Defecting Employees

In addition to limiting employee access to information, companies can also use loss-prevention technology to prevent employees from taking or transferring that information. For example, software is available to prevent employees from inserting USB thumbdrives into their computers to take information. Likewise, businesses can use technology to monitor e-mails and text messages so that when triggering information is sent by e-mail, the company is notified. This type of software can be particularly effective in preventing employees from e-mailing confidential information to their homes or new employers when they leave. Software is also available to monitor printing and file-sharing services. Companies need to consider how their information may be transmitted and how comprehensive they want their preventive measures to be.

Companies that allow employees to access or store confidential information on their personal devices should particularly consider protecting information through technology. Higher-end controls may be needed for documents on remote computers or mobile devices, and companies may want to contemplate requiring software on laptops and smartphones that will enable the company to remotely wipe the proprietary contents of these devices as soon as the employee resigns.

Taking these steps will serve your company well on three fronts. First, they will help to prevent employees from taking information that could benefit a competitor. Second, if an employee does take information and the company sues to prevent the misappropriation and misuse of that information as a trade secret, the company will need to prove it took steps to keep the information confidential. If reasonable steps are not taken to protect the information, trade secret protection may not apply to the information. Finally, good technological controls will also provide evidence of attempted misappropriation in the event the company decides to seek injunctive or other relief in court.

Implement Agreements

Although a company can go a long way toward protecting its information through the use of software and other technology, these methods are not fullproof. Therefore, companies should also institute policies affirming that company information is confidential and must be treated as such. Companies should consider what types of information they deem confidential and proprietary, and describe that information in their confidentiality agreements. Since an increasing number of employees are re-creating information once they arrive at their new employer, the company should also specify that even information retained in memory is confidential and should not be used or disclosed other than to conduct business on behalf of the company.

The policy should require that information not be taken, used or disclosed, but also that if it is in the employee's possession when he resigns, it should be immediately returned. In order to determine exactly what the employee took and what he may have done with the information, policies should be clear that any information in electronic format should be preserved and the company is permitted to review and delete that information.

Confidentiality agreements should also specify that the company has the right to inspect the employee's personal devices if it suspects that they contain confidential information. In fact, if a company decides to allow employees to use their own personal devices to conduct business on behalf of the company, it is advisable to require them to sign a specific Acceptable Use Agreement. This agreement should outline the acceptable uses of company information and make it clear that employees are responsible for keeping company information secure. This is a good place for the company to make it clear that use of the personal devices for company business is conditioned upon the installation of remote wiping software.

Companies should not forget about independent contractors, vendors and other business partners when assessing measures to safeguard their confidential information. Any information disclosed to such entities should likewise be protected by an appropriate agreement.

Disseminate a Social Media Policy

Many companies encourage employees ' particularly those involved in sales and marketing ' to use social media sites to increase their contacts and communicate with customers. Yet, this social interaction, which is very beneficial while the employee is working to promote the company's interests, can also be used to divert information and customers once the employee resigns.

By allowing employees to link in with customers or other confidential contacts, the company may be destroying the legal protection afforded this information. This is a particular challenge with regard to customer and prospect information. While companies want their employees to be able to communicate with customers through increasingly popular social media sites, they also have a legal obligation to protect the confidentiality of that customer information. As discussed above, if a company wants its confidential information to be protected when an employee leaves, it needs to show that the information was not publicly available and that it took steps to keep the information private. If an employee posts customer names and other information on a social media site, a court could conclude that the information was publicly available ' even if only a limited number of people could view the information.' If the court concludes that the company put the information in the public domain or failed to take steps to protect the confidentiality of the information, it may decide that the information was no longer confidential or entitled to trade secret protection.

Social media sites can also enable employees to thwart contract provisions that prevent them from initiating contact with, or soliciting customers when they resign. Many companies take great pains to implement employment agreements that contain these types of restrictive covenants. However, if the company has permitted the employee to link in with customers during his employment, the employee simply has to update some aspect of his profile, such as his employment, and each of his contacts will get an automatic notification that the employee has updated that information and the new information will be provided.

The employee can then continue to ping customers by tweaking different aspects of his profile, causing additional notifications to be sent to the company's customers each time he does so. Courts are facing an increasing number of lawsuits alleging that an employee's communication with a contact on a social media site was a solicitation. At least one court has indicated that if a company wants to prevent that type of conduct, it should provide a definition of “solicit” that specifically includes that type of activity. Enhanced Network Solutions Group, Inc. v. Hypersonic Technologies Corp., 951 N.E.2d 265 at fn. 1 (Ind. Ct. App. 2011).

