Hmmm... I'm not sure what the legal situation would be, to be honest. Breach of a contract/confidentiality agreement (if one exists) would be a civil suit, not a criminal one. At least in Germany; company A could sue their employee for damages, but I don't think Germany has a law stating, "You may not sell company secrets!"

Most countries do have rules on corporate espionage, and this situation is almost a textbook example. Depending on the location, and actual charges, there could be jail time involved.

That is corporate espionage and is INSANELY illegal. The criminal charges alone can warrant a massive fine. I think it starts at a hundred grand and goes up from there. For a company in that particular industry, that alone could kill them.

You make dildos.

That's awesome.

Way to focus on the important part...

The phoning around part is certainly ballsy. Now I gotta find a way to make that into a Shadowrun plot...

If not just plain nutz.

Keep on truckin', pilgrim.

After the TJMax and some other big data breaches in the past year, I think the US is starting to bring in Data protection laws, including rules on notifying the customers/people involved if there was a breach, but I'm not positive how many of them are in effect.

If I recall correctly, up here in Canada, we haven't even gone that far yet (as in a company has no requirement to notify if there was a breach), but there have been rumblings about getting a bill with teeth in that respect put in.

Easy. Corp B is actually running the casino (legit or non) as a front for getting employees of the competition in the doors. Once they have someone hooked, they fix the games so they lead them into a big bet that they lose. They then offer the employee looking at losing everything a deal: data for debt . Add in a few armed guards, some data hacking, and some character-specific goals. Boom, game almost writes itself from there. The group is hired to find out how the data is leaking and stop the leaks.

I think the law applicable is theft, a company's data is a valueable asset after all and selling something you don't own, is a sure way to get the book thrown at you. Data protection laws are fairly strict in Germany, see current conflict with facebook.

This is a huge mess for company A, I don't know whether they have notified all their customers, we knew anyway and handed our evidence aka the email we received to the police. Company B is off the market, the owners are on the run, their employees are hunting for new jobs.

The lid is off in the industry, but it hasn't hit the big media, no gore or something involved, that's why I guess. But there is a lot of thinking and revisioning of policies done, I know we do that. But there's only so much you can do, when you have one bad apple with lots of access privileges in the bunch. There is a lot of uneasiness in many IT departments right now, I know our IT guys were a bit unnerved.

Here's a few doses of reality: Unless things have changed and I don't know (possible, but for this case, unlikely), we don't have anything like the data protection act. We also don't have anything that requires notification of breaches that I know of.

Next up, theft: The person, in this case, made a copy of the data, and sold it. Nothing got stolen. The owner of the data was not deprived of property (they still have it, so not deprived).

Corporate espionage is actually much less illegal than most people think. Why do you think so many places have confidentiality agreements and non-disclosure agreements? If corporate espionage were illegal, such agreements would be a non-item. You could already be prosecuted criminally for breaking the law.

The closest you could get to a violation that I'm aware of is for copyright violation. However, any customer database is simply a list of facts, and that cannot be copyrighted in the USA. In order to be copyrighted here, it must have a creative element, and compiling a list has no creativity (I'll get court rulings if you need it, but the short version is this hurt phone books for a while).

Where they might get him is in the computer fraud and abuse act which prohibits unauthorized access to computer systems. As an IT Admin, though, that's going to be tough to argue. He was authorized to get at the data, and needed to be able to do so for his job.

Screening? How would you screen for this? The person might not have ever gambled a day in his life until after starting the job, and then suddenly finds himself in trouble and needing money. You could pre-screen for the worst of it, but you could also miss people like me. I'm terrible about managing my money, but I wouldn't sell customer info, period.

As for hiring, but providing limited access? That's damned near impossible to do with any commercially available operating system. You have to get into government specialized operating systems to get the level of separation you need to let someone manage the computer without being able to access all the data on the computer.

It all comes down to this: Your IT people can be the most dangerous group in your company. Make damned sure you can trust them before you turn over the keys to the kingdom. Yes, that includes dealing with me. I won't object to your insisting on learning to trust me. I'll actually be glad of it, because you're being responsible. Anybody else will either be glad, or be someone you need to watch a lot more carefully.