because the very basis of Mirus’s business activities was being attacked from within and the entrepreneurial efforts of the founding partners appeared to be at risk.

Whilst undoubtedly the Courts will eventually rule on the legal proceedings, Mirus has expended considerable time and resources to protect their business and this would have necessitated significant funding on legal representation in the NSW Supreme Court, investigation and consultants’ costs, and diversion of company resources to support both the interlocutory proceedings and the ultimate litigation issue which is yet to occur.

Mirus’s ability to recover their costs under an order made against Gage will ultimately depend on available assets against which the order can be enforced.

Mirus  has been successful in trying to protect its data and intellectual property but that is not the end of the matter. Even if they are successful in obtaining damages and costs, they would still be at financial risk unless assets are available to satisfy those orders. This is an inherent risk when defendants are individuals capable of legally restructuring their personal financial affairs or have insufficient assets to actually pay what the Courts have ordered.

What are the lessons arising

Without commenting on the specific matters of this case, there are many lessons to be learned:

1. Companies face huge challenges in controlling access to their sensitive data.
2. Trust is no basis for the management of company property, including data.
3. Data is a monetised commodity in the new world of crime.
4. These issues present a new environment for the conduct of investigations which require high levels of skill and expertise. You need to choose your investigators according to their expertise and capabilities.
5. Determined and motivated corrupt/alienated personnel present a specific risk to an organisation and, in some cases, their ongoing viability.
6. Organisations seeking to enforce legitimate rights to protect their business must accept that this involves costs and there is no certainty that any costs order could be satisfied. This risk exposure is difficult to quantify in the event of ongoing litigation in superior courts.
7. Human Resources risks need to be proactively managed during business restructuring.
8. There are cost effective ways of outsourcing criminal risk and this should be considered as part of business planning.

Centium investigations

Financial and corporate investigations are part of our core business and our advisors are highly experienced and qualified people.

Complex issues such as this require the expertise of competent and experienced investigators and advisors. Centium’s team members have over 20 years experience each across a wide range of skillsets including pre and post loss advisory, investigations, data security and protection, intellectual property management and business resilience.

If this case concerns you and you would like to know your susceptibility to the challenges faced by Mirus, please call our Practice Lead: Fraud & Misconduct Management, or any of Directors. Let us share our expertise with you.

[1] Mirus Australia Pty Ltd v Gage [2017] NSWSC 1046