How can I deal with a case of data theft?
April 5, 2007 5:51 PM   Subscribe

I do IT stuff for an NGO based in Belgium. One of the things we do is organise conferences. Recently our director and his assistant left our employment. The day after this they came into the building to clear their belongings. They also sent out an invitation email to a conference we were co-organising - but our name was not on the invite, but a new organisation - one the director has secretly set up. This invitation email was sent from our office, using our software and one of our mailing lists. Additionally, they made copies of our database and all out mailing lists. Legally, where do I stand, what actions can we take?
posted by anonymous to Computers & Internet (4 answers total) 3 users marked this as a favorite
IANAL, and especially IANA (International) L, but I think the answer to your question is going to involve the specifics of any contracts your NGO had with those people by way of employment, as well as employment law in Belgium if they worked there, and of any countries from which electronic access and copies of database contents or software were made. Plus, your NGO may have some liabilities to individuals whose email addresses and other personally identifiable information was "stolen copied," based on your failure to secure that information, even from former officers and employees.

I feel sure that there is recourse, legally. But you need to be in touch with the attorney for your organization immediately, and perhaps the police, if the attorney feels that is advisable.
posted by paulsc at 6:11 PM on April 5, 2007


Mailing list snarfing-and-reuse is a crime in all EU member states under EU data protection regs. I imagine the Belgian equivalent of the UK's Information Commissioner is as sick as any of his/her counterparts at the difficulty of prosecuting such cases and would leap at the chance of getting the numbers up with an open-and-shut case.

Of course, since you held the data, there's a half-decent chance they'd ask how the hell you managed to allow private data to leave your org without authorisation, and then fine your tits off.

So take legal advice - were I the recipient of such spam I'd not be wrong in thinking it was your fault as much as theirs.
posted by genghis at 7:19 PM on April 5, 2007

I think you will have to prove that the data was indeed yours. Did you "seed" the list with names that they could not of purchased from another source? Many times, when list are stolen, the thief will purchase a list and then bounce the stolen list off the purchase list thus only using the names that match the one purchased. Also, was there some kind of non-compete agreement with the other party which specifically mentioned that they were not allowed to compete in the same market?
posted by bkeene12 at 7:35 PM on April 5, 2007

(studied law in Belgium, but I'm not your lawyer, obviously)

First, you need a Belgian lawyer (I can point you to a few if you want, e-mail in profile).

The theft and use of a database is a violation of the privacy laws (Wet ter bescherming persoonsgegevens), and is punishable under penal law. If he sent the stuff after his severance, then the fact that he was in the building and using your resources as well may be punishable by law as well.

If he (they) was still on some sort of severance period with pay (usually between one to three months), his offense may give you the right to stop paying him the rest of the period (ontslag op staande voet) under the employment law.
posted by NekulturnY at 3:20 AM on April 6, 2007

« Older How can I monitor changes to an online PDF simply...   |   How can I find out if a song was in a movie? Newer »
This thread is closed to new comments.