Some of these matters may be resolved through a thorough and well-promulgated social media policy that discusses the use of confidential information on social media sites, what social media can be used by employees, who they can link in with, and what happens to those connections once they resign. Designing a social media policy is not easy because employers need to navigate the National Labor Relations Act (NLRA) to make sure that their policy does not run afoul of an employee's Section 7 right to engage in concerted protected activity. Concerted protected activity extends protection to all employees (whether union or non-union) to band together for “mutual aid or protection.” Section 7 is designed to ensure that employees can share concerns over common employment terms and conditions.

Many companies make sweeping proclamations in their social media policies, which can make that policy run counter to Section 7. For example, the National Labor Relations Board (NLRB) invalidated a company policy that prohibited any posts that damage the company, its reputation, or defamed an individual, concluding that it was an overly broad restriction on employees' Section 7 rights. See Costco Wholesale Corp., 358 NLRB No. 106.

Employers need to implement social medial policies that ensure that confidential information remains confidential while at the same time not running afoul of employee rights. Some of the provisions that employers can consider adding to their social media policies include: 1) Specifying that login and passcode information on sites used for business purposes are owned by the employer and must be disclosed to the employer; 2) Explaining that the company will monitor activity on social media sites that are used for business purposes; 3) Confirming that information regarding customers, prospective customers, vendor contact information and whatever other connections the company considers confidential are owned by the company; 4) Ensuring that social media information is specifically included as part of confidential information that is protected by any confidentiality or non-disclosure policies; 5) Limiting the information that can be posted on these sites (again while making sure not to violate the NLRA); 6) Requiring employees to set their social media sites to private so that their connections cannot view each other; and 7) Specifically stating that if an employee chooses to connect with customers or other confidential connections, he must either disconnect from those connections following termination of employment, or not update his profile if he does not remove confidential connections.

The last item above raises two issues. First, if the employee disconnects from an individual, some social media sites will automatically send a notification to that person stating that the connection has been terminated. This could cause the customer to call the employee to find out why their connection was terminated. If the customer calls the employee, a court may conclude that the employee is then free to talk to the customer about his new venture ' thereby skirting any nonsolicitation restrictions. Alternatively, if the company does not require employees to terminate those confidential connections, then they still have access to the customer's information and it can be difficult to monitor whether they use that information in their new role. Companies need to consider which approach is best for their situation.

Crafting a social media policy that will protect your company's confidential information and limit communications with customers will likely be one of the most important steps that the company takes to protect itself, as the Internet and social media redefine how companies do business.

Monitor Employees and Conduct Exit Interviews

If the company suspects that an employee might be planning to resign, it should not wait to begin monitoring her activities. By monitoring an employee before she departs, a company can learn about activities that may be harder to detect after she leaves. For example, if employees begin printing excessive information or start carrying laptops into the office, those actions could raise red flags the company will want to ask about if the employee in fact resigns. If the company is aware that an employee is interviewing with a competitor or seems to be unhappy at the company, new technologies can allow the company to track the employee's digital activities. Software is available to record everything that occurs on company devices and provide reports on unusual activity, such as data transfers.

When employees do resign, management should conduct an exit interview to learn about the employees' new position and to remind them of their obligation to maintain the confidentiality of company information. Management should ask the employee where he is going, and what position he will be in at the new company. The employee should also be questioned about any company information he has in his possession, and be asked to immediately return it. If the employee had access to valuable company information, or there is a question about whether the employee has possession of that information, the company may want to require the employee to sign off on a statement that all information has been returned.

At the conclusion of the exit interview, the employee should be provided with either the confidentiality agreement that she signed, or a sample of the company's policy so that she is aware of her obligations. Departing employees should be told that the company expects full compliance with the agreement, and be reminded that the agreement requires employees to return all company property and information. Once the exit interview has finished, the employee should be escorted out of the office to make sure he does not take any company information.

Finally, management should quickly act to terminate the employee's access to company systems. Most businesses know to terminate the employee's access to their network and e-mail accounts. However, consider other places where the employee may be able to obtain information. For example, does the employee have a remote access connection that needs to be terminated? Also check their phone lines to see if they have changed their message to direct customers to call their new firms. Make sure that the password is changed on any phone line so that the employee cannot call in and obtain messages from the company's customers.

Conclusion

By following the steps outlined above, companies can take greater control over information that could be devastating in the hands of a competitor. Management should meet with their technology and legal advisers to determine what is both possible and practical in deciding whether to institute some or all of these measures.

Susan Guerette is a partner in the Philadelphia office of Fisher & Phillips. She can be reached at [email protected].

In today's business world, the entirety of a company's most significant information can be uploaded to a device the size of a thumbnail and taken by a departing employee. The consequences can be devastating. With advances in technology, it is more important than ever for companies to identify their confidential information and institute measures to preserve and protect that information from employees who decide to leave the company.

