Showing posts with label privacy. Show all posts

Thursday, August 2, 2012

Corporate Espionage: Spying on Your Own Employees

In a recent case (Iskandar Salman v. Ihab Alimi), the Labor Court ruled that an accountant who discovered that his employer had been filming him in his office, without his knowledge, for the last 7 years was entitled to severance pay despite his resignation.

The plaintiff claimed that after 11 years of working for the defendant, the last 7 of which were spent under surveillance, he no longer trusted his employer, and that the employer's surreptitious filming of him at work constituted a deterioration of the workplace environment such that his resignation should be considered the equivalent of a dismissal, entitling him to severance pay in respect of his years of service to the employer. The Severance Pay Law, 1963 states that "Where an employee resigns by reasons of an appreciable deterioration of his conditions of employment, or in view of other matters of labor relations affecting him and because of which he cannot be expected to continue in his employment, the resignation shall, for the purposes of this Law, be deemed to be dismissal."

The plaintiff also sued for emotional distress caused by the invasion of privacy. (In case you are curious, the plaintiff learned of the existence of the camera after the employer returned from his vacation, viewed tapes of the other employees not performing their assigned tasks properly, whatever that means, and called them into his office to reprimand them. It was then that the secret filming was revealed. The employer claimed this was the first time he had ever reviewed the tapes.)

Thursday, July 12, 2012

Proposed Amendments to the Protection of Privacy Law (1981)

Amendments to the Protection of Privacy Law (1981) have been proposed in the Knesset.

The new amendments will provide that:

  • acts done by parents or guardians that would otherwise be a breach of the privacy of a child will not be considered a breach if done for the benefit of the child;
  • "child" shall be defined as one up to and including 13 years of age;
  • someone who purposely breaches the privacy of a minor can be punished by up to 7 years in jail;
  • a person requesting information from a child for inclusion in a database must first receive the consent of the child's parent or guardian;
  • direct mail may not be sent to a child without prior permission from a parent or guardian;
  • requesting information from a child or sending him direct mail without prior consent from a parent or guardian is punishable by up to 3 years in jail.
And an amendment to the Consumer Protection Law (1981) would prevent anyone from exploiting the age of a counterparty to a transaction.

I must say, I think the proposed jail terms seem a bit excessive, especially when, according to the notes to the proposed amendment, convictions under the law do not require a showing of intent or negligence.


It is interesting that "child" is defined as up to and including 13 years old. First, that is the age of adulthood for boys in Jewish law. Second, Facebook does not allow anyone under the age of 13 to create an account, but 13-year-olds are permitted. So under this law, Israeli teens will have a one-year waiting period until they are Facebook legal.

Monday, July 2, 2012

New Draft Regulations for the Protection of Databases

Trade secret theft, corporate espionage, or anything else you want to call it has been getting a lot of press recently. (See here and here.) C. Frank Figliuzzi, the head of the U.S. Federal Bureau of Investigation’s counterintelligence division, testified that based on the FBI data, "economic espionage losses to the American economy total more than $13 billion." See article here. The Center for Responsible Enterprise and Trade (CREATE) recently issued a white paper detailing some of the problems and possible solutions to trade secret theft.

There are a number of weak links in corporations that allow bad actors to steal company secrets: unencrypted networks and databases, hack attacks, and theft of data by employees or contractors. Some companies refuse to completely outsource operations due to the threat of data theft by companies located in the home country of the outsourced plant, so they are choosing captive sourcing instead. In captive sourcing, the parent company builds and operates the plant in another jurisdiction, but it is still subject to the threat of competitors hiring its employees away and, with them, valuable trade secrets. Many countries do not have robust legislation making trade secret theft illegal, giving companies little recourse after being victimized. CREATE has a number of suggestions for companies to help prevent trade secret theft. They suggest that companies:
  1. Conduct a strategic assessment of the company's trade secrets.
  2. Undertake appropriate pre-contractual due diligence.
  3. Employ strong contractual protections.
  4. Utilize appropriate operational and security measures.
  5. Take appropriate action after a business relationship has ended.
Some of the specific suggestions include clearly identifying in contracts what information the company deems confidential, requiring the counterparty to restrict, monitor, and record employee access to sensitive information, and specifying that the company has a right to audit the counterparty to measure compliance. Also, depending on the country, it may be important to have a forum selection clause identifying a friendly forum for any IP or trade secret disputes. Because some countries do not recognize the concept of a third-party beneficiary, companies should also consider entering into confidentiality agreements with key employees of the counterparty. If subcontractors will be used, the company might want to retain approval rights and ensure that any confidentiality agreements flow down to the subcontractor and that any violation is the responsibility of the contractor. Other security measures include monitored physical access to confidential data, encrypted or expiring files, separate computer systems for sensitive information, keeping certain systems disconnected from the internet, and instituting computer use policies to allow the monitoring of data transmissions.


It is interesting to note that in its second version of draft regulations regarding the protection of privacy, ILITA, the Israeli Law, Information and Technology Authority (Israel’s data protection authority) recommended many of the same security measures regarding the protection of sensitive information stored in databases. If formally implemented, the regulations will require companies to:

  1. institute a data security protocol that describes the database structure, access privileges, security measures, provisions for periodic audits and what access privileges subcontractors have been granted;
  2. ensure that its systems are kept in a secure location which prevents access for unauthorized users; owners of medium and high security databases must document all entries and departures from database system facilities as well as all equipment that is taken into or out of those sites;
  3. conduct a security audit at least once every two years to certify compliance;
  4. tightly control employee access to data, and change passwords immediately upon termination of an employee;
  5. conduct periodic training sessions for employees, commensurate with the scope of their duties, on database settings, security procedures, and the data security provisions under the law;
  6. implement a mechanism for automatic documentation that will enable inspection of all login attempts to the system including: username, date and time, scope of access, and components accessed, to be kept for 24 months;
  7. implement automatic documentation of events that raise suspicions of data breaches or unauthorized access;
  8. report serious security events to the Registrar of Databases as well as any steps taken in remediation;
  9. implement security measures that take into account the special vulnerabilities of mobile devices;
  10. disconnect the database system from the Internet or other public network unless appropriate measures are taken to protect against unauthorized intrusion or malware that can cause damage or disruption to the system;
  11. encrypt the transfer of information over a wireless network, public network or the Internet using conventional encryption methods;
  12. segregate systems that access the database from other systems used by the database owner;
  13. explicitly list in a contract with the subcontractor:
      a. The data and systems that the subcontractor may access and for what purpose;
      b. The types of activities the subcontractor may perform on the data;
      c. The term of the relationship with the subcontractor and the subcontractor’s requirement to return and destroy any data upon termination;
      d. The subcontractor’s data security obligations under these Regulations;
      e. That the subcontractor’s employees must sign non-disclosure agreements to protect the security of the data;
      f. The subcontractor’s obligation to include all of the relevant provisions of the Regulations in any contract with any subcontractor of his;
      g. The subcontractor’s obligation to report to the database owner, at least once a year, on his execution of his obligations under these Regulations and to inform the owner of any data security event.

