02 Mar 2016

CU LAB: When employees walk, does your confidential information go with them?

There are ways to minimise the risk to your corporate confidential information, says Richard Hoad.

Related Knowledge

Get in Touch

Get in touch information is loading


Clayton Utz communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication. Persons listed may not be admitted in all States and Territories.


Employees taking confidential information when they leave a business is a real threat and it's a threat that's really increased over recent years. The reason for that is essentially technology but the advent of a "bring your own device" approach to workplace communications has been significant in this regard.

It's not something we can really move away from but the reality is it's brought with it an ability to take confidential information that's been not present to the same extent in years before. Every employee will have a mobile phone, a tablet or a laptop or even just access to USBs that make removal of confidential corporate information much easier than it's ever been. There was a survey a few years ago that indicated that as many as 50% of people admit to emailing confidential corporate information to their personal email accounts, 41% admitted to doing it on a weekly basis, so that's obviously significant. Fifty percent of people admit they download corporate information to their personal devices and 50% of people admit that they will take confidential information from their employer when they leave the business and 40% say they'll actually use that information for their new employer.

While there are some things that you can do to protect your confidential information but the flipside of the ability of employees to take things easily is that it's easy to monitor that as well. But it's obviously much more preferable to be proactive rather than reactive and there are some things that you can do to try and protect your business.

The key to it really is to treat confidential information in a secure manner. You should build a fence around your corporate confidential information and keep access to the gate under control. There are a number of ways you can do that. The first is to actually know what you've got inside the gate so you should do an audit on a regular basis to work out what confidential information you have in the business and you should control access to it as well. It's important that you take advantage of the technology so to use access controls on documents and to monitor them as well, to actually check what access has been had, to use security controls to make sure certain documents are only accessed by certain people. You should do the simple things as well, so if a document's confidential mark it as such rather than just assuming everyone will recognise it as that. The way you treat confidential information in your business will be relevant. Hopefully this will never get to a court, but if it did it would be relevant to how a court would consider the information and whether it would be treated as confidential.

The final thing you should do is really to review your corporate policies and employment contracts. You should make sure that the employment contracts are actually tailored to the individual. One size doesn't fit all and the way you describe confidential information should be relevant for the person's role that they perform in your business, so not generic and the same applies for restraints on competition and non-solicitation clauses preventing someone from soliciting employees and clients. They should be tailored to the individual and the responsibilities they perform partly to reinforce the enforceability of those obligations but also to make sure that everyone knows where they stand.

Before an employee leaves you should make sure that your corporate systems are in place to deal with people who leave when they've had access to confidential information. The first thing you should do when someone leaves is to have an exit interview with them, and remind them of their obligations of confidence and make sure that they understand their obligations. You should remove from them any corporate mobile communications devices, whether they're laptops or smartphones or tablets, and if they are under a "bring your own device" policy and use their own devices you should take that from them, remove the corporate confidential information from it and hand it back to them.

The third thing you should do is once you've done that is quarantine that information that you've removed, and quarantine the systems that they use, the communications devices they use, the computer they use, because that could become very relevant down the track if you do become concerned about activity they've been involved in.

The final thing is if you do become concerned to act on those concerns. Don't let it slide, actually take action. Do so swiftly because the sooner you can take action the more likely you are to contain the problem if there is one.