'Many companies don't classify their data properly or understand where their data is': experts explain risks amid Deel, Rippling lawsuit
A dramatic legal dispute between HR tech giants Deel and Rippling has highlighted a problem that could hit closer to home than many Canadian employers might realize.
The lawsuit, filed in California last week, has Rippling alleging that an employee, acting on behalf of Deel, accessed sensitive internal documents over several months.
The claim alleges the employee was caught by a “honeypot” scheme set up by Rippling’s security team, and further details how he dramatically fled the scene when faced with a court-ordered seizure of his phone.
The case drew a lot of attention — and also serves as a reminder that corporate spying is a real threat even north of the border.
“In terms of employees taking confidential information or collecting information to use to compete, it certainly has happened in Canada, it certainly does happen,” says Michael Comartin, partner at Ogletree Deakins in Toronto.
“I think one of the things that's likely is that it's more technologically focused, but you have case law going back more than a decade of employees setting up competitor companies based on taking client relationships.”
Addressing risk through contracts and clarity
One of the most effective tools for preventing corporate espionage is the employment agreement itself, Comartin says. Yet, not all agreements are created equal – especially when dealing with contractors.
“The implied duties of a contractor under Canadian common law are very different than the implied duties of an employee,” he explains.
“The implied duties of an employee would include that you not misappropriate your employer's confidential information. A contractor is not quite as clear.”
For this reason, employers need to ensure from the outset that contractor and employment agreements are classifying individuals properly, as getting it wrong could lead to complications down the line. This is more than a matter of legal formality, Comartin stresses – it determines whether an employer will have legal recourse if a contractor walks off with sensitive data.
“Address the relationship correctly at the start, to make sure that we've got in place the right contractual terms,” he says, “also understanding what terms will or won't be applied to that kind of relationship.”
Clear written agreements make all the difference
For both employees and contractors, strong written agreements set clear expectations and provide enforceable protections if things go wrong; beyond classification, specific terms of confidentiality and disclosures should be closely detailed to avoid legal vulnerability.
“The written agreement, whether you're dealing with employees or contractors, is really important, because it helps set out exactly what the employer’s protection rights are for confidential information, client information, things like that,” says Comartin.
In some cases, even if there isn’t an express clause, courts may still impose certain obligations in the employer’s favour, especially in traditional employee relationships.
However, Comartin warns that relying on implied terms or common law can leave employers vulnerable, especially with contractors: “This is one of the rare situations in which it’s actually better from the employer’s perspective to be in an employment relationship, as opposed to a contractor relationship, if there’s nothing in the written agreement about the protection of confidential information.”
Why training is just as important as technology
While contracts provide a legal backstop for corporate spying in Canada, day-to-day vigilance often depends on employee awareness. That’s where Ivan Veljkovic, a cybersecurity specialist based in Vancouver, says HR plays a key role in corporate hacking prevention.
“One of the key things I’d highlight for employers to know is the importance of robust security and awareness measures, particularly for sensitive and critical data, employees, security awareness, and third-party vendors and contractors,” says Veljkovic.
“Beyond just using technology like firewalls and encryption, companies should be training employees regularly to recognize phishing attempts which are becoming increasingly more advanced, thanks to AI.”
Going beyond basic principles, HR should be training all employees on everyday cyber hygiene, including how to identify and report cyber threats. This kind of proactive training, says Veljkovic, can help stop insider threats, whether malicious or simply caused by carelessness: “Humans are often the weakest link,” he says.
Vetting employees and contractors for cyber threat prevention
In the Rippling case, the alleged informant was a regular employee based in Ireland, who signed more than one agreement upon hire outlining various obligations of confidentiality.
Veljkovic points out that internal actors – whether permanent staff or external contractors – can create serious risks if not properly vetted. He points to a chilling real-world example: “There's a recent example of North Korean hackers working as contractors for Fortune 100 companies.”
These cases, he says, show just how far nation-state actors are willing to go – and how convincing malicious insiders can appear. Even with robust contracts and seemingly airtight security in place, vetting and monitoring must still remain essential frontline defenses, he says.
Flagging vendors and contractors as another weak link, Veljkovic adds: “There are growing concerns locally about third-party vendors and contractors who may have access to sensitive data but aren’t always as stringent with security protocols as employers might expect.”
Breaches through third parties can lead to a “cascade” effect, he says, exposing the organization to even more risk. Therefore, he notes, “it’s crucial to thoroughly vet these partners and contractors through dedicated security and privacy assessments, and enforce strict security standards.”
Watching the walls: access monitoring and cloud risks
When an internal threat does emerge, it’s crucial that employers know who is accessing what, and why – a point where many fall short, says Veljkovic. He notes that foreign agencies, including governments, have targeted Canadian businesses in recent cyber attacks.
“Various foreign governments, including Chinese state-backed actors, have targeted Canadian government agencies, critical infrastructure, and businesses … engaging in espionage, intellectual property theft, and other malicious activities,” he says.
“With the rise of cloud technology, many companies don’t classify their data properly and may not understand where their data is or who has access to it, which leaves them exposed to serious risk.”
Acting in good faith: corporate spying investigations and enforcement
If insider misconduct is suspected, HR’s next steps must be deliberate and legally sound, says Comartin, warning employers against rushing to judgment.
“If the employer simply goes, ‘Well, this person's downloading a bunch of contracts, they must be intending to compete against us, or they're stealing something or whatever,’ and fires that person, they're going to have a really nasty wrongful dismissal allegation against them,” he says.
Instead, he emphasizes the importance of sticking to a strictly enforced investigation procedure.
“The first thing you'd have to do is actually gather evidence before making accusations. The second thing you would want to consider is making sure that the individual who is accused of doing these things is given an opportunity to respond to these allegations,” Comartin says.
He stresses that this process is crucial not only to maintaining legal integrity for the employer, but also to demonstrating good faith, even if a security team is certain the employee is guilty. Although a honeypot strategy or something like it may seem exciting to execute, it’s not recommended once Canadian employment laws are taken into account.
“Sometimes there is an explanation for this that is innocent,” Comartin says.
“And if it's not an innocent explanation, and they find somebody who actually has done something wrong, then the employer, at the very least, has demonstrated that they acted in good faith and that they did their best to determine what actually happened.”