14 Mar 2013
How to stop your confidential information departing with your employees
by Richard Hoad
Your business should have standard protections for confidential information and procedures for dealing with departing employees who have access to it.
Departing employees have always presented a real threat to the protection of corporate confidential information. The increasing pervasiveness of personal electronic devices (such as laptops, tablets and smartphones) and changes in corporate policy (in particular, the movement to a Bring Your Own Device approach to mobile devices in the workplace) mean that the threat has never been greater. But there are steps that you can take to minimise the risks.
How real is the threat?
A recent Ponemon Institute study of intellectual property theft found that:
- more than 50% of employees admit to emailing business documents to their personal email accounts (41% say they do so once a week);
- 41% of employees admit to downloading business documents to their personal tablets or smartphones;
- 37% of employees admit to using file sharing apps (such as Dropbox or Google Docs) without their employer’s permission;
- 50% of employees admit to taking confidential information when leaving their employer; and
- 40% of employees say that they will use a former employer’s confidential information in their new job.
Of course, some of this conduct will be perfectly lawful – at least, at the time it was done. For example, an employee may email documents to their personal email account to work on them from home in the ordinary course of their employment, and their employer may not have a workplace policy which prohibits the employee from doing so. But even in such cases, unless those documents are deleted from the employee’s personal email account when the work is finished, they could be a ticking time bomb: they will be available to the employee well after they have left your employment.
The unfolding threat: social media
A classic example of corporate confidential information is the customer or supplier list. A large proportion of cases which go to court relate to such material.
Of course, it is now commonplace for employees to maintain contact lists in social media accounts (eg. LinkedIn connections and Facebook friends). How the law will treat such lists is an unsettled question. It may well depend upon the employee’s privacy settings: if their connections or friends are visible to anyone who accesses their social media page, it would be difficult to argue that such a list is confidential. This is an issue which should at least be considered in developing corporate social media policies, although it may not be practical for various reasons to impose restrictions on employees in this regard.
Even such an apparently mundane thing as employees updating their social media status with their new employment details could well amount to a breach of a non-compete or non-solicitation agreement. As a number of cases have reminded us recently in different contexts, interactions via social media carry exactly the same ramifications as interactions by more traditional means.
So what can my business do to protect its confidential information?
It’s important to build a fence around corporate confidential information, and keep the gate shut:
- Know what’s in the fence by conducting regular audits. If you don’t know what confidential information is held within your business, you can’t properly develop, commercialise and protect it.
- Do the simple things. If a document is confidential, mark it as such.
- Record and share the confidential information as appropriate. It’s no good having one employee who is too valuable to lose because they hold key confidential information in their head.
- But limit disclosure to those who need to know. The more valuable the confidential information, the more limited its disclosure should be. Put in place systems to restrict access (eg. use password protection or user access controls for electronic data).
- Monitor access and use. It’s no good having systems in place to control access if those systems are not used. Again, the more important the information, the more rigorous the monitoring should be.
- Review employment contracts and policies. It’s important to ensure that employment, contractor and other relevant agreements impose appropriate obligations of confidence. These obligations should be tailored to the employee – one size does not fit all. Generic descriptions of confidential information should always be supported by a schedule setting out specific examples of confidential information to which the particular employee will have access. It is best practice to have a mechanism to update that schedule as new confidential information is developed and as the employee’s role changes – and, of course, remember to update it!
What do I do when an employee resigns?
Your business should have standard procedures for dealing with departing employees. Amongst other things, those procedures need to deal with the issue of corporate confidential information:
- Remind employees of their obligations. At the exit interview, remind the employee of their continuing confidentiality obligations.
- Require employees to hand over devices. Require the employee to hand over personal electronic devices (laptops, tablets and smartphones). If the device is the employee’s, remove corporate confidential information and then return the device to the employee.
- Quarantine systems. Particularly where the employee leaves to go to a competitor or to start up their own competing business, quarantine the former employee’s computer (and corporate laptop, tablet and smartphone) for a short period following their departure. If you later become concerned that the employee may have taken confidential information with them, a forensic analysis of computer systems will be critical in determining what action to take next.
- Investigate concerns and take swift action where appropriate. Importantly, if you are concerned that an employee may have taken confidential information, seek legal advice and take swift action to prevent the information being used or further disclosed. Once the information becomes public, the horse has bolted.
This article is based on a CLE presentation at our Melbourne CLE Intensive, prepared by Chris McLeod, Richard Hoad and James Neil.