This article is the first piece in a three part series of blogs on how organisations can effectively protect themselves against employees stealing confidential information. Whilst this article focuses on both surveillance policies and restraint of trade clauses, parts two and three will focus on solutions to potential issues surrounding employees notice period.
Employment relationships are just like any other relationship: the only certainty is that they will eventually come to an end.
One unfortunate reality is that departing employees often pose the greatest risk to the future goodwill of a business, as they have had the opportunity to form relationships with the client base and supplier network. Similarly, employees will often have had widespread access to commercially sensitive documents and information, and have received training on how best to exploit it, at least for the benefit of the company.
One common way for businesses to try to protect their goodwill and prevent former employees from either poaching clients or setting up businesses in competition, is to include broad confidentiality terms and restraint of trade clauses in their contracts of employment.
Another unfortunate reality is that the most common obstacles faced by employers when seeking to enforce post-employment obligations are self-inflicted, usually coming as a result of a lack of evidence caused by poor planning and administrative oversights.
Reasonably drafted confidentiality and restraint of trade terms can be extremely effective, however courts will be reluctant to make orders to enforce contractual restraints if the company cannot demonstrate that the contract was properly entered into, and that the employee, through their conduct in breach of the contract, poses a genuine risk to a legitimate interest of the company.
With that in mind, businesses need to plan for the inevitable employee break-up from day one of their time with the company, and there are a few simple steps that businesses can take to give their contracts the best chance of being enforceable if their staff do run off and try to take the business with them.
Risk Management: From Day One
Obtain professional legal advice with regard to the employment contract. Restraint of trade terms can be particularly tricky to navigate, and will be closely scrutinised by a court. Be careful of using templates, as restraint terms should be tailored to each employee.
Ensure that a signed copy of the employee's contract is scanned and saved to a dedicated location on the company's computer system. A signed contract is the best evidence that an employer can have in proving to a court that an employee did agree to be bound to their post-employment obligations. Without a signed contract, it is possible that an application to enforce a restraint of trade term might be dismissed.
A couple of recent examples from my own experience illustrate just how easily this problem can occur, and similarly, how easily these issues could be avoided:
- The company issues the contract to the employee via email and the employee turns up to work without returning a signed copy. The company do not have a follow-up procedure in place.
- The company is attempting to enforce post-employment obligations against an employee who commenced with the company 10 years earlier. When employee started with the company, the responsibility for storing employment contracts had been given to an individual administrative officer who is no longer employed by the company. Now, nobody knows where the contracts were previously kept.
It is critical that employers have and maintain a comprehensive workplace surveillance policy.
Workplace surveillance by a company is largely prohibited throughout NSW and ACT unless the company has a policy in place which explains:
- the nature of any surveillance being carried out; and
- the purpose for which the surveillance may be used.
In the context of enforcing post-employment obligations, evidence obtained by an employer through unlawful surveillance, i.e. without a proper policy in place (such as evidence of emailing documents to themselves or secretly contacting customers) is likely to be inadmissible in court proceedings. Carrying out unlawful workplace surveillance may also attract civil, or potentially criminal penalties.
Businesses should recognise that even if they are told not to, employees will use their personal devices for work, unless they are given an alternative. Allowing staff to use their own devices can save a company money, but does also create risk. Providing staff with a company phone or laptop comes at a cost, but can have a number of potential benefits with regard to the protection of confidential information.
As an example, many people can and do access their company email account from their phone. Senior employees, and technical or sales staff will regularly send and receive commercially sensitive information via email. If staff are allowed to use their personal devices to access their company email accounts, company documents sent as attachments will find their way into personal cloud storage services such as Dropbox, Google Drive or iCloud. Another problem is that staff will use their personal phones to communicate with clients. Once an employee leaves the company, their contacts and text messages will go with them.
A company issued device on the other hand:
- can be configured to control access to the company network and mail server;
- can be monitored remotely to identify suspicious activity; and
- belongs to the company and therefore the device, and the data stored on it belongs to the company and must be returned when the employee leaves.
It is important to maintain strict IT security with proper controls, particularly over sensitive business information. Similarly, your company should make sure to regularly back-up emails, document management and accounting systems, and use continual monitoring of email and data usage.
It is wise for businesses that utilise cloud storage services not to authorise staff to use their personal accounts, and instead, to consider setting up a corporate account and providing individual user access credentials for each staff member. This way, when a staff member does leave, their access to the storage account can be removed by the company.
Some cloud storage accounts do contain logs which can be useful in identifying download activity, as well as any devices and IP addresses that have connected to the account. These logs often provide useful evidence of misappropriation of confidential information.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.