Confidential information policies not up to scratch

by Iain Hopkins, 21 Nov 2012
Employers have been so concerned about limiting access to social media during work hours that they may have dropped the ball when it comes to something far more serious happening under their noses: the leakage of confidential information in an age of Bring Your Own Device (BYOD) and social media channels such as LinkedIn.

A comprehensive research study conducted by DLA Piper’s employment, pensions and benefits group has indicated that 61% of employers do not have a social media policy of any kind, while 60% of employers either allow or require employees to use their personal mobile devices for work purposes. A further 36% of employers allow employees to store business contacts on databases which the employer does not own or control.

The research, conducted via interviews with 250 senior business decision makers working in UK businesses of 250+ employees, also found:

  • 19% of employers said the most damaging loss of information would be loss of customer details.
  • 25% of employers that include restrictive covenants in their contracts of employment do not have any confidence they are enforceable.
  • 48% of employers have not reviewed their contracts in the last 12 months to keep up with the pace of technological change, and
  • 49% have not reviewed their email, internet or social media policies.

Tim Marshall, joint global leader and international group head of the employment, pensions and benefits group at DLA Piper, told HC that many organisations had struggled to keep pace with change. “You have all your standard policies and what you do to protect confidential information – restricted covenants in a contract, for example – but a lot of these now are out of date. This is new territory.”

It’s not just company policies but also legislation and case law that are struggling to keep up. Marshall conceded there is a “slight bit of guesswork” required, as social media has grown at a pace which has outstripped the development of case law to answer the question of who owns what when it comes to contacts stored and developed on sites like LinkedIn.

With so many employers now requiring employees to gather professional contacts, the question of ownership is increasingly being raised, Marshall said. “To what extent are those contacts the employee’s own contacts? That’s where you want this to be completely defined upfront: this book [of contacts] will be ours, that book will be yours; we do actually want access to your LinkedIn account, we want the password, we want the details – so you move away from that hotchpotch approach.”

However, Pattie Walsh, partner, head of employment, pensions & benefits, Asia Pacific at DLA Piper, added there are steps that can be taken. The first is to set expectations early. “It’s too late when an employee is leaving to start worrying about this. What have you done upfront? How have you managed expectations? What’s been the agreed contract between you and the employee? That’s why the absence of policies is so shocking for us,” she said.

Marshall added there are “gray areas” when it comes to confidentiality. The term ‘confidential information’ might include, at the top of the hierarchy, trade secrets such as the formula for Coca-Cola. Under that would be strategic plans, pricing structures, and then beneath that would be things like contact lists. There’s a question around how easily that information could be gleaned in the public domain. The next question is what’s actually in an employee’s skill and knowledge base.

Here’s a summary:

Trade secrets
A trade secret is likely to be information in respect of which an employer has sought to limit dissemination and which, if disclosed to a competitor, would cause real damage to the business. Examples could include chemical formulae, designs or special methods of construction, plans for the development of new products or any other information which is of a sufficiently high degree of confidentiality as to amount to a trade secret.

Legal impact
A trade secret can be protected by a business both during and after an employee’s employment. The employer does not have to use express contractual provisions to protect the secret.

Mere confidential information
Mere confidential information is likely to be information which employees are required to treat as confidential because they have been told by their employer that the information is confidential or because it is obvious that it is confidential. This will differ from business to business but may include, for example, business plans, customer contacts and marketing strategies.

Legal impact
Mere confidential information cannot be used or disclosed by an employee during the course of their employment. Once employment has terminated, however, the employee is free to use the information for his or her own benefit, unless the employee has entered into express confidentiality provisions not to do so.

Skill and knowledge of the employee
The skill and knowledge of the employee is likely to be information which an employee has acquired through experience of the organisation and management of a business. Examples might include methods of production and organisational structure.

Legal impact
An employee’s skill and knowledge is deemed to belong to the employee and is theirs to do what they like with. An employer cannot interfere with the employee’s use of that skill or knowledge.

Public information
Public information is information which is in the public domain.

Legal impact
Public information, by its very nature, is not confidential information and it cannot be protected by an employer.

Walsh said that although technology has complicated matters in some ways, with LinkedIn contacts being a more sophisticated version of the exchange of business cards, the concept remains the same. Even in the pre-social media age, businesses often didn’t recognise how important their confidential information was until it was threatened.

“There’s been a laxness about being absolutely clear to say: let there be no debate about this, this is our information. So you get some highly sensitive projects where everyone gets that it’s secret and there are encryptions, codes and all of that. But there’s less clarity around day to day stuff: pricing, how much people are paid, the contact lists, who the suppliers are and what discount they are given. I’ve always said to clients, what are your crown jewels?”

Where do employers stand legally in terms of safeguarding confidential information?

“It’s one of the questions I often get asked: Is it the contract? Is it the offer letter? Is it the policy? It’s basically whatever you decided to build your relationship together as employer and employee – and that can be multi-faceted. You would expect to have very clear obligations vis-a-vis confidential information, ideally spelling out what’s important for your business. This will be different for different businesses.

“You can do it in different ways: you may have a policy that sits alongside that; you may have a contract that refers to a policy. But it’s fundamental that you’ve got specific guidance about what’s confidential and also what that means. It’s not just about saying, ‘ok that’s confidential’, but what does it mean if you suspect there’s been a breach of that confidential information? What’s your duty as an employee? And then obviously what happens at the end [of the employment relationship], who owns what, what comes back to the employer.”

Just like other areas of business, Walsh said it’s crucial to establish expectations upfront. For example, make it clear that using a personal device for work matters is fine, but emphasise there will be a protocol to be followed when the employee leaves the company whereby that person will come in, sit down, and both parties will work through and clear off what’s personal and what’s business.

“That’s one of the things we get on the personal device front: ‘but it’s mine’. So you need to be clear about what it is you’re expecting, even if ultimately you may not be able to enforce it and can’t get an injunction.”

Walsh added that it’s crucial to manage expectations when it comes to covenants, particularly for senior executive roles. “If we say we have the right to ensure you don’t change your LinkedIn profile or notify all the social media networks that you’re leaving [the current place of employment], or we can hold you to that during your garden leave, or XYZ, whatever it may be, make that clear upfront. It’s all about giving yourself a negotiating platform for the exit.”

Employers can minimise damage caused by loss of trade secrets, confidential information and business contacts by taking the following steps:
  • Put in place a tailored contract, including confidentiality provisions, restrictive covenants and a garden leave clause.
  • Use physical and electronic security methods.
  • Limit access to information.
  • Label documents.
  • Put in place a social media policy.
  • Do not publish company trade secrets.
  • Include a confidentiality policy in the staff handbook.
  • Carry out training.
  • Require third party non-disclosure agreements.
  • Investigate any suspicion.
  • Implement a strict electronic communications policy.