By Howard Levitt and Puneet Tiwari

In an era where a single data breach can undermine trust and compromise an entire business, vigilance is not optional — it is essential

Since the pandemic made Zoom a household name and the initial default platform for any meeting, workplace technology has made unprecedented advancements. Many employees now perform their duties without ever leaving their homes. With the rise of artificial intelligence and cloud-based software, new systems can be deployed with a few clicks, making it easier than ever to do one’s job from anywhere. But alongside these technological gains, improvements in cybersecurity and employee monitoring have also made it easier for employers to oversee their workforce.

Despite the latter developments, employees continue to access and misuse sensitive workplace information with little deterrence. As technology has evolved, so too has employee creativity — including the ability to establish competing businesses within days, thanks to downloaded trade secrets and client lists.

This new reality highlights the need for employers to remain vigilant in protecting their assets, both physical and electronic. The recent Air Canada gold heist, allegedly carried out by employees, is one high-profile example. The theft or misuse of electronic property is becoming more prevalent, and recent case law demonstrates that it justifies dismissal for cause.

Historically, dismissal for just cause — the employment law equivalent of capital punishment — was reserved for the most egregious offenses: theft, fraud, violence, or breach of trust. Employers and legal professionals have been cautious when recommending dismissal for less overt actions, such as downloading company documents. However, what may seem like an innocuous act — an employee emailing documents to their personal account — can, upon closer inspection, be far more nefarious.

In the case of Arora v. ICICI Bank Canada, the bank’s IT team detected an assistant vice-president, Mr. Arora, sending a large number of emails to his personal account. Upon investigation, it was revealed that these emails contained confidential client information. The subsequent formal investigation uncovered even more alarming conduct. The employee had sent himself proprietary bank information regarding new financial product ideas, incorporated a competing company, offered his services to rival banks and recruited two colleagues to join his venture.

Throughout the investigation, the employee was uncooperative. Based on these findings, the bank concluded that he had breached its policies and code of conduct and terminated his employment for cause.

Following a six-day trial, the court upheld the bank’s decision, concluding that the termination for cause was proportionate to Mr. Arora’s misconduct, even though he was not found to be a fiduciary — i.e., a senior executive owing a particularly high duty of loyalty to the bank. Not only did he receive no compensation, the court ordered Mr. Arora to pay a portion of the bank’s legal costs.

The bank handled this situation by adhering to best practices, beginning with effective security measures. After discovering the security breach, it conducted an investigation, including interviews with Mr. Arora, and ensured that all findings were meticulously documented. These records proved crucial.

For employers, this case offers important lessons:

1. Implement effective security measures

Had the bank’s IT team not detected the unusual volume of emails, the employee might have gotten away with it. The bank’s ability to track what was being sent and how often helped mitigate potential damage. Employers should ensure that they have tools in place to monitor suspicious activity, such as large attachments or emails sent to personal accounts. The days of unrestricted employee email use are long gone, even for smaller companies.

2. Establish and communicate clear policies

Mr. Arora was unable to argue that the bank had condoned his behaviour or that he was unaware of the rules. The bank had clearly defined data security policies, including those governing confidential client information, and these policies had been reviewed with Mr. Arora. He was fully aware that his actions were prohibited, and the bank was able to prove it. Employers must ensure that policies related to sensitive data are well communicated and consistently enforced.

3. Conduct thorough investigations

While some investigations are superficial, this case demonstrates how critical a well-conducted investigation can be. The bank documented its findings and gave Mr. Arora the opportunity to explain his actions. His refusal to co-operate only strengthened the bank’s case, highlighting his dishonesty and untrustworthiness. But, to the point, the investigator should be an internal employee who understands the bank’s IT systems and rules, not an outside lawyer who does not.

In today’s digital landscape, safeguarding sensitive information is not just a matter of operational efficiency — it is essential to maintaining corporate integrity. Physical security measures, such as locking documents in a safe, are no longer sufficient. Employers must implement robust electronic safeguards and develop comprehensive strategies for detecting and investigating breaches of data policies.

Had ICICI Bank of Canada not acted diligently, the outcome could have been detrimental. The judge noted that, without just cause, Mr. Arora would have been entitled to 18 months of reasonable notice — a financial and reputational blow of which this case serves as a stark reminder: the cost of inaction far exceeds the effort required to implement strong internal monitoring systems and conduct thorough investigations. In an era where a single data breach can undermine trust and compromise an entire business, vigilance is not optional — it is essential.