Your business is unique and has a lot of confidential and highly sensitive information that is vital for its success. Much of this will be held on central IT systems, accessible to employees whilst working for the company.
The information might include lists of customers, financial projections, price-sensitive information, business plans and strategies, to name but a few. And whilst you are of course content for employees to make use of this data to further the business’s needs, you would not want them using it when they leave, whether for their own benefit or that of your competitors.
PROTECTING SENSITIVE INFORMATION WHEN AN EMPLOYEE LEAVES YOUR BUSINESS
So how can you make sure the information remains protected when someone leaves? And how can you stop a departing employee from taking and sharing it with their new employer so that they gain an advantage over you?
A key part of protection and prevention needs to happen right at the outset, when you take on someone new. You need to ensure that your employment contracts go far enough to protect your business, both during and after an individual’s employment.
There are terms implied into every employee’s contract. For example, there is the duty of fidelity to maintain mutual trust and confidence. But it is not enough to rely on these terms, nor to rely on ex-employees doing the right thing in order to safeguard your business. Employment contracts should contain specific terms known as ‘restrictive covenants’, or ‘post-termination restrictions’, to help protect you for a specified period of time after someone leaves.
Common terms include:
1. Non-solicitation – so the employee cannot poach your customers and clients.
2. Non-compete – which restricts the employee from working for a competitor within a specified geographical area.
3. Non-dealing – the employee cannot deal with your customers and clients, regardless of who approaches whom.
4. Non-poaching – the employee cannot poach your other employees.
In addition to these restrictive covenants, there should also be general confidentiality clauses, which make clear what information is confidential and that its use must be restricted, and which set out the consequences of any misuse of confidential data.
CONTRACTS OF EMPLOYMENT
As with everything, prevention is better than cure, so as a first step you should look at your standard contracts of employment in order to ensure they contain the right provisions, and that any restrictions on the employee are reasonable and can be justified insofar as they protect your legitimate business interests. There is no ‘one size fits all’ and reasonableness is judged at the time the contract is entered into with that particular employee.
It is a risky business putting contracts in place without properly considering what you are seeking to protect and how far you need to go in order to do so. You, as the employer, not only need to be able to rely on properly drafted provisions, you also need to be able to justify any restrictive covenants in the event of a dispute arising. This is because if a court considers a clause is unreasonable (in scope and/or length), it is likely to strike it out of the contract, potentially leaving the business without adequate protection or grounds to pursue someone.
In addition to the contract of employment, the business also needs to make sure that it knows who is accessing its confidential and sensitive information. Having audit logs in place which record sufficiently detailed data of what your employees are accessing, through what means and when, will help should a situation arise. Given that this data could be subject to challenge if a dispute arises, you need to make sure that it is secured and properly and legitimately monitored at all stages.
If and when a problem does arise with an employee who has departed or is about to depart, it is imperative to seek legal advice immediately so that the business gets help with securing and preserving data and advice on what to specifically look for. This is a very specialised area of law, so seeking advice from a knowledgeable legal team will mean that the business is in a position of strength should action be required.
FORENSIC READINESS PLANNING
It is critical not to let your IT team go in to ‘have a quick look’ unless they have forensic training and know what they are doing. Evidence spoliation is of real concern in these situations, so when in doubt take copies from any devices and accounts in question. Ideally, use a third party to advise, so that the steps can be carried out ‘at arm’s length’. This is all part of forensic readiness planning, which all businesses should consider as part of their wider Incident Response Framework and general risk management.
If the business takes the necessary steps from the start, the legal team will have all of the necessary information and knowledge to write to the employee and future employer setting out your rights to help negotiate a successful outcome. Not only will this save you time and money, it will also ensure that what makes you you remains firmly under your control.
DMH Stallard, in conjunction with First Response, will be hosting an event in September addressing these issues. To register your interest, or if you are interested in finding out more about protecting your company’s information assets, please e-mail enquiries@DMHStallard.com.
DMH Stallard is known for their expertise, approachability and for always adopting a commercial and pragmatic approach. Nicola Billen is a Partner in our Dispute Resolution and Litigation Team. Abigail Maino is a Partner in our Employment Team.