The saying "an ounce of prevention is worth a pound of cure" certainly rings true when it comes to protecting an employer's confidential information from misuse.
In brief: The saying "an ounce of prevention is worth a pound of cure" certainly rings true when it comes to protecting an employer's confidential information from misuse. Confidential information can be one of the more valuable assets of a business and often, once the information is misused, the damage is already done. As such, it is important for employers to implement proactive measures at the 'front end' to prevent the misuse of confidential information at the 'back end'.
WHAT YOU NEED TO KNOW
- Misuse of confidential information can lead to loss of competitive advantage, impact upon client/customer relationships, financial loss, and/or privacy implications.
- Often, once confidential information is misused, the damage is already done. As a result, it is important for employers to implement a number of measures to prevent the misuse of confidential information.
- The preventative steps that employers can take may include monitoring internet and email usage, restricting access and effectively utilising employment contracts and policies.
Here are six preventative measures that employers can implement to avoid the misuse of confidential information.
Effective Employment Contracts
Aside from clearly setting out the terms and conditions of employment, well-drafted employment contracts protect an employer from a number of employment related risks – including the misuse of confidential information.
To protect the confidential information of a business, employment contracts should contain a number of tailored (i.e. appropriate and relevant) clauses which aim to prevent any breaches from occurring, including the following:
- Confidential Information
A specific and appropriate confidential information clause will provide an important layer of protection to an employer. However, one size most definitely does not fit all with respect to confidential information clauses.
In fact, one thing that we see time and time again is template confidential information clauses that are not specific to the employer's business and do not extend to the confidential information that the employer wants to protect. As an example, we occasionally see confidential information clauses protecting information contained on, of all things, floppy disks! Now, I don't know about you, but I haven't used a floppy disk since the 1990s.
This indicates that the clause is from an out-of-date template – particularly if it does not refer to USB devices. This is less than ideal in circumstances where the confidential information of the business is more likely to be stored on USB devices rather than floppy disks.
To be enforceable, confidential information clauses must satisfy a number of legal requirements. As such, beware of template confidential information clauses and ensure you have it reviewed by a legal professional.
- Obligations upon termination
Employment contracts should contain a clause which requires employees to return all company property and confidential information and/or to destroy all electronic copies of confidential information upon termination.
As a tip, ensure that a time period is specified (i.e. within 24 hours of the termination of the employee's employment) and also, make certain that you remind the employee of his/her obligations at the time of termination. Finally, ensure that the employee actually does return the company property and confidential information!
- Requiring compliance with the employer's policies
Another useful clause is one which requires an employee to comply with the employer's policies (without actually incorporating the employer's policies into the contract) – particularly if you have an Internet and Email Use Policy.
Internet and Email Use Policy
An Internet and Email Use Policy is an important tool to utilise in protecting the misuse of confidential information. Specific to confidential information, the policy should clearly specify:
- what employees are and are not permitted to do with respect to using and/or disseminating confidential information;
- that email and internet usage may be monitored by the employer; and
- the possible consequences of breaching the policy (i.e. disciplinary action up to and including termination of employment).
Keep in mind that it is not enough to simply develop a policy – the existence of the policy needs to be clearly communicated to employees on an ongoing basis.
Monitoring Internet and Email Use
One of the common scenarios encountered by employers is where a departing employee downloads confidential information on a USB device or sends it to a personal email address. Often, this is only discovered after the employee has permanently departed from the workplace.
The best preventative measure for employers to take in these situations is to monitor the email and internet usage of all employees (particularly the usage of departing employees) and then, if any such conduct is discovered, address it immediately
In Victoria, employers are permitted to monitor internet and email usage. From a 'best practice' standpoint, we recommend that:
- any monitoring that you do perform should be in accordance with any relevant polices or procedures; and
- the polices or procedures directly state that the employer does monitor email and internet usage.
This is where a well drafted Internet and Email Use Policy becomes extremely useful.
Employers outside of Victoria should be aware that the laws surrounding surveillance of email and internet usage in the workplace may differ. As such, any employers outside Victoria should seek advice regarding the monitoring of email and internet use in their State/Territory.
Implement a "need to know" Standard
Employers should consider whether all employees "need to know" all confidential information of the employer in order to enable them to perform their duties. It may be that some employees "need to know" some confidential information, whereas others don't "need to know" any confidential information at all.
Employers should be extremely careful to restrict full access to the confidential information of the business to those employees that really do "need to know" all such information in order to perform their job. Most of these employees will be senior and/or executive level employees who owe fiduciary obligations to their employer in respect of confidential information which the less senior employees generally do not owe.
Another important step to take is to ensure that access to confidential information is restricted or only partial access is provided so that only those employees that "need to know" are able to do so to the exclusion of others.
Take a Stand
Importantly, if you do discover any employees misusing confidential information, make sure you immediately address it! If the employee is still employed, the steps that you take to address the conduct may include disciplinary action and/or dismissal, reminding the workforce of the existence of the policy and/or implementing training on the policy.
You should note that immediately addressing the conduct sends out a very strong message to the workforce that you will not accept any breach of this nature.
If an ex-employee misuses the confidential information of the business, the action that you may take could include requesting formal undertakings and/or issuing proceedings. Again, taking any such action sends a strong message to the workforce that you will not accept any breach, which is a good deterrent.
It is important for employers to implement proactive measures to prevent the misuse of confidential information. The above steps outline a number of measures that may assist in preventing any misuse of confidential information.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Madgwicks is a member of Meritas, one of the world's largest law firm alliances.