Use Technology to Control Information

As a first step, companies should consider which employees need access to what information. Once the determination is made, employers should require passwords to access any company computer, and use additional passwords to restrict employees who do not need to view more sensitive company information. Some companies are even employing voice-recognition software and more advanced methods of confirming identities before allowing access to more sensitive information. In addition, businesses can consider encrypting files and folders that they do not want easily accessed.

In addition to limiting employee access to information, companies can also use loss-prevention technology to prevent employees from taking or transferring that information. For example, software is available to prevent employees from inserting USB thumbdrives into their computers to take information. Likewise, businesses can use technology to monitor e-mails and text messages so that when triggering information is sent by e-mail, the company is notified. This type of software can be particularly effective in preventing employees from e-mailing confidential information to their homes or new employers when they leave. Software is also available to monitor printing and file-sharing services. Companies need to consider how their information may be transmitted and how comprehensive they want their preventive measures to be.

Companies that allow employees to access or store confidential information on their personal devices should particularly consider protecting information through technology. Higher-end controls may be needed for documents on remote computers or mobile devices, and companies may want to contemplate requiring software on laptops and smartphones that will enable the company to remotely wipe the proprietary contents of these devices as soon as the employee resigns.

Taking these steps will serve your company well on three fronts. First, they will help to prevent employees from taking information that could benefit a competitor. Second, if an employee does take information and the company sues to prevent the misappropriation and misuse of that information as a trade secret, the company will need to prove it took steps to keep the information confidential. If reasonable steps are not taken to protect the information, trade secret protection may not apply to the information. Finally, good technological controls will also provide evidence of attempted misappropriation in the event the company decides to seek injunctive or other relief in court.

Implement Agreements

Although a company can go a long way toward protecting its information through the use of software and other technology, these methods are not fullproof. Therefore, companies should also institute policies affirming that company information is confidential and must be treated as such. Companies should consider what types of information they deem confidential and proprietary, and describe that information in their confidentiality agreements. Since an increasing number of employees are re-creating information once they arrive at their new employer, the company should also specify that even information retained in memory is confidential and should not be used or disclosed other than to conduct business on behalf of the company.

The policy should require that information not be taken, used or disclosed, but also that if it is in the employee's possession when he resigns, it should be immediately returned. In order to determine exactly what the employee took and what he may have done with the information, policies should be clear that any information in electronic format should be preserved and the company is permitted to review and delete that information.

Confidentiality agreements should also specify that the company has the right to inspect the employee's personal devices if it suspects that they contain confidential information. In fact, if a company decides to allow employees to use their own personal devices to conduct business on behalf of the company, it is advisable to require them to sign a specific Acceptable Use Agreement. This agreement should outline the acceptable uses of company information and make it clear that employees are responsible for keeping company information secure. This is a good place for the company to make it clear that use of the personal devices for company business is conditioned upon the installation of remote wiping software.

Companies should not forget about independent contractors, vendors and other business partners when assessing measures to safeguard their confidential information. Any information disclosed to such entities should likewise be protected by an appropriate agreement.

Disseminate a Social Media Policy

Many companies encourage employees ' particularly those involved in sales and marketing ' to use social media sites to increase their contacts and communicate with customers. Yet, this social interaction, which is very beneficial while the employee is working to promote the company's interests, can also be used to divert information and customers once the employee resigns.

By allowing employees to link in with customers or other confidential contacts, the company may be destroying the legal protection afforded this information. This is a particular challenge with regard to customer and prospect information. While companies want their employees to be able to communicate with customers through increasingly popular social media sites, they also have a legal obligation to protect the confidentiality of that customer information. As discussed above, if a company wants its confidential information to be protected when an employee leaves, it needs to show that the information was not publicly available and that it took steps to keep the information private. If an employee posts customer names and other information on a social media site, a court could conclude that the information was publicly available ' even if only a limited number of people could view the information.' If the court concludes that the company put the information in the public domain or failed to take steps to protect the confidentiality of the information, it may decide that the information was no longer confidential or entitled to trade secret protection.

Social media sites can also enable employees to thwart contract provisions that prevent them from initiating contact with, or soliciting customers when they resign. Many companies take great pains to implement employment agreements that contain these types of restrictive covenants. However, if the company has permitted the employee to link in with customers during his employment, the employee simply has to update some aspect of his profile, such as his employment, and each of his contacts will get an automatic notification that the employee has updated that information and the new information will be provided.

The employee can then continue to ping customers by tweaking different aspects of his profile, causing additional notifications to be sent to the company's customers each time he does so. Courts are facing an increasing number of lawsuits alleging that an employee's communication with a contact on a social media site was a solicitation. At least one court has indicated that if a company wants to prevent that type of conduct, it should provide a definition of “solicit” that specifically includes that type of activity. Enhanced Network Solutions Group, Inc. v. Hypersonic Technologies Corp. , 951 N.E.2d 265 at fn. 1 (Ind. Ct. App. 2011).

