Accidents happen. But what firms do once an incident occurs will have repercussions on how an investigation proceeds and its effects on the organisation concerned, says James Lowe.
Data held by firms is central to their continued existence and needs protection from those that would wish to abuse it. But while there are countless malevolent external actors, hackers and fraudsters for example, not all firms properly protect information from abuse by employees.
The problem is that trusted company servants often have ready access to systems and may go unchallenged when interrogating them. Further, when they leave, they can take unprotected company data with them.
The flooring sector is not exempt from this as a recent case proves – see panel.
So, the obvious question is how can firms protect what they hold dear and prevent it from walking out the door?
Information is protected by confidentiality
There are three general categories of confidential information – general skill and knowledge; confidential information; and trade secrets that includes commercially valuable secrets that give an owner a competitive advantage.
Mark Stevens, senior associate at VWV, says that information can generally be said to be confidential if it ‘has the necessary quality of confidence; has been imparted in circumstances where the recipient knows or ought to have known of the confidentiality attached to it; and there has been unauthorised use or disclosure of it to the detriment of the rights holder.’
He also points to The Trade Secrets (Enforcement, etc.) Regulations 2018 (SI 2018/597), regulation 2, which similarly defines the matter but in legal terms.
Of course, having a definition is one thing, but how does it play out in an employment context?
From a legal perspective, Aron Pope, a partner in City law firm, Fox Williams says that ‘during employment, employees have an implied duty to keep all information confidential. However, once they have left, the picture is different, and employers will be more at risk.’
He comments that although employees are still subject to an implied duty to keep trade secrets confidential, ‘without specific and robust post-termination confidentiality terms in the employment contract, wider valuable information is at risk of being passed to a competitor.’
Stevens agrees but thinks that ‘after the individual’s employment ends, the tables are turned, and the balance of public interest favours the employee. Implied confidentiality obligations are therefore generally insufficient in protecting as much information as organisations would usually like.’ But he says that there is an exception: If the information amounts to a trade secret, then there is an implied duty of confidentiality – even after termination of employment.
What should be worrying for employers is detailed by Stevens. He says ‘confidential information can become part of an employee’s necessary skill and knowledge, and, in those circumstances, employees are entitled to use that skill and knowledge when they leave and work for another company or competitor’. However, an employer can try to stop them from doing so by way of a post-termination restrictive covenant.
Practical steps
There are, however, practical and preventative steps that employers can take to protect confidential information. For Pope, this means identifying what’s important, protecting it, training staff on the importance of protection, and monitoring for any breaches.
On the first, identification, Pope says firms ‘should pinpoint the confidential information it owns. This may include intellectual property, such as marketing information and its brand, or it may be as simple as a list of client names and contact numbers. Once identified, that information should be appropriately labelled with ‘confidential’ or ‘not to be disclosed externally’, securely stored, and handled accordingly’.
Stevens is of the same view and suggests firms make it clear to employees when information is sensitive by marking emails or documents as ‘confidential’. He’d also ensure certain key information is circulated to limited numbers of employees only.
The key benefit here for Pope is ‘understanding which employees have access to information will assist when it comes to justifying the employment contract protections that need to be put in place’.
Next comes the need to protect information through contracts and policies to ensure there’s a legal disincentive against information and intellectual property being poached.
For Stevens, an obvious way to do this is to put in place effective security measures for information such as password protection and encryption.
Beyond the technical obstacles, Pope talks about bespoke confidentiality clauses that are incorporated into employment contracts: ‘These should be specifically tailored to information which is relevant to the firm and tightly drafted to capture only that information it can lawfully protect.’
He adds that recent cases have shown that trying to restrict an employee from disclosing generic information ‘relating to the business, products, affairs and finances’ of a business is unlikely to be enforced by the courts.
And looking to a post-termination future, Stevens and Pope consider that well-drafted appropriate restrictive covenants are another tool to deploy. An enforceable non-compete restriction can prevent an employee from joining a competitor for a specified period of time (generally no longer than 12 months) after their employment ends.
Similarly, non-solicitation and non-dealing restrictions may prevent them from contacting and/or working with any clients or suppliers for a limited period. It’s worth noting Stevens sees post-termination restrictive covenants in employment contracts common across many industries and that they can be useful. But in practice, he says ‘restrictions can be difficult to enforce’.
This is why Pope warns that more isn’t necessarily better: ‘Restrictions will only be enforceable if they operate in a way that is no wider than necessary to protect legitimate interests as well as goodwill and the stability of the workforce including trade secrets and confidential information.’
He says the same principles apply when drafting clauses in a settlement agreement where an employee is exiting the business: ‘Given that settlement agreements are often drawn up under contentious circumstances, it’s particularly important the employer focuses its mind on the confidential information that it is seeking to protect.’
