Q: How can I ensure my employees protect my confidential information?
A: Protecting confidential information – such as proprietary information, sensitive client or customer information, trade secrets, financial data, or any other information that could negatively impact the company if it became public – is crucial to success in any business. As the adage goes, "it is difficult to put the genie back in the bottle," which is doubly true when safeguarding confidential information. In the ever-shifting technological and legal landscape, being proactive and having a multifaceted approach to protecting confidential information is critical. Here are some key tips to help ensure that your confidential information remains protected.
Safeguard No. 1: Include a Confidentiality Policy in the Employee Handbook
A confidentiality policy in an employee handbook might state that the disclosure, misuse, or unauthorized use of confidential information, documents, or data is prohibited and may lead to disciplinary measures, up to and including termination of employment. While courts typically do not treat employee handbooks as legally binding unless contract principles have been met, having such a policy within the handbook effectively informs employees of their confidentiality obligations and may form an appropriate basis for employment termination.
Safeguard No. 2: Confidentiality Agreements
Confidentiality agreements that protect sensitive or proprietary business information from unauthorized disclosures by employees are generally enforceable and can be a strong tool in safeguarding against unwanted disclosures. However, enforceability depends on the scope of the agreement and whether it aligns with jurisdiction-specific standards. Employers should consult legal counsel to ensure their confidentiality agreements are legally compliant.
For example, the U.S. Court of Appeals for the First Circuit has held that overly broad agreements are unenforceable. Provisions purporting to cover any information employees may obtain during their tenure, any information regarding the business, any information provided to the employee by the employer, and any information received from third parties, such as former clients, are deemed as overbroad and thus unenforceable. See TLS Mgt. & Mktg. Servs., LLC v. Rodríguez-Toledo, 966 F.3d 46, 59 (1st Cir. 2020).
Similarly, the Seventh Circuit has held that confidentiality agreements are only enforceable where the party seeking enforcement has taken reasonable steps to safeguard the information it claims as confidential. See nClosures Inc. v. Block and Co., Inc., 770 F.3d 598, 602 (7th Cir. 2014).
It is important to keep in mind that employers cannot use confidentiality agreements to stop employees from reporting legal violations under whistleblower laws.
Safeguard No. 3: Early Detection and Protecting Against Cyberattacks
First, it is critical that employers inform their employees what constitutes confidential information and make employees aware of the repercussions of mistreating the confidential information with which they are entrusted. Given the ever-shifting technological and legal landscape of the workplace, routine and updated training on confidential information is key to assuring employees are aware and up to date on employer-specific policies.
While training and awareness are always critical, employers also can use security services to monitor and track the flow of confidential information within the workplace, including instances where employees improperly transfer confidential information to their personal accounts. However, keep in mind that some states such as Delaware restrict workplace monitoring.
Best Practices
There's no question that employers should adopt policies and measures to safeguard confidential information. To that end, the following best practices can help reinforce employees' confidentiality obligations.
- Make confidentiality training a key component of the onboarding process. Employees should receive clear guidance on what constitutes confidential information and their obligations to safeguard such information.
- Implement a "Clean Desk" policy, which usually requires employees to avoid leaving documents that contain personal or sensitive information exposed on desks or in any public work areas such as conference rooms and break rooms. Confidential materials should be properly stored or secured, especially when employees are away from their desks.
- Create a comprehensive exit procedure that instructs employee to return company documents and confidential information before their employment formally ends.
Lastly, while taking steps to safeguard confidential information from improper internal disclosures is necessary, employers must protect against disclosures from outside, namely, cyberattacks. Fortunately, these two concepts go hand-in-hand, and employers should treat them equally. Training should include defining what confidential information is and the common methods hackers use to try and access it. For example, employees should be aware of the prevalence of phishing emails and be familiar with reporting these attacks internally. Further, just as employees should be trained to keep Clean Desks, they should be trained to avoid keeping their passwords written on paper or near their computers. Understanding the latest tactics in a hacker's playbook, and recognizing potential attacks is essential to ensure that employees do not inadvertently disclose confidential information.
While every employer has unique circumstances, all should want their confidential information kept safe. Employers can ensure that their sensitive data remains private by being proactive and adopting and enforcing a comprehensive strategy.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