Some of these matters may be resolved through a thorough and well-promulgated social media policy that discusses the use of confidential information on social media sites, what social media can be used by employees, who they can link in with, and what happens to those connections once they resign. Designing a social media policy is not easy because employers need to navigate the National Labor Relations Act (NLRA) to make sure that their policy does not run afoul of an employee's Section 7 right to engage in concerted protected activity. Concerted protected activity extends protection to all employees (whether union or non-union) to band together for “mutual aid or protection.” Section 7 is designed to ensure that employees can share concerns over common employment terms and conditions.

Many companies make sweeping proclamations in their social media policies, which can make that policy run counter to Section 7. For example, the National Labor Relations Board (NLRB) invalidated a company policy that prohibited any posts that damage the company, its reputation, or defamed an individual, concluding that it was an overly broad restriction on employees' Section 7 rights. See Costco Wholesale Corp., 358 NLRB No. 106.

Employers need to implement social medial policies that ensure that confidential information remains confidential while at the same time not running afoul of employee rights. Some of the provisions that employers can consider adding to their social media policies include: 1) Specifying that login and passcode information on sites used for business purposes are owned by the employer and must be disclosed to the employer; 2) Explaining that the company will monitor activity on social media sites that are used for business purposes; 3) Confirming that information regarding customers, prospective customers, vendor contact information and whatever other connections the company considers confidential are owned by the company; 4) Ensuring that social media information is specifically included as part of confidential information that is protected by any confidentiality or non-disclosure policies; 5) Limiting the information that can be posted on these sites (again while making sure not to violate the NLRA); 6) Requiring employees to set their social media sites to private so that their connections cannot view each other; and 7) Specifically stating that if an employee chooses to connect with customers or other confidential connections, he must either disconnect from those connections following termination of employment, or not update his profile if he does not remove confidential connections.

The last item above raises two issues. First, if the employee disconnects from an individual, some social media sites will automatically send a notification to that person stating that the connection has been terminated. This could cause the customer to call the employee to find out why their connection was terminated. If the customer calls the employee, a court may conclude that the employee is then free to talk to the customer about his new venture ' thereby skirting any nonsolicitation restrictions. Alternatively, if the company does not require employees to terminate those confidential connections, then they still have access to the customer's information and it can be difficult to monitor whether they use that information in their new role. Companies need to consider which approach is best for their situation.

Crafting a social media policy that will protect your company's confidential information and limit communications with customers will likely be one of the most important steps that the company takes to protect itself, as the Internet and social media redefine how companies do business.

Monitor Employees and Conduct Exit Interviews

If the company suspects that an employee might be planning to resign, it should not wait to begin monitoring her activities. By monitoring an employee before she departs, a company can learn about activities that may be harder to detect after she leaves. For example, if employees begin printing excessive information or start carrying laptops into the office, those actions could raise red flags the company will want to ask about if the employee in fact resigns. If the company is aware that an employee is interviewing with a competitor or seems to be unhappy at the company, new technologies can allow the company to track the employee's digital activities. Software is available to record everything that occurs on company devices and provide reports on unusual activity, such as data transfers.

When employees do resign, management should conduct an exit interview to learn about the employees' new position and to remind them of their obligation to maintain the confidentiality of company information. Management should ask the employee where he is going, and what position he will be in at the new company. The employee should also be questioned about any company information he has in his possession, and be asked to immediately return it. If the employee had access to valuable company information, or there is a question about whether the employee has possession of that information, the company may want to require the employee to sign off on a statement that all information has been returned.

At the conclusion of the exit interview, the employee should be provided with either the confidentiality agreement that she signed, or a sample of the company's policy so that she is aware of her obligations. Departing employees should be told that the company expects full compliance with the agreement, and be reminded that the agreement requires employees to return all company property and information. Once the exit interview has finished, the employee should be escorted out of the office to make sure he does not take any company information.

Finally, management should quickly act to terminate the employee's access to company systems. Most businesses know to terminate the employee's access to their network and e-mail accounts. However, consider other places where the employee may be able to obtain information. For example, does the employee have a remote access connection that needs to be terminated? Also check their phone lines to see if they have changed their message to direct customers to call their new firms. Make sure that the password is changed on any phone line so that the employee cannot call in and obtain messages from the company's customers.

Conclusion

By following the steps outlined above, companies can take greater control over information that could be devastating in the hands of a competitor. Management should meet with their technology and legal advisers to determine what is both possible and practical in deciding whether to institute some or all of these measures.

Susan Guerette is a partner in the Philadelphia office of Fisher & Phillips. She can be reached at [email protected].