Protecting confidential information in the digital workplace

The world of business is increasingly reliant on technology. So what can firms do to ensure important information is protected? Adam Hartley advises.

Confidential information is often one of the most valuable but overlooked assets of a business. Every company has information it considers invaluable to its competitive edge in the marketplace, but protecting this information is often not given business priority.

In particular, insufficient attention is given to the level of threat from inside the business. Employees often have access to valuable knowledge about customer contacts, financial and strategic business intelligence in the course of their employment, which will be an attractive asset to any competitor.

Trade secrets can be protected both during and after an individual's employment without the need for express contractual provisions. Genuine trade secrets, however, are rare, and much of the information that an employer regards as a trade secret may simply be confidential information - for example, business plans, customer contacts and marketing strategies.

Confidential information cannot be disclosed by an individual during their employment, but once this has terminated the employee is free to use the information for his or her own benefit, unless they have entered into express contractual restrictions not to do so.

This means that taking action to protect confidential information must begin at the outset of the employment relationship. There are five key methods that employers need to consider in order to ensure adequate protection for mere confidential information:

  • contracts;
  • policies;
  • training;
  • monitoring; and
  • enforcement.

Employers should include comprehensive confidentiality provisions in the contract of employment, which focus on the confidential information that is relevant to the company. It is essential that careful thought is given to these provisions and that they are tailored to the particular requirements of the company.

The contract should clearly set out the precise types of information the employer deems to be confidential, and the restrictions that the company wishes to place on its use both during employment and post-termination. Employers should also consider including restrictive covenants in contracts of employment.

Any covenants imposed must be no wider in terms of time span and geographical scope than is reasonably necessary to protect legitimate business interests. Employers will need to consider the "shelf life" of the confidential information - for example, how long will it be before the company's pricing structures change, at which point the ex-employee's knowledge of those structures becomes obsolete and will no longer offer a competitive benefit to a competitor?

Specific geographical areas

Employers also need to give thought to the relationship between the confidential information and any specific geographical area. Is the nature of the confidential information such that it is appropriate to prevent the employee from competing with the employer in a specific region only, or does the protection need to extend beyond that in order to be effective?

Employers should also take care to ensure that they own all intellectual property (IP) in the employee's work products: customer lists, for example, may be the subject of database rights, and other confidential documents are likely to be protected by copyright. Such IP rights can add additional protection to that afforded by the law of confidence. IP in materials created in the course of employment generally automatically belongs to the employer. However, it is important to ensure an employee's job description is sufficiently wide and comprehensive that the employee cannot later argue that the key IP-protected material was created outside the course of employment.

Keeping contracts up to date

It is important to review the confidentiality contract at regular intervals to ensure that it still provides appropriate protection. If not, employers may be able to take advantage of opportunities such as a promotion to impose new contractual terms.

The contract should be backed up by comprehensive policies that set out clear rules about the disclosure and use of confidential information, together with the sanctions that will apply if the rules are broken.

This should include a confidentiality policy, an electronic communications policy that clearly distinguishes between the rules for personal and business use, and a social media policy that sets out clear rules on the use of social media sites.

Any policies must be properly communicated to the workforce and complemented by regular training. This should assist in demonstrating employee awareness of the information the employer deems to be confidential, and knowledge of the rules regulating its use and disclosure should any future disputes arise.

Effective control of confidential information will inevitably require employers to engage in monitoring employee activity. Monitoring may, however, open the employer up to legal liabilities as it can intrude into employees' private lives, breach their rights under data protection law and interfere with the relationship of trust and confidence.

Adapting to the digital landscape

All of these steps will assist employers in protecting their confidential information, but the emergence of the so-called "digital workplace" has given rise to additional challenges. Developments in data-storage technology have increased storage capacity, simplified high-speed data transfer and increased device portability. Smartphones can store a similar amount of data to the average desktop hard drive, and entire databases can be copied to the device in minutes.

Unauthorised use of these devices is hard to detect and prevent. They are easy to conceal, and increasingly many employees will have legitimate reasons for using them in the workplace as the trend to "bring your own device" (BYOD) has taken off. BYOD is the practice whereby employees connect their own mobile devices to corporate networks instead of using employer-issued devices. BYOD creates potentially uncontrolled access to the employer's networks, allowing information to be obtained and removed at will.

The growth of social media also presents challenges to employers seeking to protect confidential information. Employees may post confidential information online, either intentionally or without thought. This might include supplier and customer lists, which can be stored as contacts or connections on social media sites. As well as the risk of inadvertent disclosure, this creates issues relating to ownership. Customer contact information has largely migrated to a digital medium, whether in a specialist database or as a contact list in an email program such as Outlook. BYOD encourages the crossover of the employee's personal contact information with the employer's customer and other business contact details. This can create significant difficulties for employers in maintaining control over their confidential customer information. Social media adds a new layer of complexity.

Social media concerns

An employee using a social networking site such as LinkedIn in a professional capacity will generally build up a database of contacts, which will contain a mixture of connections - some derived solely from the employer's contact database, some created during employment as a result of personal contact by the employee whether in a business or social context, and some that the employee brought with them from a former role or from personal acquaintance.

Building a network of contacts in this way may even be encouraged by the employer during employment. Who owns these contacts? Social media has grown at a pace that has outstripped the development of case law to answer this question. The best advice to employers is to ensure that the organisation's policies and employment contracts clearly address the issues of acceptable social media behaviour and who owns LinkedIn connections and Twitter handles, although the validity of these types of restrictions has yet to be tested in the courts.

It remains to be seen whether "standard" restrictive covenants are fit for purpose in this context. A typical non-solicitation covenant will seek to prevent an ex-employee from soliciting or canvassing the business of a customer or client of the former employer for a period following termination of employment. Will this restrict an employee from changing his profile on LinkedIn?

Employers may wish to consider imposing contractual terms that if the employee enters into employment with a competitive business they will not update their status on social media sites to identify their new employer until the end of the covenant period. Employers could also seek to impose contractual obligations requiring an ex-employee to delete and not restore their business connections for a period after termination of employment.

Companies should take a careful look at the information they are concerned to protect, conduct an assessment of the risks that may result in its disclosure or loss and consider the measures that they need to take to achieve effective protection. In the current economic climate, employers cannot afford to be complacent - now is the time to equip the business with the tools it needs to protect its assets and limit its exposure to legal risks. A proactive approach together with a regular review process should be the cornerstone of any strategy.

Adam Hartley is a partner in the employment, pensions and benefits division at DLA Piper.