It happens all too frequently in our experiencethe departing employee stays on late, ostensibly to finish something off, but in reality to download the customer database or the list of key contacts to take to the new employer.
In one memorable case we dealt with, two senior employees who were leaving to set up a rival business spent a weekend executing what they termed ‘Operation Scorched Earth’. The term was appropriate: on becoming concerned at the number of clients jumping ship, the employer uncovered a damning email trail evidencing that the employees had downloaded swathes of critical company information over that weekend.
We’ve all heard of employees taking stationery items from the office. In surveys people justify this on the basis that the cost of this to the employer is minimal: what’s the cost of the odd pen here or there? However, research carried out over a decade ago estimated that the cost of these small stationery supplies being stolen across the United States was about $200 million a day.
If that’s not bad enough, a frightening survey carried out by SailPoint across the United States and Great Britain last month revealed that employees are more likely to steal confidential information from their employer than a stapler.
Readers who are employers may wish to sit down at this point. The survey revealed that 52% of British workers would take property away when leaving a job, with 23% confessing that they would take customer data including contact details and 22% saying they would take electronic files. That’s not the only confidential information they’d take – 17% of British workers surveyed admitted they’d take designs, plans and other product information. Indeed, it appears that workers are more likely to steal company information than a stapler. So if the value of the stationery being stolen in the United States was $200 million a day 10 years ago, one can only conclude that the cost of data theft in 2010 is frighteningly high.
It’s not often you will have a clear signpost like ‘Operation Scorched Earth’ to tip you off to nefarious activities. However, as always prevention is better than cure.
Contracts, policies and training
At the outset, the employer should ensure that employees’ contracts contain adequate safeguards in relation to confidentiality issues. Thus, the contracts should set out in express terms what information will be regarded as confidential and what the employees’ obligations are in relation to that information.
Employers should ensure that they have clearly stated policies dealing with confidential information and that these are properly communicated to staff.
Policies need to be combined with efforts to educate staff about what the policy means in practice. Make sure that employees have a clear understanding of what is regarded as confidential information and the limits on their use of this. Being able to evidence that employees were trained in this area makes it much harder for the employee to feign ignorance at a later stage.
Employers should also consider including restrictive covenants in some contracts. In broad terms, the courts will uphold a restriction if it offers the employer a legitimate degree of protection from a particular risk and the restriction only goes as far as is necessary to protect the employer from that risk.
An obvious example is a manager who has access to marketing information which, if it fell into the hands of a competitor, is likely to result in damage to the employer. It is likely to be reasonable to restrict that manager’s entitlement to approach those client contacts after his employment ends by way of a non-solicitation clause. It may also be reasonable to restrict his entitlement to deal with those clients at another employer by way of a nondealing clause. However, such restrictions should be limited in time and geographical scope to that which is strictly necessary.
Acting on confidentiality - enforcement
The risk of an Operation Scorched Earth can also be kept to a minimum if employers implement procedures to limit employees’ access to confidential information in the first place. For example, few Boards would be happy at the prospect of confidential Board Minutes being available for any employee to view on the word processing system.
Most automated systems today have means to modify access rights or privileges which allow an easy means of limiting this risk. Any procedure adopted should include the removal of access once employees have moved on.
Employers should also consider implementing a monitoring system which allows a check to be undertaken of employees who can access confidential information to see what they are doing with it. For example, if confidential information is being sent to an employee’s home email account, is there a good reason for this? As always, any monitoring should be done in accordance with an employer’s email monitoring policy.
What if you discover that an Operation Scorched Earth has been carried out by a former employee? If you act promptly, you may be able to obtain a court order (an injunction) preventing the employee from making use of the confidential information or from acting in breach of any restrictive covenants.
Often you may have little time to establish all the facts before taking protection legal action but you should be aware that delay in applying for an injunction could be a bar to success. For example, a court may well conclude that there would be little point in granting an injunction where all the customers have already moved to the new employer. In any event, in these days it is usually possible (subject to any monitoring policies), to get information fairly swiftly from IT systems and such like.
If the court is persuaded to grant an injunction, it may also be willing to grant additional orders, such as an order for delivery up or destruction of confidential information or IT equipment, or orders to preserve, disclose or search for documents.
It isn’t possible to eliminate the risk of file-filching completely but, as we’ve shown, you can reduce it substantially by limiting and controlling access to confidential data in the first place and ensuring that you have appropriate contractual and procedural safeguards in place. Now – who’s taken my stapler…?