Stevens thinks the same but adds that beyond confidentiality and non-compete clauses – which need to be sufficiently narrow and specific in order to improve their chances of being enforceable – garden leave clauses can also be helpful. He says: ‘If the relevant clauses aren’t in the employment contract, they could potentially be introduced as part of a settlement agreement.’
At the same time as putting in place well-written contracts, another tip is to write a confidentiality policy that highlights expectations about confidentiality; the types of confidential information existing in the business; and ways to keep such confidential information secure.
Again, Pope cautions about usage and says ‘for a policy to be effective, it must be read and understood by the workforce… there’s little to be gained from hiding a confidentiality policy deep in a handbook. It must be clearly visible and publicised to all employees’.
He also thinks it’s advisable that it should be read alongside other relevant policies such as IT security and data protection.
The third strand when protecting information is to train staff to reduce risk. This, says Pope, ‘will help employees identify the confidential information they may be working with or have access to; understand how to keep that information confidential; and raise awareness of their contractual obligations during employment and after leaving the business’.
With so many working from home now training is essential. This is why Stevens believes employers should adopt reporting procedures to help them ‘ensure the right information is being circulated to the right people and so line managers know what their staff are seeing and doing on a day-to-day basis’.
Training, in Pope’s eyes isn’t a one-time deal. In fact, he thinks it’s likely to be beneficial to employers to run refresher training sessions that ‘highlight additional measures and reiterate the importance of protecting confidential information, no matter the location an employee is working from’.
The last and fourth step to take is to monitor IT systems to pick up data and confidentiality breaches promptly. With the growth of hybrid working, Pope reckons ‘employers may now be more vulnerable to the loss of confidential information as remote working makes it more difficult to ensure data security’.
He points to software that can alert instantly to suspicious behaviour, such as large downloads, emails to personal accounts or voluminous printing.
However, there are various legal restrictions – the GDPR is one – which put employers at risk of overstepping the mark. Pope advises that ‘monitoring is proportionate to the legitimate interest that employers are seeking to protect, namely the confidentiality of business information’.
To stay on the rightside of the law, firms must keep employees well informed about the type of monitoring undertaken with data privacy notices and other documents. Here Stevens comments that policies should ‘make clear who’s monitoring, what they’re monitoring, the reasons for and frequency of the monitoring, what’s done with the information and who it will be shared with, as well as any sanctions’.
Further, he adds that those carrying out the monitoring, IT personnel for example, need to be aware of the consequences of carrying out unauthorised monitoring.
And of course, post-employment, business devices can be checked on return for confidential information that has been suspiciously downloaded or emailed externally. Something else to consider – from Pope – employers should ‘keep a close eye on former employee’s activity elsewhere to spot any early signs of breach of restrictive covenants or leaks of confidential information to a competitor.’ Injunctions can be sought.
Hiring employers beware
Understandably, staff are taken on precisely because of their prior experience and depth of knowledge. It’s possible that incoming employees will have captured confidential information from their former employer.
But as Pope explains, it ‘will usually be the subject of restrictions and new employers may find themselves subject to duties of confidentiality that prevent them from using it in a useful way for their business – even if it is of a great commercial benefit to them’.
The problem, says Stevens, is that skills, knowledge, experience and general know-how gained during employment can often be regarded as belonging to the employee – ‘difficulties arise when an employee divulges more specific information or uses contacts from their previous employment’.
And there is case law on the subject detailed by Pope – the 2021 case of Trailfinders Ltd v Travel Counsellors Ltd & others. Here 40 sales consultants at Trailfinders left to join a competitor which encouraged them to bring their customer contact lists; the consultants weren’t warned this might lead to a breach in confidence.
Pope highlights ‘the Court of Appeal held the competitor was in breach of an obligation of confidence. Even though it wasn’t explicitly made aware the information was confidential, it ought reasonably to have known that it was or, if unsure, it should have made enquiries as to whether it was’.
So, to minimise the risk of trouble, firms should never suggest in adverts or in interviews that confidential information is welcomed. Also, material in their possession shouldn’t be used. Anything otherwise could result in a claim against the firm for losses. Similarly, incoming employees should be asked to confirm whether they have restrictions in their previous employment contract that will impact on their new role.
Lastly, Stevens has seen previous employers seek to protect information through the courts, which could include issuing an injunction in order to restrain the use of the information: ‘A previous employer may seek damages or an account of profits from the employee and or the new employer. There are also risks associated with the use of confidential information which is otherwise protected.’ Registered copyright or a patent is a good example which firms will want to prevent a former employee – or a new employer – from using in the future.
In summary
Confidential information is by its very nature valuable, and firms should take great care to protect it against loss and misuse. Similarly, employers should ensure they’re not put in a position where they might be accused of abusing another’s protected information.
James Lowe is regulatory partner at Wright Hassall