Employee Theft Gives A Lesson In Data Security

Written by: Richard Sheinis, Esq.

The Georgia Court of Appeals just issued an opinion in a case that provides a good lesson on the importance of protecting data against employee theft. In Lyman v. Cellchem Int’l, LLC,¹ two former employees of Cellchem were accused of using a thumb drive to copy confidential computer files, including financial data stored in QuickBooks, from a laptop provided to one of the employees by Cellchem.
Whenever an incident like this occurs the question to be asked is could the business have done anything to prevent this theft. Every business is different because of various logistical, operational, budgetary and industry considerations and limitations. The problem that I often see when talking with businesses is that very few even consider employee theft as part of a data security program. All the data, whether it be customer data, credit card data, intellectual property, is open to everyone in the business without segregation or access limitations. The complaint I often hear is that the business cannot operate if restrictions are placed on data access.

The underlying lesson is to consider the potential of employee theft of data as part of any data security plan. Creating a data security plan is a fine balancing act between security, and business operations. Data security should not be so strict that it chokes the business’ ability to operate. That being said, a business should consider limiting employee access to just the data needed for the employee to perform their job. In our mobile environment when it is so easy to download and transport huge amounts of data on portable devices and media, think about how this type of theft can be prevented by disabling USB ports, monitoring downloads, or allowing downloads only on encrypted media, which can then only be decrypted by certain devices owned by the business.

Creating a good data security plan that considers the possibility of employee theft might seem like a “hassle” on top of all the other demands of running a business, but it is certainly better than ending up like Cellchem.

1. Lyman v. Cellchem Int’l, LLC, A15A1282 (January 5, 2016).