In a recently filed case before the US District Court in the Middle District of Florida, Seacoast Banking Corp. alleges that an en masse resignation of top-level executives included those executives taking key customer information with them to their new employer, One Florida Bank. As stated at Paragraph 129 of the Complaint,
“129. While the majority of Seacoast’s customers are based in Florida, some are not. Moreover, many of Seacoast’s Florida-based customers do business in, or have operations in, other states, or even internationally. Through its commercial lending activity, Seacoast also finances numerous customer activities related to foreign and interstate commerce. For these and other reasons, the trade secrets contained in RPS about Seacoast’s customers include trade secrets related to products or services used in, or intended for use in, foreign or interstate commerce.” (Emphasis added)
While Seacoast is rightly taking urgent steps to protect its proprietary trade secret information, it may be neglecting the requirements of the General Data Protection Regulation (GDPR) with respect to the personal data breach of its customer information. Left unaddressed, this could open the door to fines and compensation under the GDPR.
Consider the following. If a customer whose name was in the Seacoast RPS system is a resident of the EU, then Seacoast would be considered a data controller of the customer’s personal data. GDPR has a stringent 72-hour notification timeline in which a data controller must notify the relevant national data protection authorities. Failure to do so would put Seacoast at risk of noncompliance. This risk is significant, since fines and compensation under GDPR could reach as much as 4 percent of global annual revenue! The monetary risk may be mitigated by the fact that the data breach was the result of actions for which Seacoast was not responsible, but this does not exempt it from the notice requirement.
Even more to the point, it is alleged in the complaint that One Florida Bank paid its new employees over $1.4 million in signing bonuses, but its liability for whatever role it may have played in the data breach that preceded the hiring of those employees may be considerably higher. Finally, the individual employees themselves could face fines and compensation claims for initiating the breach.
This case highlights the need for a multi-pronged approach to data breaches. Not only does it require immediate action to limit the extent of any disclosures that could damage an organization’s IP portfolio, it also should include a notification process that is both rapid and comprehensive. On the opposite side, this case shows that coordination between the legal/IP function and the HR function is critical in order to avoid hiring decisions that can damage an organization far more than they can help.