As a new report of computer hacking seems to hit the news every few days, employers should take care to protect their own and their employees’ confidential information, whether stored in hardcopy form or, more likely, electronically. There are several steps employers can take to protect confidential company information:
- Confidentiality policies and procedures. Employers should develop policies and procedures to identify confidential information and documents, mark them as confidential and restrict access. If the company does not treat something as confidential, a court is not going to do so. Employers should consistently enforce their confidentiality policies, and regularly review and revise policies as needed to address new technology and modes of storing and communicating information.
- Train employees and managers. Employers should provide training to their employees on handling confidential information.
- Confidentiality agreements. Employers should require all employees to sign confidentiality agreements as part of their employment contracts or in discrete documents. The agreements should define what is confidential, prohibit current and former employees from unauthorized use or disclosure of confidential information, and specify the remedies available to the company in the event of an employee’s breach. Confidentiality agreements may include non-competition provisions, which restrict an employee’s ability to work for a competitor, and non-solicitation provisions, which restrict employees from enticing the company’s current or potential clients or customers to a competitor or encouraging clients/customers to cease doing business with the company.
- Acceptable use of electronic equipment policies. Employers may limit the use of the company’s computers, phones, email systems and internet to company business, or limit the acceptable personal use of those devices and systems. Confidential information is often misappropriated through improper use of this equipment, and policies should be written to specify permissible actions.
- Monitoring. The law generally permits monitoring of employees’ data usage and access on company-owned equipment, such as telephones, computers, laptops and smartphones. Company handbooks should specify that the employer has the right to monitor use and access on company-owned equipment. Because some states require specific notice of any monitoring of telephone, email, or internet use, a best practice is to provide notice, which may appear when the employee logs on to the employer-owned device, or to obtain signed consent forms recognizing potential monitoring.
- Exit interviews and separations. Upon an employee’s separation from the company, the employer should conduct an exit interview to ensure that the employee has returned all company documents and equipment, as well as any confidential information. If the employee used personal computers, laptops or smartphones for business, the employer should ensure that any company information on those devices is deleted or returned. The employer should disable any remote access by the employee to the company server, and may want to check any paper or electronic files that the employee takes with him or her at the time of departure.
- Enforce Agreement Violations. Should the company learn a former employee has violated his or her confidentiality agreement, actions should be taken promptly. A failure to do so could be used against the company to demonstrate that the information was not confidential or was not important, since otherwise the company would have taken immediate action to protect it.