Locking yourself out of a digital account is one of the banes of modern existence at home and work alike. Where a business relies on individual employees’ personal accounts for access to its digital assets, the potential to lose access and control presents significant operational and reputational risks.
The recent case of Grow MF Pty Ltd v Parthy [2023] FCA 442 is a timely reminder. The respondent had been the Chief Technology Officer of the applicant, a software development and services business, and controlled various of the business’ digital assets through personal accounts and administrator access. Upon leaving, amidst allegations of ‘gross misconduct’, the former employee removed access for the business’ staff to critical assets, including the business’ GitHub source code repository and development environment.
Aren’t we just talking about logins here?
The applicant business in Grow MF v Parthy submitted to the court that its inability to access its accounts was putting at risk a prospective deal worth $500,000 to $750,000 and otherwise preventing the business accessing critical operational tools. While the former employee made certain claims relating to his intellectual property rights, the court was satisfied that regardless of the outcome of those claims, he had no right to prevent the applicant from accessing the various business accounts. The court granted detailed interlocutory orders to enable the business to regain control over the accounts.
The Federal Court of Australia file relating to the case shows the business received the interlocutory injunction orders two days after filing its first application to the Court, with the former employee having a further two days to comply. Assuming some time to consult legal counsel and prepare the application, this amounts to at least one week in which core business assets were unavailable.
In this case, it appears that the business’ assets remain in place and can be restored to the business. But it only takes a small leap to imagine a disgruntled employee destroying data, publishing a damaging social media campaign or spreading misinformation to customers or prospects.
Where to look for personal accounts
Cloud-based platforms
Businesses increasingly use externally hosted platforms to store, access and use critical, day-to-day information and tools. The founders or early staff of a startup or SME may very well have used personal details or accounts to establish the business on such platforms. As demonstrated by Grow MF v Parthy, an individual in this position holds considerable power over the business if they walk – or are pushed – out.
Recovering those assets may necessitate seeking a costly and time-intensive court order. If the court cannot be satisfied that there is an urgent need for the accounts to be handed over, it may refuse to grant an interlocutory order, meaning those assets may remain inaccessible until the completion of a full trial process.
Social media accounts
Many businesses build significant brand presence via social media platforms, but social media accounts are frequently controlled exclusively by a marketing or social media manager. That individual then has control over the account name, profile and content of the feed.
Although the capabilities for reporting content to social media platforms has certainly improved in last 5-10 years, the timing, quality of response, and extent of action taken by each platform varies, and a company may have little recourse to the platform if the issue has arisen from an internal dispute (ie an individual abusing their role).
Domain name registration
Domain names are managed by businesses called Registrars, with the holder/licensee of a domain names being the domain name Registrant. Domain names are very commonly registered/licensed in the name of the founder, IT manager, or even an external IT consultant or web designer to a domain name, and practically controlled through a Registrar account, usually with one primary login.
If the individual in charge of your domain name portfolio ceases to be involved with your business, then you may encounter issues with:
- proving you have rights to the relevant domain name licences;
- updating your domain names to list the company/another individual as the Registrant (noting that this generally requires access to a Registrant email address); and/or
- practically controlling your domain names in the Registrar account, noting that your domain name portfolio could also potentially span across multiple Registrars.
Practical steps to protect your digital assets
It is difficult to avoid all personnel risk, particularly when an individual is acting in bad faith, however these practical steps can mitigate your business’ exposure:
- Document and distribute clear policies requiring all digital assets to be:
- where possible, held in the name of the company not an individual;
- registered using generic company email addresses so that any ‘forgot password’ emails or attempts to update old employee details can be accessed centrally;
- under the control of at least two administrators, with passwords reset immediately on departure of any administrator;
- in respect of domain names, managed by one Registrar (where possible);
- Conduct regular audits of your online presence to determine the extent of accounts which are being used/purporting to be used in connection with your business to ensure they comply with policy;
- Check employment contracts to ensure they require compliance with company policies, including in relation to digital assets; and
- Obtain written assignments of any individual rights in works underpinning your brand.
HWL Ebsworth’s IP and Technology teams have extensive experience in advising and assisting clients with management of their digital assets, social media accounts and domain name registrations. If you would like assistance ensuring appropriate control over the digital assets in your business, please get in touch to discuss.
This article was written by Nikki Macor Heath, Special Counsel and Annabel Bramley, Solicitor and reviewed by Luke Dale, Partner.
