The cuckoo in the nest: how to protect against employee information theft
At the end of the day, the impact of not taking steps to protect confidential company information might prove more costly than you think.
Employers often face the predicament of how to best protect confidential company information. The concerning reality is that all too often employers focus their efforts on protecting their information from outsiders while valuable trade secrets and sensitive information are stolen from within by their own employees.
However, there are many practical and legal steps that an employer can take to minimise their risk and proactively protect this valuable corporate information.
Pre-employment: secure the contract
One of the best ways that an employer can secure company information from employee theft is by having a robust employment contract that prohibits its misuse. At a minimum, employers should ensure that their employment contracts contain clauses in relation to confidentiality, intellectual property, restraint of trade and gardening leave.
Confidentiality clause
A confidentiality clause should contain an express prohibition on the use of confidential information, both during and after employment. The clause itself should clearly define what information is confidential so that employees are in no doubt as to what is and what isn’t confidential information (and what will therefore be protected).
Employers should also themselves act consistently in this regard and actually treat the information as confidential within day-to-day operations.
Employers can also minimise the risk of departing employees stealing company information for use in their next job by expressly extending the prohibition on use of confidential information to include the period after they leave.
Intellectual property clause
An intellectual property clause seeks to ensure that the company retains possession of the intellectual property of all documents and work produced by employees during their employment. Employers should ensure that an intellectual property clause is included in every employee's contract to avoid potential disputes as to ownership of work created during the course of employment.
Restraint of trade clause
A well-drafted restraint of trade clause can restrain a former employee from certain conduct, such as joining a competitor, as well as protecting against the misuse of confidential information, for a certain period once they have ended employment with a company.
However, care should be taken with the drafting, as a court may declare such a clause unenforceable if it goes beyond what is "reasonably necessary" to protect the employer's "legitimate business interests". Restraint of trade provisions can protect an employer's genuine trade secrets, confidential information, customer connections and staff relationships.
However, an employer cannot prevent competition from former employees, including a former employee using expertise acquired during his or her former employment in legitimate competition (i.e. joining a competitor company or forming a new company).
Gardening leave clause
A gardening leave clause allows an employer to place an employee who has given notice of his or her resignation on "gardening leave", and essentially keep them away from work during the notice period, while still remaining an employee, and therefore subject to their continuing obligations to act in their employer's best interests.
It is best to ensure you have a clear contractual right to place the employee on gardening leave to avoid potential arguments that the employer has repudiated the contract and constructively dismissed the employee. This could also result in any post-employment restraints being declared void.
During employment: protect confidential information
During employment, communication is key. It is important to set expectations for employees from the outset as to what is and what isn't acceptable regarding the use of confidential information.
Employers should provide employees with:
- comprehensive company policies regarding access and use of sensitive company information;
- training on how to maintain and protect sensitive company information; and
- information on the consequences of information theft.
Employers should also emphasise to new employees that information theft is not tolerated, and outline the consequences of engaging in information theft early on in their employment.
It is also useful to clearly establish what information employees are allowed to access. Setting clear expectations for employees may help prevent unintentional access of confidential information and will also assist in prosecuting an employee who has committed theft. (For example, employers may face difficulty in persuading a court that stolen information is truly confidential if all employees were easily able to access that information during their employment.)
Employers should also take practical steps within the company to protect sensitive information including putting systems in place that restrict access to confidential information and monitoring access and use of confidential information. Employers could consider investing in data protection software or encryption technology to prevent external parties from receiving company data.
Employers should flag confidential documents and only share sensitive information as appropriate. Access to confidential documents should be given only to those who need to know, and should be as limited as possible.
On resignation: reiterate your terms
When an employee resigns, it is important that employers have a standard procedure in place for their departure. This should include:
- immediately considering whether an employee should be placed on gardening leave given the nature of their role, the type of information they have access to and their client/customer contact;
- conducting a review of IT systems and/or personal electronic devices if an employer suspects the employee is joining a competitor or if they are exhibiting suspicious behaviour;
- monitoring all outgoing emails after resignation and prior to departure, and flagging any that contain company information;
- requiring a confirmation that the employee has returned all information and intellectual property back to the company prior to departure;
- requiring the employee to hand over personal electronic devices (computers, laptops, tablets, smartphones etc.) prior to departure; and
- an exit interview, where the employee should be reminded of his or her ongoing, post-employment confidentiality obligations and the consequences of a breach of those obligations.
Help, I've been robbed!
Lastly, if you suspect that an employee has accessed or stolen company information, it is crucial that you act quickly to investigate concerns and take swift action to minimise damage.
Employers should immediately quarantine the employee's personal electronic devices following their departure and undertake a forensic analysis of those devices to confirm whether information has been accessed. If an employee has taken computer files, a forensic expert can examine their devices to determine whether the employee downloaded or copied files in the lead up to their departure.
Evidence uncovered by a forensic expert can then be used to seek an injunction to prevent disclosure of confidential information and to support a claim for damages or an account of profits in the future.
If evidence of information theft is discovered before the employee has departed, employers can discipline or summarily terminate their employment for breach of contract. This sets an example for other employees that such behaviour is not tolerated by the company.
If the confidential information has been disclosed or utilised (or you suspect it will be) by the employee, employers should commence litigation and can seek an injunction to prevent the misuse of this information and, in certain circumstances, take steps to prevent an employee joining a competitor in breach of a restraint of trade provision. Litigation is also possible to recoup any monetary damages for breaches of the Copyright Act, Corporations Act, employment contract and the equitable duty of confidence; however, these damages will need to be substantiated.
Summary
Preventing employee information theft before it occurs is the best option, and employers should seek to implement any or all of the measures outlined above to protect themselves from the often ignored threat within. However, if you are concerned that an employee has taken confidential information, you should seek legal advice and take action immediately.
At the end of the day, the impact of not taking steps to protect confidential company information might prove more costly than you think.