
When Teams Resign: How Private Equity Sponsors Investigating Breaches Can Create New Ones

The investigation paradox

In our last two posts, we covered the immediate response to coordinated employee departures (garden leave, IT lockdown, device collection, client protection, employee interviews) and how forensic investigations should be conducted to identify evidence of breaches. By this stage the employer has followed the playbook: access has been suspended, emails reviewed, download logs analysed, and comprehensive client lists requested.

But there's an uncomfortable irony that emerges at this stage: the very act of investigating suspected breaches of restrictive covenants may itself create regulatory breaches if data protection obligations are mishandled. And in making allegations against employees, the employer may itself inadvertently breach its confidentiality obligations.

For PE sponsors whose portfolio companies operate in financial services, the stakes are particularly high. In this post, we will therefore address how to investigate employee breaches without creating new and unanticipated problems.

The GDPR dimension

When departing employees take client data, the employer faces a potential personal data breach of its own under UK GDPR, quite apart from any breach of contract by the employees. If the affected clients are natural persons (or the records contain personal data of individuals at corporate clients), the employer must assess whether the incident is likely to result in a risk to those individuals and so must be reported to the Information Commissioner’s Office (“ICO”). Any such report may have cascading effects: an ICO notification may trigger reporting obligations to the FCA, and the breach may need to be disclosed in regulatory references if the departing employees are senior managers or certified staff under the Senior Managers and Certification Regime (“SMCR”).

The temptation is to conduct a thorough investigation before deciding whether to report. But the clock runs from the moment the employer becomes aware of the incident, not from the conclusion of the investigation: a notifiable breach must be reported to the ICO without undue delay and, where feasible, within 72 hours, and delay beyond that may itself be a breach. Where the full picture is not yet available, the report can be made in phases and supplemented as the investigation progresses. Data protection advice should therefore be sought from specialist counsel at an early stage if client personal data has been compromised.

Sharing data with external investigators: proceed carefully

Your forensic investigation may require sharing employee data with external e-disclosure vendors or investigators. But employees' personal data (home addresses, email content, device logs and the like) is itself protected. The question is: what lawful basis permits you to share it?

In such cases, the employer’s starting point should be to consider the employee’s employment contract. Does it contain or incorporate data protection policies that explicitly authorise sharing employee data with external advisers for investigating suspected breaches? If so, the employer should ensure that it has complete records of which policy version applied when each employee signed their contract. Relying on policies that weren't actually incorporated could itself be a breach.

If the contract and incorporated policies are silent, the employer still needs a lawful basis under Article 6 of UK GDPR for sharing the data. In practice that will usually be legitimate interests under Article 6(1)(f) (investigating and pursuing suspected breaches of restrictive covenants), which requires a documented balancing of the employer's interest against the employee's reasonable expectations. Article 9(2)(f) is a separate, additional condition that applies only where special category data (for example health or trade union membership) is caught up in the material; it permits such processing where necessary for the establishment, exercise or defence of legal claims. In either case, the specific types of data and processing purposes must be defensible as necessary and proportionate. Sharing an employee's work inbox with a forensic analyst is qualitatively different from sharing personal contact details with investigators examining their broader network. Keep an audit trail of these decisions, recording what was shared, with whom, on what basis and why it was necessary.

Consider also where the external recipients, and the servers they use, are located. Transfers of personal data outside the UK to a jurisdiction not covered by UK adequacy regulations require a recognised transfer mechanism (such as the ICO's International Data Transfer Agreement or the UK Addendum to the EU standard contractual clauses) together with a transfer risk assessment, and this should be settled before any material is uploaded to a vendor's platform.

The confidentiality boomerang

In the employer’s eagerness to establish that employees breached confidentiality obligations, it may inadvertently breach confidence itself. The risk of this occurring may be particularly acute in the context of pre-action correspondence.

Example: it appears that departing employees are aware of internal developments that occurred after their resignation, during a period when they were prohibited from contacting other employees. If the employer sends identical letters to multiple leavers alleging this, it may disclose confidential information to leavers who did not previously know about those developments. In those circumstances, they may credibly claim that the employer breached confidence in its own correspondence.

The solution: maintain strict communication trails for each leaver separately. Tailor allegations to specific evidence against specific individuals. Never send blanket communications to groups of leavers that might disclose confidential information some of them didn't already have.

FCA considerations

Employers in the financial services sector should remember that the manner in which they handle client data during an investigation may itself require disclosure to the FCA. The regulator expects firms to demonstrate lawful processing, fair treatment of clients, and adequate systems and controls. It follows that even where an employer’s substantive case against an employee is strong, an investigation that is not conducted consistently with data protection rules may create a separate regulatory problem.

Practical guidance for sponsors

Ensure portfolio company management understands that investigations into employee breaches must be conducted properly. The investigation itself must comply with data protection law, contractual confidentiality obligations, and regulatory requirements. External lawyers and forensic vendors should advise on appropriate data handling, and every processing decision should be properly documented.

In our next post, we'll address why an employer’s restrictive covenants may be unenforceable if they're inconsistent across a departing team.