Defend your data 

Data held by firms is central to their continued existence and needs protection from those who would wish to abuse it. But while there are countless malevolent external actors, such as hackers and fraudsters, not all firms properly protect information closer to home, from abuse by their own employees.

The problem is that trusted company servants often have ready access to systems and may go unchallenged when interrogating them. Further, when they leave, they can take unprotected company data with them.

So, the obvious question is how can firms protect what they hold dear and prevent it from walking out the door with a departing employee?

Information is protected by confidentiality

There are three general categories of confidential information: general skill and knowledge; confidential information; and trade secrets, which include commercially valuable secrets that give a business owner a competitive advantage.

Mark Stevens, senior associate at VWV, says that information can generally be said to be confidential if it “has the necessary quality of confidence; has been imparted in circumstances where the recipient knows or ought to have known of the confidentiality attached to it; and there has been unauthorised use or disclosure of it to the detriment of the rights holder”.

He also points to The Trade Secrets (Enforcement, etc) Regulations 2018 (SI 2018/597), regulation 2, which similarly defines the matter but in legal terms.

Of course, having a definition is one thing, but how does it play out in an employment context?

From a legal perspective, Aron Pope, a partner in City law firm Fox Williams, says that “during employment, employees have an implied duty to keep all information confidential. However, once they have left, the picture is different, and employers will be more at risk”.

He comments that although employees are still subject to an implied duty to keep trade secrets confidential, “without specific and robust post-termination confidentiality terms in the employment contract wider valuable information is at risk of being passed to a competitor”.

Stevens agrees but thinks that “after the individual’s employment ends, the tables are turned, and the balance of public interest favours the employee. Implied confidentiality obligations are therefore generally insufficient in protecting as much information as organisations would usually like”. But he says that there is an exception: if the information amounts to a trade secret, then there is an implied duty of confidentiality – even after termination of employment.

What should be worrying for employers is detailed by Stevens. He says that “confidential information can become part of an employee’s necessary skill and knowledge, and, in those circumstances, employees are entitled to use that skill and knowledge when they leave and work for another company or competitor”. However, an employer can try to stop them from doing so by way of a post-termination restrictive covenant.

Practical steps

There are, however, practical and preventative steps that employers can take to protect confidential information. For Pope, this means identifying what is important, protecting it, training staff on the importance of protection, and monitoring for any breaches.

On the first, identification, Pope says that firms should pinpoint the confidential information that they own. This may include intellectual property, such as marketing information and its brand, or it may be as simple as a list of client names and contact numbers. He adds: “Once identified, that information should be appropriately labelled with ‘confidential’ or ‘not to be disclosed externally’, securely stored, and handled accordingly.”

Stevens is of the same view and suggests that firms make it clear to employees when information is sensitive by marking emails or documents as ‘confidential’. He would also ensure that certain key information is circulated to limited numbers of employees only.

The key benefit here for Pope is that “understanding which employees have access to information will assist when it comes to justifying the employment contract protections that need to be put in place”.

Next comes the need to protect data through contracts and policies to ensure there is a legal disincentive against information and intellectual property being poached.

For Stevens, an obvious way to do this is to put in place effective security measures for information such as password protection and encryption.

Beyond the technical obstacles, Pope talks about bespoke confidentiality clauses that are incorporated into employment contracts: “These should be specifically tailored to information which is relevant to the firm and tightly drafted to capture only that information it can lawfully protect.” He adds that recent cases have shown that trying to restrict an employee from disclosing generic information “relating to the business, products, affairs and finances” of a business is unlikely to be enforced by the courts.

And looking to a post-termination future, both Stevens and Pope consider that well-drafted appropriate restrictive covenants are another tool to deploy. An enforceable non-compete restriction can prevent an employee from joining a competitor for a specified period of time (generally no longer than 12 months) after their employment ends. Similarly, non-solicitation and non-dealing restrictions may prevent them from contacting and/or working with any clients or suppliers for a limited period.

It’s worth noting that Stevens says post-termination restrictive covenants in employment contracts are common across many industries and that they can be useful. In practice, however, he says restrictions can be difficult to enforce.

This is why Pope warns that more is not necessarily better: “Restrictions will only be enforceable if they operate in a way that is no wider than necessary to protect legitimate interests as well as goodwill and the stability of the workforce including trade secrets and confidential information.”

He says the same principles apply when drafting clauses in a settlement agreement where an employee is exiting the business: “Given that settlement agreements are often drawn up under contentious circumstances, it is particularly important that the employer focuses its mind on the confidential information that it is seeking to protect.”

Stevens thinks the same but adds that beyond confidentiality and non-compete clauses – which need to be sufficiently narrow and specific in order to improve their chances of being enforceable – garden leave clauses can also be helpful. He says that “if the relevant clauses are not in the employment contract, they could potentially be introduced as part of a settlement agreement”.

At the same time as putting in place well-written contracts, another tip is to write a confidentiality policy that highlights expectations about confidentiality; the types of confidential information existing within the business; and ways to keep such confidential information secure.

Again, Pope cautions about usage and says that “for a policy to be effective, it must be read and understood by the workforce... there is little to be gained from hiding a confidentiality policy deep in a handbook. It must be clearly visible and publicised to all employees”. He also thinks it advisable that it be read alongside other relevant policies such as IT security and data protection.

The third strand when protecting information is to train staff to reduce risk. This, says Pope, “will help employees identify the confidential information they may be working with or have access to; understand how to keep that information confidential; and raise awareness of their contractual obligations both during employment and after leaving the business”.

