Court case highlights importance of robust offboarding and device policies to prevent data breaches
When an employee with access to sensitive company data leaves, the risks of data loss or misuse can escalate—especially if that employee is located outside Canada.
A recent U.S. court decision involving Pliteq, a Canadian company, and a former executive based in Dubai, underscores the challenges and best practices for HR professionals managing offboarding in a global context.
The Pliteq v. Mostafa case, heard in a District Court in Florida, revolved around allegations of trade secret misappropriation and breach of confidentiality following the executive’s termination.
The court ultimately denied Pliteq’s request for a preliminary injunction, in part because the company could not demonstrate imminent, irreparable harm, and because enforcement across borders is inherently complex.
Looking at the case from a Canadian employment law perspective, Jenson Leung, employment lawyer at KSW Lawyers in Vancouver, explains the complications involved in enforcing data breach compensation from employees in other jurisdictions.
“The company would need to retain a lawyer in that other country to take steps to enforce on the judgment that they've received in Canada,” he explains.
“Basically, it adds to the cost and complexity of the case, and it also makes recovery a bigger question mark, as opposed to if they're dealing with a Canadian employee that, for example, has a house here in Canada.”
Device policies and digital safeguards
The Pliteq decision detailed how the company’s data was stored in cloud-based systems, but also revealed gaps in device control and employee offboarding policies. The executive in question had broad access to confidential files, which were downloaded to a personal laptop and synced to personal cloud accounts.
Leung explains how the mingling of work and personal data complicated both the investigation and the company’s ability to recover its information – he advises how policies around device use can be helpful to mitigate.
“Policies where, depending on the size of organization or the type of role, sometimes it's a perfectly valid approach to say that all work-related information can only be kept on work issue devices,” he says.
“That way, the company and their internal IT has full control over who can access or alter that data. You can have a lot more in terms of digital safeguards in place if it's on a work device, compared to if someone's using a device for both work and personal.”
Tailoring policies to organizational needs
The court’s analysis also emphasized the need for companies to take “reasonable steps” to protect trade secrets, including limiting access, enforcing strong passwords, and promptly terminating access upon departure.
However, since the effectiveness of these measures depends on the organization’s size, sector, and the sensitivity of the data involved, Leung cautions against a one-size-fits-all approach.
“Different organizations, both in terms of size and in terms of what they do and what data they handle, are going to have very different risks that they need to deal with,” he says.
“The main general advice I would give is to not rely blindly on a one-size-fits-all template policy, and to not blindly apply policy without actually thinking through the implications or implementation of that policy in their organization.”
Timing and process: cutting off access
A key lesson from the Pliteq case is the importance of timing in offboarding procedures. The company discovered the data download after the executive had already left, and its efforts to recover or verify deletion of the data were hampered by delays and lack of direct control over the devices.
To counter this, Leung recommends limits on employee access to data as a basic best practice. Immediate revocation of access can prevent unauthorized downloads or transfers at the critical moment of departure.
“Having procedures in place for making sure that, for example, data is cut off ideally right before a termination letter is sent out, is probably one of the basic best practices.”
Seniority and legal response
The Pliteq decision detailed that the executive’s seniority and broad access heightened the company’s concerns. Leung notes that courts may be more willing to intervene when high-level employees are involved, but only if there is clear evidence of misuse or imminent risk.
“As a general rule, the more senior the employee is who's misusing the information or taking the information, the more likely it is that the courts will be likely to step in and to prevent that, or to punish that after it's happened,” he says, adding that early legal advice can help employers act quickly and effectively.
“I would say that the earlier that a lawyer is involved in that process, the more options might be available to the employer.”
Investigation, monitoring, and prevention
The court heard forensic evidence about cloud syncs and deletions, but ultimately found no proof of ongoing misuse or imminent harm. According to Leung, the intersection of IT and HR is increasingly important in managing data risks. For HR, he says, this means working closely with IT to monitor for unusual activity and to investigate potential breaches.
“Sometimes there's quite a bit of overlap between the IT side of things, which is what safeguards they can implement to even flag that type of behaviour in the first place, and then the employment law perspective, which is what employers can do to prevent and also to deal with it,” says Leung.
Ultimately, the Pliteq case demonstrates that prevention is far more effective and less costly than trying to recover data or enforce judgments after the fact, especially across borders.
“At the end of the day, prevention in the form of contracts and policies, and even having proper offboarding procedures – all of those are going to do a lot of the legwork,” he says.
“They're well worth the investment compared to the amount that it would cost to try and deal with the damage after it's already started.”
