Losing an employee, whether by dismissal or resignation, is never easy. But it’s even harder when the employee walks out the door with a head (and possibly a briefcase or USB) full of your confidential information.
Confidential information comes in many forms. For some businesses, their most important confidential information are their client lists and order history. For other businesses, they might value computer code or designs. And other businesses might value their price list or tender documents. Every business will have a combination of confidential information and trade secrets that need protecting.
Unfortunately, one of the biggest threats to the security of your confidential information is from inside. Your employees get a front row seat to all the information, because they need it to do their job while they are working for your business. However, once they stop working for you (and sometimes even beforehand), there is a very real risk that they might leak the information to your competitors or take the information for their own benefit.
There are several avenues available to business owners to keep employees on a tight leash when it comes to confidential information. We discuss some of the more effective options in this article.
An employee’s contract is the best place to lay all the ground rules for their employment, and for the protection of your confidential information.
We recommend including a comprehensive clause that sets out your requirements regarding:
- Ownership of information (pre-existing and newly created);
- Storage of information;
- Accessing of information;
- Use of information; and
- Destruction or return of information.
We also recommend that the contract set out your expectations regarding use of software, databases and email addresses used by an employee. Most instances of theft of confidential information are now electronic, so having clear guidelines can give you more power to monitor and enforce inappropriate use.
Depending on the nature of the employee’s job role, it might also be appropriate to include a non-compete or non-solicitation clause in their contract. This gives an extra layer of protection because it provides clearer financial recourse against an employee who steals your information to set up their own business or to assist a competitor.
Some business owners like to take it to the next level by having employees sign a deed dedicated to protecting confidential information. This is a great option if your confidential information is paramount to your business. It is also a good option if the rules recorded in your employees’ existing contracts are less than perfect.
A Confidentiality Deed allows you to set out in detail what you expect from your employees regarding use of your business’ confidential information. By signing the deed your employees agree to be contractually bound to its provisions, which makes it enforceable against them if needed later.
The sorts of things a Confidentiality Deed should cover are similar to in an employment contract. However, a Confidentiality Deed can go into more detail because it is a more specialised document. And whereas an employment contract is generally only signed once at the very start of the employment relationship, a Confidentiality Deed can be entered into at any time. This gives the document more flexibility, as it can be varied or replaced as needed. It can also be updated to reflect different specific confidentiality issues, for example for particular projects or customers.
Confidential Information Policy
Workplace policies are your rules and guidelines that set behavioural standards (i.e. acceptable and unacceptable behaviour) for your employees. Policies help you manage your employees by clearly articulating your standards of behaviour, and then holding them accountable to those standards. A Confidential Information Policy is a tailored and comprehensive policy specifically on the issue of access to and management and protection of a business’ confidential information.
A Confidential Information Policy is a more flexible tool for governing how confidential information will be protected in your workplace. It can be updated frequently to cater for changes in technology, software and intellectual property used in your business. It also ensures there is a consistent set of rules that apply to all employees who are notified of the policy, which gives the business greater protection.
A good Confidential Information Policy will clearly define the expectations, set out how breaches will be investigated and dealt with, and detail the consequences of repeated or serious breach.
Owning accounts and restricting access
As they say, prevention is better than cure. Restricting access to confidential information via management of software and online accounts is a practical and effective way to prevent departing employees from having ongoing access to the data.
Many software programs and online accounts now allow business owners to use different levels of access to the account. For example, the business owners may have ‘administrator’ access, while employees can be granted only ‘user’ access which restricts how much they can view and edit through the account. The benefit of this is it is usually open to the administrator to suspend and cancel user accounts as needed, so an employee’s account access can be terminated at short notice.
Password management is another way that employee access can be limited. There are now programs that facilitate the storage and auto-generation of passwords which ensure that passwords are temporary and almost impossible to remember. All passwords are accessed and generated through an account with a user-chosen password. On termination of the employee’s employment, the user-chosen password can be immediately changed by the business owner to ensure that the employee can no longer access the various accounts of the business.
Lastly, an employee’s work email address is an incredibly important source of business confidential information. An employee’s access to their work emails should be terminated immediately when they leave the business. It can also be a good idea to redirect those emails or monitor the inbox for a period of 2-3 months after the employee departs. Monitoring of emails received after the employee’s termination can provide an insight into whether the employee has had inappropriate contact with your clients. It also ensures that you can promptly respond to any work requests or enquiries, to reduce the risk of your clients being poached by the departing employee.
The few months after a key employee leaves are generally when they can do the most damage to your business by using your confidential information for their own benefit. Accordingly, during this window you should keep your ear to the ground for any reports from clients, suppliers or staff of contact or marketing materials from the former employee.
Social media provides an excellent opportunity to monitor a former employee’s next move, as they will often use sites like LinkedIn and Facebook to publicise their new job or business. You should also keep an eye out for mass email send-outs and advertisements on industry websites.
If you become aware of any actions by your former employee that indicate theft of your confidential information, you should act fast. The longer you leave the situation, the more difficult it will be to enforce your rights and limit or repair the damage.
If you would like help to protect your business’ confidential information, please contact Andrew or Louise on 1300 654 590.