Who’d have thought an 18th-century legal case would be relevant to 21st-century database theft? We have a relatively recent law on ownership of databases, The Copyright and Rights in Databases Regulations 1997, another part of the infosec legal thicket. This law formed the basis of a successful claim for damages against a salesman who pinched customer data from his employer and used it to solicit customers to a competitor. That’s worth knowing about in itself, as a reminder that you can protect yourself legally against this kind of theft, but what tickled my fancy was that the judge cited Armory v. Delamirie from 1722 when assessing the damages.
It’s a short read, but the tl;dr summary is that a chimney-sweep’s boy (yes, really) found a ring in the street, took it to a jeweler’s, and they tried to diddle him out of the value of the stone set in it. The judge found for the sweep’s lad, and since the jewelers had pinched the stone, he decided they should pay the value of the best possible stone that could have been set in the ring, unless they actually produced the missing stone. Nice to see the courts sticking up for the little guy back in 1722.
The point? In a claim of this sort, the damages assessed will be the maximum possible unless the defendant can prove otherwise. So on the one hand, if an employee walks off with your prospect database you can potentially claim for the whole value of the pipeline, since they can’t prove you wouldn’t have won it, and on the other hand, if you’re ever tempted to ‘acquire’ someone else’s customer database, don’t – it’s not just unethical, and illegal, it’s potentially ruinous.
There’s another interesting point about staff walking off with your data. It may be more than just one kind of theft. The ICO clarified this last year, again citing a legal judgement: taking personally identifiable information from your employer is a criminal offence under the Data Protection Act. The fines for individuals aren’t in themselves all that substantial, but the criminal record should be an effective deterrent. It’s worth updating your employee handbook to make this clear, and to remind people that pinching the customer database is criminal from more than just one angle.