With so many working from home now, training is essential. This is why Stevens believes that employers should adopt reporting procedures to help them “ensure that the right information is being circulated to the right people and so that line managers know what their staff are seeing and doing on a day-to-day basis.”

Training, in Pope’s eyes, is not a one-time deal. In fact, he thinks it is likely to be beneficial to employers to run refresher training sessions that “highlight any additional measures and reiterate the importance of protecting confidential information, no matter the location that an employee is working from.”

The fourth and last step to take is to monitor IT systems to pick up any data and confidentiality breaches promptly. With the growth of hybrid working, Pope reckons that “employers may now be more vulnerable to the loss of confidential information as remote working makes it more difficult to ensure data security”.

He points to software that can alert instantly to suspicious behaviour, such as large downloads, emails to personal accounts or voluminous printing.

However, there are various legal restrictions – GDPR is one – which put employers at risk of overstepping the mark. Pope advises that “monitoring is proportionate to the legitimate interest that employers are seeking to protect, namely the confidentiality of business information.”

To stay on the right side of the law, firms must keep employees well informed about the type of monitoring undertaken with data privacy notices and other documents. Here Stevens comments that policies should “make clear who is monitoring, what they are monitoring, the reasons for and frequency of the monitoring, what is done with the information and who it will be shared with, as well as any sanctions”. Further, he adds that those carrying out the monitoring, IT personnel for example, need to be aware of the consequences of carrying out unauthorised monitoring.

And of course, post-employment, business devices can be checked on return for confidential information that has been suspiciously downloaded or emailed externally. Something else to consider, from Pope, is that employers should “keep a close eye on former employees’ activity elsewhere to spot any early signs of breach of restrictive covenants or leaks of confidential information to a competitor.” Injunctions can be sought.

Hiring employers beware

Experience and depth of knowledge are key attributes that an employer will seek in any new hire. And it’s possible that incoming employees will have captured confidential information from their former employer. But as Pope explains, it “will usually be the subject of restrictions and new employers may find themselves subject to duties of confidentiality that prevent them from using it in a useful way for their business – even if it is of a great commercial benefit.”

The problem, says Stevens, is that skills, knowledge, experience and general know-how gained during employment can often be regarded as belonging to the employee – more often than not “difficulties arise when an employee divulges more specific information or uses contacts from their previous employment.”

And there is case law on the subject detailed by Pope: the 2021 case of Trailfinders Ltd v Travel Counsellors Ltd & others. Here 40 sales consultants at Trailfinders left to join a competitor which encouraged them to bring their customer contact lists; the consultants weren’t warned that this might lead to a breach of confidence.

Pope highlights that “the Court of Appeal held that the competitor was in breach of an obligation of confidence. Even though it was not explicitly made aware that the information was confidential, it ought reasonably to have known that it was or, if unsure, it should have made enquiries as to whether it was”.

So, to minimise the risk of trouble, firms should never suggest in adverts or in interviews that confidential information is welcomed. Also, any such material in a new hire’s possession should not be used. Doing otherwise could result in a claim against the firm for losses. Similarly, incoming employees should be asked to confirm whether they have any restrictions in their previous employment contract that will impact on their new role.

Lastly, Stevens has seen previous employers seek to protect information through the courts, which could include issuing an injunction in order to restrain the use of the information: “A previous employer may seek damages or an account of profits from the employee and/or the new employer. There are also risks associated with the use of confidential information which is otherwise protected.” Registered copyright or a patent is a good example of something that firms will want to prevent a former employee – or a new employer – from using in the future.

In summary

Confidential information is by its very nature valuable, and firms should take great care to protect it against loss and misuse. Similarly, employers should ensure that they are not put in a position where they might be accused of abusing another’s protected information. 


CASE STUDY

TALL Group

Martin Ruda, group managing director of the Tall Group, says that all of the company’s employees are made “very aware that security and confidentiality is of paramount importance”. He adds that “every member of staff attends induction training at the start of their employment which covers all company-wide security procedures and policies”. 

The process pays particular attention to confidentiality and what is expected from staff. But prior to employment, Ruda says that “all applicants go through a rigorous vetting process including Police Act Disclosures (repeated every two years), a verbal reference from a previous employer, two written references from previous employers (covering a five-year history), proof of identity and a credit reference.”

Beyond that, the company issues regular training questionnaires with a focus on cyber security, data management and GDPR. Further, there is regular training and testing on data security “and our people receive annual refresher training covering the stringent requirements of ISO 27001, with the principal focus on information security.”

Ruda recognises that statistically users are the weakest point in the security landscape. As a result, the company regularly runs internal ‘phishing’ exercises to familiarise staff with the ways scammers can dupe individuals into disclosing sensitive information.

The company is fortunate, as Ruda comments, to have a very low turnover of staff. But when staff leave, he says that they are subject to exit interviews that “explain the ongoing implications of company confidentiality. We also have a comprehensive account closure procedure in place to ensure that data is dealt with according to requirements”.

Ruda emphasises that the company “has invested heavily to ensure confidentiality and minimise the risk of data leakage.” To illustrate this, he explains that email and data are monitored for certain words and number sequences to detect any anomalies.

He does say that “on the rare occasion of a data breach or perpetrated fraud taking place within our industry information is communicated quickly across the forums”. He also thinks that the penalties for breaching regulations are certainly sufficient to act as a deterrent to any loose procedures.

Ultimately, Ruda says that for the security print industry, the integrity of data is of the highest importance for all organisations. He adds that “financial institutions tend to lead the market with extremely demanding security standards. This can be a considerable challenge for contracted service providers in terms of investment, keeping up to date with software and equipment, and adherence to the stringent compliance requirements of ISO standards.”