A number of clients have recently asked for guidance on how to prevent departing employees from taking confidential information with them when they leave. Although intentional security breaches by employees are notoriously difficult to prevent, a carefully designed (and implemented) data security plan can provide meaningful protection against threats from inside the organization as well as those from outside. Herewith, a few pointers.
Employee agreements and policies
Although employees who would steal your proprietary information may not have any qualms about breaching their contractual obligations, the existence and clear communication of rules is a useful first step in enforcing those rules in court should the need arise. As such, all employees should sign nondisclosure agreements, acknowledging their obligation to comply with company policies for data security. In addition, your company policy handbook should have clear procedures for departing employees, including an explicit statement that an employee’s authorization to access company data terminates immediately upon resignation or termination. Of course, knowledgeable labor and employment counsel should always be involved in any changes to employee handbooks or policies; this is one area in which doing it wrong is often worse than not doing it at all.
Controlling access to confidential material is the obvious first step in protecting it from misappropriation, but security itself is only half of the equation — legal enforcement of confidentiality obligations requires appropriate evidence. Consider reviewing your access controls with an eye to meeting your evidentiary burden in a lawsuit against an ex-employee. Do you prohibit use of “password” and other common passwords, and require employees to change their passwords on a regular basis? If not, the fact that a particular user ID is associated with unauthorized document copying may not be enough to show that the documents were copied by the user associated with that user ID. For smaller companies, consider who in your organization can testify regarding your password policies, and the password history of a particular user. Similarly, do you log access to confidential files, and copying of files to CD, DVD, external hard drive, or flash drive? If not, consider doing so — or prohibiting copying to external media altogether; the increasing availability of cloud-based document management solutions is rendering copying of files to portable media unnecessary.
Outgoing email presents another potential security vulnerability; departing employees may begin emailing themselves confidential documents months before they resign. The accounts to which these emails are directed are almost invariably provided by a free email service such as Hotmail, Gmail, and the like. Even organizations that do not monitor the content of their employees’ emails should consider keeping an eye on outgoing emails with attachments, especially emails with no content and/or no subject lines directed to accounts at free email services. Very little review is usually needed to determine whether a particular document is being sent for a legitimate business purpose.
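The review described above can be narrowed to a short queue automatically. The following is an added example, not part of the original article: the function names, the two-domain watch list and the sample messages are assumptions constructed for illustration, and a real deployment would read messages from the mail gateway's journal or archive.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Assumed watch list: the article names Hotmail and Gmail only as examples.
FREE_MAIL = {"gmail.com", "hotmail.com"}

def review_reasons(msg):
    """Return why an outgoing message deserves a human look ([] if it does not)."""
    if not list(msg.iter_attachments()):
        return []                      # the article's concern is attachments
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    domains = {addr.rsplit("@", 1)[1].lower() for _, addr in rcpts if "@" in addr}
    free = sorted(domains & FREE_MAIL)
    if not free:
        return []
    reasons = ["attachment sent to " + ", ".join(free)]
    if not (msg["Subject"] or "").strip():
        reasons.append("no subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        reasons.append("no body text")
    return reasons

def build(to, subject="", text="", attachment=None):
    """Build a constructed sample message (test data, not real mail)."""
    m = EmailMessage()
    m["From"], m["To"] = "employee@corp.example", to
    if subject:
        m["Subject"] = subject
    if text:
        m.set_content(text)
    if attachment:
        m.add_attachment(b"constructed bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m

SAMPLES = [
    build("jdoe.home@gmail.com", attachment="customer_list.xlsx"),
    build("vendor.rep@gmail.com", "Signed NDA", "Countersigned copy attached.", "nda.pdf"),
    build("buyer@partner.example", "Q3 quote", "Quote attached.", "quote.pdf"),
    build("friend@hotmail.com", "Lunch", "Noon?"),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["To"], "->", review_reasons(m) or "no review needed")
```

Messages that collect all three reasons go to the top of the reviewer's queue; the check reads only headers and whether a body exists, so it fits organizations that do not monitor message content.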
I rarely think it’s a good idea to litigate just to make a point. Employee data theft — or even unauthorized access — is a notable exception, in the appropriate instance. In my experience, few things are as detrimental to the ultimate security of a company’s data as a failure to take meaningful action when departing or former employees breach their confidentiality obligations. Of course, if you haven’t done the groundwork and can’t prove that the employee took the data, there’s no point in suing. If you can document unauthorized access or copying, though, suing the ex-employee may be appropriate even in the absence of significant damages.
Have a carrot, not just a stick
Taking swift legal action against misappropriation of company information has an even greater impact if it stands in notable contrast to the usual manner in which departing employees are treated; try to avoid overt hostility and suspicion toward departing employees. While some suspicion may be prudent, employees should not feel that they will be treated poorly when they leave regardless of their own conduct vis-à-vis the company. Remind departing employees of their confidentiality obligations, check their computer and email accounts, but don’t treat them like criminals unless you have good reason to do so.