Increasingly, a business’ most important assets are digital in nature. Client databases, business plans, source code and other intellectual property often represent a significant portion of a business’ value. Technology such as cloud-storage and sharing applications makes it simple for such assets to be shared, sent, manipulated, downloaded, transferred, accessed or deleted in a few moments. Theft of data due to breaches and backdoor access by sophisticated hackers makes the news; however, the most common form of theft of digital assets is committed by a business’ own employees. There are a number of reasons why an employee may steal such assets, from being disgruntled, to helping a competitor, to becoming a competitor themselves. Small businesses are more likely to be targeted because they have less sophisticated systems of protection.
So how does a small business protect itself from such theft? The best way is to implement some common sense best practices to limit such exposure with HR Policies and Practices, Technology Protections, and Trade Secret Litigation. In this series, we will look at the first of these methods: HR Policies and Practices. These front-end defenses are so important because laws to protect businesses after the theft occurs are often inadequate.
A business’ HR Policies and Practices should focus on protection of business data. Some common sense policies include subjecting new employee candidates to a background investigation. Background investigations may reveal prior crimes of dishonesty or terminations of employment due to dishonest actions. Identifying and avoiding the hiring of candidates for employment who may have a proclivity for dishonest behavior is one significant way to reduce the likelihood of employee theft of data.
A second effective HR policy is to have in place and provide written confidentiality policies to all employees upon hiring, which employees should be required to sign and acknowledge. The communication of such policies should occur as part of an initial orientation so that employees are aware of the company’s requirements for accessing and using company trade secrets. The scope and definition of trade secrets should be clearly defined in the company’s policy and procedures manual.
There should also be a reporting policy for situations where employees become aware of a possible breach of security policies. Further protective policies might include prohibitions on sharing passwords, password strength requirements or a requirement to change passwords every so often. The business should also prohibit the practice of e-mailing sensitive data and/or downloading third-party sharing software platforms (such as Dropbox) for transmitting data.
When an employee’s employment is terminated, the business must make sure to immediately limit access to confidential information. The months leading up to a change in employment are the most likely time for a theft to occur, as was the case for one employee who downloaded over 100 files from his employer when he learned he was about to be terminated. If an employee resigns, efforts should be made to determine who will be the employee’s next employer, to remind the employee of his duties of confidentiality, and to confirm that no copies of the confidential information have been retained by the employee or sent to any third party. An internal IT professional should review the employee’s computer to determine if any suspicious e-mails have been sent or downloads have occurred. If any are detected, the business should confront the employee to try to reduce the likelihood of a future disclosure.
While these and other common sense HR policies may not prevent employee theft of a business’ trade secrets, they will act to minimize such exposure. Further, if an employee does take confidential information, these policies will become an important aspect of the employer’s case for theft of trade secrets should litigation be necessary to prevent the employee from using or sharing the business’ confidential information.
In the next post, we will look at the second prong for protecting a business’ confidential information: implementing common sense technology and procedural protections.