When Politico reported that it received a copy of a confidential draft of a purported landmark opinion from the U.S. Supreme Court, employers took note.
If someone from an institution as sacred as the Supreme Court could suffer such a monumental breach of confidentiality, what can regular employers do to protect their information?
For many years, employers have been focused on preventing third-party intrusions or hacking into their systems and operations. Employers should continue to focus on third parties but also consider what they are doing to prevent employees from disclosing confidential and proprietary information.
Protecting the confidentiality of customer and employer information has become particularly difficult in the remote work environment.
The Supreme Court leak presents a good opportunity for employers to examine what they have done, and are doing, to protect confidential information.
First, ask what protections you already have in place. Some of my clients have:
- a well-communicated policy and culture of ethics, honesty and integrity;
- a robust, well-communicated policy regarding confidential and proprietary information;
- information technology systems whereby USB and other devices cannot be used on any work computer and/or whereby only approved USB devices can be used, and even those contain a password; and
- operational controls whereby the system triggers when an email has been forwarded to a “gmail” address or other personal email account.
Even with these controls, employees can unfortunately simply take a picture of their computer with their personal device, or print documents and then rescan them. This is especially difficult to control where employees are working remotely.
While most employers have moved to online technology for sharing and storing documents, these systems create a greater likelihood of sharing information. There have been many times in recent years where I have printed a confidential document, shared it with a board or group on a need-to-know basis, and then collected the document at the end to make sure the document was not reproduced, copied or shared with others.
Even with the best organizational controls, sometimes employees can find a way to circumvent them.
I recently had a client whose employee circumvented its operational controls by creating a separate server to upload client information and then posted it on his personal website with the intent of promoting his consulting services. This employee hadn’t intended to harm the client or employer, but to promote the work he did with the employer, although his actions nonetheless disclosed confidential information.
Employers should implement as many controls as possible, but employers can also take an extra step by having employees sign non-disclosure agreements with consequences for violations.
Among other provisions, the non-disclosure agreement can be something like this:
Recognition of Company’s Rights; Nondisclosure. At all times during his/her employment and thereafter, Employee will hold in the strictest confidence and will not disclose or use any of Company’s Proprietary or Confidential information (as defined), except as such disclosure or use may be required in connection with his/her work for Company, or unless Company’s President/CEO expressly authorizes such in writing. Employee hereby assigns to Company any rights Employee may have or acquire in such information and recognizes that all Proprietary and Confidential Information shall be the sole property of Company and its assigns. Employee has been informed and acknowledges that the unauthorized taking of Company’s trade secrets may subject Employee to civil or criminal penalties.
Employees who have signed such agreements under penalty of legal consequences or even prosecution (it is criminal theft for employees to steal information or break into the company’s computer systems) may be less likely to engage in acts of disclosure or misappropriation.