Protecting confidential information and IP amid employee mobility
A company’s ability to maintain the confidentiality of its trade secrets and other sensitive information is affected to a significant degree by employee mobility. An exiting employee can leave with a company’s confidential information, risking loss of trade secrets and serious harm to the company. Additionally, incoming employees can threaten a company’s confidential information by contaminating it with proprietary information from a prior employer. This article describes several practical steps and specific procedures that companies can follow with respect to departing and incoming employees to help protect company confidential information, and to mitigate the risk of exposure to third-party confidential information.
Companies regularly have to decide whether to seek patent protection for their innovations or to maintain them as trade secrets. Many companies will file patents for certain inventions and elect to treat other techniques, formulae, or processes as trade secrets. For example, companies may more frequently seek to patent customer-facing innovations, while maintaining back-end solutions as trade secrets. Each route has its advantages and limitations. Regardless, all companies will continue to have confidential information that they will want to preserve. Some of the confidential information may constitute protectable trade secrets, while other information may simply be sensitive information the company does not wish to share with the public—and certainly not with its competitors. In either event, the value of the information (and any legal protection) is largely dependent upon the company’s ability to maintain its confidentiality.
It is nonetheless a practical reality that companies generate, maintain, and lose confidential information through their employees. While with the company, many employees will have access to, and work regularly with, the company’s confidential information, using myriad company-issued computers, devices, and storage media to handle the information. When such employees depart, there is a risk that, through inadvertence or otherwise, they will take confidential information with them. To address this risk, companies should have procedures in place to ensure confidentiality is maintained. These procedures may include having new hires execute invention disclosure, assignment, and confidentiality agreements. These elements are particularly important for departing employees, through whom companies frequently have the greatest exposure to lost confidential information.
Protecting Confidential Information and IP When Employees Depart
Upon notification that an employee will be leaving, companies should consider, as part of their overall intellectual property management system, taking at least the following steps:
- Confirm that the departing employee will return all company confidential information, and, as appropriate, prepare, collect, and return all company-issued IT systems and access materials and IT-related devices before the departure date. Items that should be collected may include badges, calling cards, cell phones, corporate cards, token/hard keys, furniture and office keys, pagers, wireless devices, laptops, and any other devices or accessories that may contain or enable access to the company’s confidential information.
- Verify that written notice has been provided to the departing employee about his or her continuing obligations regarding the company’s confidential information, and maintain such written notice in an appropriate repository. Reaffirm obligations under appropriate confidentiality, invention disclosure, and assignment agreements.
- Obtain the departing employee’s new contact and employment information. The company should consider notifying the new employer of the departing employee’s ongoing obligations with respect to company confidential information.
- Take appropriate steps to limit or halt the departing employee’s access to company confidential information and to instruct the network administrator to tailor access to all IT systems and facilities accordingly.
- Request and review a memo from the departing employee that summarizes ongoing projects. The nature or status of the projects may indicate the need for further security measures.
- Determine whether the departing employee is subject to a “litigation hold” and, if so, coordinate as necessary to take steps to ensure the continued preservation of any information within the scope of the hold.
- Obtain written certification from the departing employee that all company confidential information has been returned.
The level of risk associated with the departure will influence the measures that need to be taken to restrict access to company confidential information. It is therefore critical to determine at the earliest opportunity whether a departure presents a high risk to company confidential information, warranting special protective measures. Considerations that may indicate the need for further measures include that the departing employee:
- is of high rank or seniority;
- has special access to or responsibility for confidential information;
- is presently engaged in a sensitive business unit or initiative;
- is associated with actual or threatened mishandling or misappropriation of confidential information; and/or
- intends to work for a competitor.
In higher-risk situations, the company may consider immediately confiscating company-issued computers/devices, disabling access to all networks and facilities, and even potentially escorting the employee from the facility. Additionally, the company should promptly investigate all information, computer systems, and devices (e.g., voicemail, email, etc.) that have been used or accessed by a departing employee. The departing employee’s work area should be checked for any missing files, records, or documents. By contrast, in comparatively low-risk situations, the company may permit the departing employee access to company data, as necessary, to complete ongoing projects, before termination.
With these steps, a company can exert greater control over its confidential information during times of employee transition. While these procedures cannot prevent all acts of misappropriation, they can certainly enable a company to identify threats and demonstrate that the company has taken reasonable steps to ensure the confidentiality of its information—an essential element for establishing, and enforcing, trade secret protection.