Devising protocols to protect the lifeblood of a company is a worthwhile investment. To adequately protect confidential information, employees must be deterred from pillaging a company’s valuable information. Equally important, an employer must take adequate steps to protect the information so that it will be deemed confidential and proprietary by a court or arbitrator if litigation ensues.
Proactive Steps to Protect Your Confidential and Proprietary Information
The more measures a business implements to protect its confidential information, the more likely a court will view the information as worthy of protection. Following are recommended practices. Naturally, the practical reality of your business operations may not allow you to implement all of them. But again, the objective is to give your personnel numerous and frequent reminders to deter them from stealing your valuable information and to design a variety of barriers to prevent such theft.
- Require all personnel to sign a restrictive covenant agreement as a condition of employment. There are generally four types of restrictions: non-competition, non-solicitation, assignment of employee inventions, and confidentiality. Which of these you impose, and the breadth of the restrictions, requires careful analysis. When drafting such agreements, make sure that the restrictions are reasonable.
- Allocate separate consideration (e.g., a portion of the individual’s base compensation, a signing bonus, or another benefit to which the individual would not otherwise be entitled) for the signing of the restrictive covenant agreement. Every contract must be supported by adequate consideration, and many states regard mere employment (or, in the case of a current employee, continued employment) to be inadequate to justify upholding restrictions on an individual’s post-employment activities.
- Implement a written policy that mirrors the obligations in the confidentiality covenants signed by personnel. While policies are not contracts, they serve to remind employees of their obligations to protect confidential information, making them less likely to shirk those obligations.
- Periodically meet with all personnel and remind them of the importance of protecting your organization’s confidential information.
- Restrict access to confidential information to personnel with a legitimate business need to know such information. Of those personnel, limit their access to information necessary for the performance of their job duties. In essence, create different levels of access for different categories of personnel.
- Secure electronic information by implementing the following measures:
  - Do not allow individuals to use personal laptops in connection with their job duties. Provide a company-issued laptop that the individual must return upon termination of employment.
  - Give each individual with access to confidential information a unique login and password to use for each system/database that contains confidential information.
  - Prohibit personnel from disclosing logins and passwords – whether to other personnel or outsiders.
  - Require individuals to log out of the system when they leave their work area and/or cause their access to “time out” if there is no activity on their computer terminal for a set period of time. Require a login to resume access.
  - Whenever individuals log on to the system and/or when they log in to a database containing confidential information, require them to acknowledge a pop-up message that identifies information as confidential and requires their reaffirmation of their commitment to maintain confidentiality as a condition of access.
  - Prohibit personnel from sending confidential information to their own or others’ personal email accounts.
  - Restrict individuals’ ability to save documents to thumb drives or other portable storage devices.
  - Restrict individuals’ ability to print documents, and/or allow documents to be printed only to printers in secure areas.
- Mark “confidential” all electronic and hard-copy documents containing confidential information.
- Require all hard-copy documents containing confidential information to be stored in locked drawers or locked file cabinets.
- When disposing of documents containing confidential information, require personnel to shred (or otherwise permanently destroy) such documents, regardless of where the documents are discarded (e.g., the office, hotel rooms, conference centers, residences, etc.).
- Avoid publishing confidential information on the Internet, and expressly prohibit personnel from doing so – including in blogs, chat rooms, and social media sites.
- Limit disclosure of confidential information to outsiders. If such disclosure is necessary, require outsiders to sign confidentiality agreements, and mark “confidential” all confidential information disclosed.
Protective Measures to Implement Following Termination of Employment
When an individual’s employment is terminated (whether voluntarily or involuntarily), it is imperative that steps be taken proactively to ensure that no confidential or proprietary information has been or will be compromised. Recommended steps include the following:
- Immediately retrieve all computers (including laptops) used by the employee. Prior to removing any data from a computer or reassigning it, create a forensic copy of the computer’s hard drive. An experienced and certified computer forensic professional can adequately acquire the data contained within computers while maintaining the chain of custody that is vital to preserving evidence in the event of litigation.
- Secure all PDA devices used by the employee during employment and purge all company data from employee-owned devices. Prior to purging any data from the devices, create a forensic copy of the PDA or smart phone.
- If the employee had access to a network or server, promptly deactivate the network login, including remote access.
- Deactivate the employee’s voicemail password, change the outgoing voicemail message to explain that the individual is no longer with the company, and redirect callers to another designated employee.
- Alert building security that the former employee should not be given access to the office and disable any electronic key cards provided to the employee.
- Conduct exit interviews with all departing personnel (whether departure is voluntary or involuntary). During the interview, remind the individuals of their obligation to maintain the confidentiality of all company information and the consequences of any breach of that obligation. Seek information regarding their future business plans and require them to return all originals and copies of documents containing confidential information.
- Provide a letter to all departing personnel (whether departure is voluntary or involuntary). Remind them of their obligations under restrictive covenants and include copies of any signed agreements.
- Remind remaining personnel of their obligation to protect the business’ information and not to share such information with outsiders, including former employees.
- If an individual breaches his/her restrictive covenants following separation from employment, promptly send a cease and desist letter (including a copy of the individual’s signed restrictive covenant agreement), and send a copy to the individual’s new employer.
Computer Forensic Considerations Following Termination of Employment
Unfortunately, confidential and proprietary information can be stolen even when you have taken proactive steps and employed protective measures following termination of an employee. When suspicion arises that a former employee may have stolen confidential and proprietary information, it is often necessary to enlist the services of a computer forensic professional, who can assist in a number of ways:
- Upon receipt of a former employee’s computer or PDA device, the IT department should immediately power it down (including the removal of any batteries) and store the device in a secure location.
- A forensic copy of the data contained on the computer or PDA can then be made by an experienced computer forensic expert. This copy is a bit-by-bit image of the data contained on the suspect computer or device and is essential to maintaining a chain of custody that is stringent enough for admission into evidence in a court of law.
- Assuming the computer or device was taken out of service immediately after an employee is terminated, most computer forensic reviews will permit the recovery of files, e-mails, and other data that were “deleted” and placed in the computer’s recycle bin or unallocated space after the recycle bin was cleared out. Also, the Internet history of a computer can be retrieved, providing a potential treasure trove of information. Finally, a forensic review can reveal whether any external devices (such as a USB thumb drive, external hard drive, or iPod™) were attached to the computer, the identity or timing of any files or data that were copied to that specific external device, and the timing of such activities.
- The computer forensic professional is then able to provide expert testimony, during litigation, as to the process and practices used to collect the data, the chain of custody used, and the contents and confidential and proprietary information that may have been stolen by a departing employee.
Whether your organization is a start-up business or a well-established company, implementing these procedures may significantly reduce your risk of losing your most valuable assets and help avoid costly litigation. Working with knowledgeable legal advisors and computer forensic experts is a valuable first step toward identifying and establishing the most effective procedures to fit your organization’s unique needs.
Sheryl Jaffee Halpern