For many companies, customer information ranks among its most important assets. Yet these days, employees often keep this sensitive customer information in electronic locations that are not readily accessible to or controlled by their employers. Employees typically maintain customer contacts in personal smartphones under Bring Your Own Device (“BYOD”) policies, and are also often connected with customers on LinkedIn and other social media networks. For this reason, departing employees who would seek to use their former employer’s customer information in connection with a competing company pose a serious threat to the secrecy of the information.
Because a company armed with its competitor’s customer information can gain a massive advantage in diverting business, courts in most states recognize that customer information can constitute trade secrets that enjoy special protection under the law. To qualify for trade secret protection, information must have independent economic value and be the subject of reasonable efforts to protect the secrecy of the information.
Employers should give serious consideration to protecting the trade secret character of their customer information by exercising control over the common electronic locations of customer information that are managed by their employees. Failure to implement controls over these locations may result in the loss of trade secret protection of customer information and, more critically, the loss of customers.
Customer Contacts On Cell Phones
Many employers now utilize BYOD policies that permit employees to utilize their personal smartphones for work. Although BYOD policies may save some money in onboarding, they can also make protection of customer information substantially more difficult. Indeed, under a BYOD policy, employees are carrying around trade secret customer information on personal devices.
The secrecy of customer information contained in cell phones is jeopardized when employers maintain a BYOD policy and fail to take measures to ensure that the information is maintained confidentially and deleted prior to employee departures. Absent policies protecting the customer information contained on employee devices, courts many well find that the employer did not take sufficient steps to protect the secrecy of the information. This could result in a loss of trade secret protection for your customer information.
At a minimum, employers should implement procedures that give them the ability to inspect employees’ devices prior to departure and delete company information. But problems nonetheless arise because the employer is forced to sort through often thousands of “mixed” personal and business contacts to identify customers or trust employees’ representations that all customer contacts were deleted.
A safer, although more expensive, approach is implementing policies (and investing in software applications) that allow the company to scrub all data from employees’ phones upon resignation or termination. This can include a remote wipe in the event the employee refuses to turn over the phone. Although these policies may be unpopular with employees, they offer good protection for the employer.
For many enterprises, the best approach may be simply doing away with BYOD policies altogether, at least with respect to employees that are privy to customer information. If these “high risk” employees are required to use devices purchased by the company to conduct business and their company-related contacts are stored on those phones, the company can ensure that the information does not remain with the employees simply by requiring them to return the phones upon termination. Even before termination, employers can exercise a greater degree of remote control over and monitoring of company devices.
In addition to protecting the company from theft of customer information before it occurs, implementing a “remote wipe” policy or doing away with BYOD may force employees with bad intentions to take affirmative steps to illicitly transfer their contacts to another location, such as by emailing the contacts to themselves. While this can be difficult to prevent, evidence of the data transfer will be the smoking gun that enables the employer to show misappropriation of its information and intent to use it to compete.
Customer Contacts on Social Media
Employees are also increasingly using personal social media accounts to connect with their employer’s customers. This practice too raises thorny issues for employers and your business may want to curtail it.
First, employees’ use of social media to cultivate client relationships can lead to the destruction of trade secret protection for the customer information. Indeed, if all a competitor has to do find out the identity of your customers is look at your salespeople’s public social media pages, have reasonable efforts to protect the information been made? California courts have held that customer lists are not trade secrets when the identity of the customers can be readily determined based on public information. If employees are using social media to connect with customers, whether customer information is entitled to trade secret protection may well turn on employees’ use of privacy settings on their accounts.
Second, allowing employees to connect with customers on their personal social media accounts creates a dispute regarding ownership of the customer information. There is no general rule regarding the ownership of employee social media accounts and the data contained in those accounts. One federal court in Pennsylvania found that an employee’s LinkedIn account belonged to the employee based in large part on LinkedIn’s User Agreement at the time which provided: “If you are using LinkedIn on behalf of a company or other legal entity, you are nevertheless individually bound by this Agreement even if your company has a separate agreement with us.” On the other hand, a federal court in New York held that the employer owned its employee’s Twitter account content since the employment agreement expressly spelled that out.
Beyond ownership issues, in the event of suspected employee disloyalty, it can be difficult to force employees to delete their social media contacts. In California, employers are prohibited from requiring or requesting employees (or applicants) to disclose their username or password for social media accounts.
Given these risks, employers should strongly consider prohibiting their employees from using personal social media accounts to connect with customers. Although outright prohibition may be the appropriate policy, if an employer nonetheless sees value in cultivating customer relationships on social media, the simplest solution is likely to set up new, company-owned and controlled social media accounts that employees are required to use. Those accounts must, of course, be set to private such that they are not viewable by other network members. The company should also make clear in employee handbooks and written policies that (1) the employer is the owner of the social media accounts including all data contained in the accounts; and (2) the social media contacts used for business purposes are the confidential information of the employer and must be deleted or otherwise managed upon termination of employment.
Employers must act proactively to protect their trade secret customer information. By controlling the electronic locations of their customer information, employers can ensure that the information retains its trade secret designation, while also substantially reducing the likelihood that their departing employees will be able to misuse customer information and unfairly compete.