8 August 2025

Departing Employee, Departing Data: Singapore High Court Clarifies Confidentiality Duties And Offers Lessons For Employers

Withers LLP


The protection of confidential information is a critical concern for all businesses. In today's digital world, where employees can access and transfer vast amounts of data in seconds, the risk of information theft by departing employees is higher than ever. A recent Singapore High Court decision, Hayate Partners Pte Ltd v Rajan Sunil Kumar [2025] SGHC 41, provides crucial insights into the legal protections available to employers and offers a stark reminder of the practical steps needed to safeguard company data.

This update summarises the Court's decision and highlights the key takeaways for your business.

The facts: A familiar story

The case involved a fund management company, Hayate Partners, and its former "Head of Investor Relations", Mr. Rajan. Mr. Rajan's employment contract required him to return all company property and information upon termination and prohibited him from using or revealing confidential information.

Despite the company having IT Security Guidelines prohibiting downloads to personal devices, Mr. Rajan regularly used his personal MacBook and iPhone for work. There was also a dispute between the parties as to whether the IT guidelines were brought sufficiently to the employee's attention. Just before resigning, he downloaded approximately 4,500 files from the company's Google Drive. In the days following his resignation, he downloaded hundreds more files and his entire work Skype chat history.

The downloaded information was extensive, covering investment strategies, client data, business development materials, operational materials, and legal advice. When confronted, Mr. Rajan offered several explanations:

  • He downloaded the bulk of the files to search for his payslips, which he claimed the company had failed to provide.
  • He downloaded another set of files to ensure a smooth handover, even though no handover was requested.
  • He downloaded the Skype logs to gather evidence for a complaint to the authorities against the company.

Hayate sued Mr. Rajan for breach of his contractual duties and for breach of confidence in equity.

The High Court's decision

The High Court found largely in favour of the employer, Hayate. The judgment clarified the interplay between contractual and equitable duties of confidence and demonstrated the court's pragmatic approach to evidence in cases of data theft.

Breach of contract

The Court found that Mr. Rajan had breached his employment contract. Interestingly, the breach was not based on the clause prohibiting the "use" or "revelation" of information, as the Court found that accessing and downloading documents were not prevented under the confidentiality clause.

Instead, the breach was of Clause 6, which required him to "deliver to the Company all... documents, papers, materials... and other property and information" upon termination. By failing to do so (i.e., by retaining the information on his personal laptop after his employment ended), he was in breach.

After Hayate obtained a court order for the inspection of his devices, Mr. Rajan deleted numerous applications, wiping away crucial metadata that would have shown when he deleted the downloaded files. The Court drew an adverse inference from this act of "tampering," concluding it was more likely than not that he had retained the files post-employment to conceal his wrongdoing.

Breach of confidence in equity

The Court also found Mr. Rajan liable for breaching his equitable duty of confidence. This is a significant finding for employers, as it shows that even where a contract is not perfectly drafted, equity can step in to protect a company's interests by imposing additional or more extensive obligations of confidentiality in equity.

The Court established a key two-step inquiry:

  1. Does the contract define the confidentiality obligations? If so, the court will not ordinarily impose more extensive obligations.
  2. However, even if defined in contract, would it offend a "reasonable man's conscience" to impose wider duties? If it does not, equity may still intervene.

Here, the contract did not expressly prohibit accessing and downloading information for non-work purposes. The Court ruled that it would be unconscionable not to impose such an obligation. An employee's authority to access company data is strictly for work purposes, and nothing more. In other words, an employee who accesses and downloads confidential information, when he is not authorised to do so, is a taker and will bear the burden of showing that his conscience is unaffected. Similarly, retaining the confidential information beyond employment would also qualify the employee as a taker.

Under the equitable "wrongful loss" framework, once the employer shows that confidential information was taken, the legal burden shifts to the employee to prove their "conscience was not affected." Mr. Rajan failed to do this:

  • His "payslip" excuse for downloading documents was deemed unbelievable, as he downloaded thousands of unrelated sensitive files from shared drives where personal payslips would obviously not be stored.
  • His excuse of gathering evidence was dismissed. The Court noted that he already had screenshots of the relevant conversations and did not need to download the entire chat history. In any event, the proper course to obtain information for any litigation or regulatory complaints would have been to use legal discovery processes, not to engage in self-help.

Key takeaways for employers

This case is a powerful playbook on how to protect your business from departing employees and what to do when a breach occurs.

A. Strengthen your employment contracts

While equity can provide a safety net, you shouldn't rely on it. Your employment agreements should be your first line of defence.

  • Define prohibited acts broadly: Don't just prohibit "use" and "disclosure." Explicitly state that employees are forbidden from accessing, downloading, copying, transferring, or retaining confidential information for any purpose unrelated to their duties.
  • Define confidential information clearly: Specify what constitutes confidential information, including client lists, financial data, business strategies, operational manuals, and proprietary know-how.
  • Include consequences: State clearly that breach of these clauses is grounds for termination and may lead to legal action, including a requirement for the employee to indemnify the company for all forensic and legal costs incurred in an investigation.

B. Implement robust IT and data security policies

The facts show that weak IT governance creates significant risk. Prevention is always better than litigation.

  • Restrict access: Implement a "need-to-know" policy. Employees should only have access to the data folders and systems essential for their specific role.
  • Control personal devices: Where possible, prohibit the use of personal devices for work and prevent data from being downloaded onto non-company hardware. Implement technical controls (e.g., via Mobile Device Management) to enforce this.
  • Monitor and alert: Use systems that monitor access and download activity, with live alerts for unusual behaviour, such as mass downloads or access outside of work hours.
  • Incorporate policies into contracts: Ensure your IT Security Policy is not a standalone document. It should be explicitly referenced and incorporated into the employment agreement, and employees should sign an acknowledgment that they have read and understood it.

C. Prioritise training and off-boarding

Policies are useless if employees are unaware of them or if they are not enforced.

  • Conduct regular training: Train employees on your data protection and IT security policies. This builds awareness and makes it impossible for an employee to later claim ignorance, as the defendant tried to do in this case.
  • Have a clear off-boarding protocol: When an employee resigns, immediately initiate a clear off-boarding process. This should include disabling access to systems and conducting an IT audit of their activity, particularly in the weeks leading up to their resignation.

Safeguarding your business

The Hayate Partners decision reinforces that courts will act to protect businesses from the unconscionable actions of departing employees. However, it also underscores that the primary responsibility lies with the employer. By adopting a multi-pronged strategy of drafting watertight contracts, implementing robust IT policies, and ensuring consistent employee training and management, you can significantly reduce your risk and place your business in the strongest possible position to act decisively if a breach occurs.

We will be happy to work with your company to assess, identify and mitigate the risks of unauthorised data exfiltration or misuse of confidential information in today's complex digital landscape. By offering strategic counsel on intellectual property and data protection, helping you to draft robust employment agreements and IT policies, as well as providing insight on effective operation practices, we will ensure you will be able to safeguard your business operations and proprietary data. Please do not hesitate to get in touch with our team of experts.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
