How to stop staff stealing your secrets
It can take years of work to build up a company's intellectual property. And yet you can stand to lose it all if an employee steals client contact lists, internal documents or other confidential information. So what can a business do to protect itself from intellectual theft?
Australian businesses are increasingly susceptible to staff stealing their secrets and sales, with confidential company information able to be siphoned off with the click of a mouse these days.
And while some employees are stealing company secrets and potential leads on purpose, a huge proportion of employees are actually stealing unwittingly.
That means that the onus is on companies to ensure they have protections in place to prevent intellectual property walking out the front door. And companies would be wise to act fast given that a growing number of executives are being poached by opposition companies now that the global financial crisis is behind us.
According to March job figures recently released by ANZ, job advertisements are up 8% on March last year (seasonally adjusted). The statistics confirm that the employment market is picking up, providing more jobs and more opportunity for employees to consider their next move.
Karl Rozenbergs, partner of legal firm Hall & Wilcox, has seen a substantial increase in client requests regarding restraint clauses since December.
He says employers are realising that they need to get employment contracts in order so they don't risk having company secrets exposed once an employee resigns.
"Employers are either being exposed due to senior staff that have had access to confidential information moving on, or that have strong ties to the employer's client base. Others are realising the potential loss they could encounter if employees did move on, so are contacting their company lawyer," Rozenbergs says.
A real threat
Workplace theft of this nature is very real, according to cyber crime specialist Greg Singh of RSA, the security division of technology company, EMC. He says Australian companies spend between $500,000 and several millions continually beefing up workplace IT security to prevent theft, but says it does happen from time to time.
"Workplace security wasn't such an issue a couple of decades ago. Once staff left the office, there was a physical barrier that prevented them from taking anything of any real value from the building."
"But these days as technology takes over our lives, employees can steal an entire database of contacts or private company documents or procedure manuals at the click of a button."
Singh says cyber espionage is alive and well in Australia, with demand for confidential information opening up a willing supply chain.
"Stealing company information is far worse than stealing material assets from an office, because it has the potential to cripple a business. And it's up to a business to make sure they make it clear how they expect employees to behave," Singh says.
Businesses that have specialist financial systems, are profitable due to the way they go to market or employ people with specialist knowledge should also consider protection, according to Stephen Curtain, Aitken Partners Melbourne partner.
"Any business with particularly sensitive information needs to take this matter very seriously. So many times we find that employees aren't stopping to think about whether they're entitled to this information before they leave a company, so it's up to the employer to be sure they stipulate the rules up front," Curtain says.
Taking steps to protect your business
So what steps can a business take to protect itself?
Data leakage prevention software, which can prevent certain material from being sent from a company laptop, can be an extremely valuable tool for companies. Encryption technology, which prevents unauthorised recipients of your company data from opening confidential documents, can also be a worthwhile investment.
Businesses should also ensure an employment contract includes a confidentiality clause (similar to a non-disclosure contract) that is clearly understood by the employee. Curtain says he's seen a few legal cases fall over because what constituted confidential information wasn't made clear enough by a company.
"Businesses need to make it crystal clear what is confidential information, preferably with a 'confidential' stamp clearly marked on particular documents so there's no confusion," Curtain says.
Peter Vitale, principal of Melbourne's CCI Lawyers, says an employment contract or confidentiality agreement should include clauses like:
* A clear definition of what is regarded to be confidential information, with specific definitions to suit your business;
* A clear definition of what is NOT regarded as confidential information;
* A clause that relates to any specific information created in the course of employment remaining with the employer;
* Consider identifying a time period by which the agreements in the contract must remain in place; and
* An acknowledgement that monetary damages may not necessarily be adequate compensation if the conditions are breached.
Jamie Robinson, partner of Brisbane's Harmers Workplace Lawyers, says that when a staff member resigns, they should be directed to delete any business information before they leave, which circumvents accidental theft.
"The advent of electronic communication, particularly email, makes it potentially more difficult for companies to prevent dissemination of confidential information. However, employees need to be very careful as obviously most email systems also make it substantially easier for employers to track and trace inappropriate behaviour and distribution of confidential information, making breaches much easier to prove," Robinson says.
Social networking a gray area
However, there's a very definite gray area around who owns the contacts gained on corporate social networking sites in the line of duty, such as LinkedIn.
Malcolm Burrows, associate of Brisbane's Rostron Carlyle Solicitors, believes that contacts gained online during work hours belong to the employer, but says many businesses don't enforce this.
"Anyone in sales dealing with a longer sales cycle has the danger of sales people being able to build up their relationships on LinkedIn, for example. But then they move jobs, update their status and proceed to keep all of those contacts. So unbeknown to an employer, people all over the country are taking all or part of their entire sales database."
Burrows says while a legal case relating to LinkedIn hasn't made it to court, he believes it will be only a matter of time before the matter is pursued legally.
"As far as I'm concerned, LinkedIn is a ticking time bomb. Businesses need to have a social media policy that is clearly understood by employees."
The letter of the law
So what should a business do if an employee has breached its workplace confidentiality?
A breach could end up in court, according to Robinson.
He says an employer could:
* Take disciplinary action against an employee who uses confidential information inappropriately. This could include dismissal.
* Seek a court order to prevent future inappropriate use of confidential information; and/or
* Seek court orders against the employee to recover the monetary value of any damage the employee has caused to their business.
Robinson says while these obligations are reinforced with legislation, they need to be proven in court.
"There's a substantial level of litigation surrounding inappropriate use of confidential information, particularly given that competitive advantage often now comes from that information. I would say there is an increased willingness to litigate, or at least take precursory steps toward litigation to protect confidential information and sales," Robinson says.
But if a company does have to take the matter to court, think carefully before pursuing the legal system, advises Curtain.
"Sometimes an employer has a strong suspicion that it's happening, but the risk is low, so it's not always worth pursuing the matter legally."
However, perhaps the answer lies in a company's interviewing techniques and hiring policy.
Singh says that despite the law protecting companies to some extent, there's nothing that can protect a business against truly malicious intent combined with an understanding of how technology works.
"When someone is truly intent on doing the wrong thing, they can harvest the hard drive or any number of other things. While you can take steps to protect yourself, you do also need to be able to trust your employees."