Seizing the Salt, Sparing the Shaker: A User's Guide to Data Protection
Are you wondering if you should do more to protect your trade secrets and confidential information?
Even if you don't think the answer is 'yes' for your organization, it probably should be.
According to a recent survey conducted by Symantec, 50% of employees who left their job in the last 12 months, by choice or by force, left with confidential information; 40% of those people plan to use the information in their next job.
You read that right: one out of every two employees that left their job took important data with them.
How can this be? Is the world really that dishonest that this many people just willy-nilly steal, admit to that theft in surveys, and go on their blissful way without a care in the world?
On Why A Thief Might Become a Thief...
Have you ever seen the one where Ross teaches Chandler how to "find the line between stealing and taking what the hotel owes you"? (I am, of course, talking about an episode of Friends).
In recap, it is not cool to take salt and pepper shakers; it is allowable (but still not "cool" by Chandler's standards) to take the salt and pepper. (Also, please note that the title of this post has just become completely relevant.)
Discussing the Symantec survey results, the Ohio Employer Law Blog pointed out that not only do half of exiting employees take information on the way out, but 62% said that taking the information was not wrong; 56% said it was not a crime; and 44% believe that software developers (which was the example given to respondents in the survey) have at least a partial ownership in their creations.
When most employees "steal" your information, they do not think of it as theft in the same manner that you do. For them, the information/customer list/trade secret they discreetly sneak out the door with them on their last day of work is just like that salt and pepper: simply their attempt to take what the hotel (i.e., you) owes them.
After all, they reason, wasn't it their hard work, time, genius, dedication, and who knows what else that created this confidential information in the first place?
What Can You Do?
Protecting confidential information should start with the recruiting and hiring process and go on until way after the employment relationship ends.
Here's how to ensure that data protection issues are front and center at all stages of the employment relationship (and beyond):
- Discuss invention ownerships, intellectual property rights, and the use of confidential information in the initial job offer. Before the employee even accepts the job, make sure they know what it entails.
- Have NDAs/Nonsolicitation Agreements/Restrictive Covenants in the original employment contract. There are a lot of laws regarding how these documents are handled, but, following all of your state laws, have and enforce these!
- Keep Confidential Information Confidential. Some common sense advice: the fewer people who know something, the less likely it is that that something will become common knowledge.
- Train and Educate. Employees don't know it is wrong to take certain information? Tell them! Show them what qualifies as protected information, how they should use it, and, more importantly, how not to use it.
- Discuss in Exit Interviews. When an employee is leaving, have a conversation with them about what data belongs to the employer. Remind the employee of the employee contract. Make sure they know what is expected of them and that you do mean to enforce the contract.
Maybe the most important thing you can do to protect your confidential information is to enforce your agreements. If you have reason to suspect an employee is inappropriately using your information, check up on this and enforce the contract. This will curtail any damage already caused by the misuse, but it also shows current employees that you are serious.
One last statistic from that scary survey: 51% of employees believe it is okay to take protected information because the employer doesn't enforce policies. Enforce those policies people, and protect yourself from current and future data theft.