Business Law & Compliance
Employees come and go, but are they taking trade secrets with them?
6 min read
21 February 2019
It's all well and good sharing business-related information with your staff, but what happens when they leave? If you don't set the legal grounding for what ex-employees can and can't say about your company, you risk your competitors finding out things about your set-up that you don't want them to know about.
Last week Tinder’s co-founder, Sean Rad, was sued for violating trade secret protection arrangements by Match Group. Following Match’s merger with Tinder in 2017, Rad is accused of making copies of work documents and forwarding highly sensitive materials containing Match’s business strategies to his personal email.
Have the conditions of employment become too relaxed?
The case is a timely reminder of how valuable trade secrets and confidential information can be.
Modern employee mobility and less formal, fast-moving start-up environments increase the risk of valuable information, including technological know-how, commercial strategies and customer information, being made public, or worse, falling into the hands of competitors.
The Trade Secrets Directive (2016/943) was introduced last year to harmonise the approach to trade secrets across the EU and provide a common standard of protection for businesses. It is broadly in line with existing UK law but includes an express requirement for employers to show that steps have been taken to protect their confidential information. This is significant: taking such steps obviously will help prevent confidential information from being stolen or misused in the first place, but will also now help prove this information was a trade secret. Here are some other factors to take into consideration below…
What are you protecting?
Every company should constantly review what information is confidential and valuable in its business. It should be stored and used in a way that maintains its confidentiality. Do all employees need access to the full customer list? Have sensitive documents been password protected or stored on a commonly accessible server? Can certain documents be ring-fenced from systems that could be susceptible to cyber attacks?
Co-working and hot-desking present particular risks, as do employees working away from the office or on public Wi-Fi networks. Employers should have a clear policy as to how employees access the systems if working from home, and emailing documents to personal accounts should be forbidden. If possible, IT systems should log who accesses documents, from where, and potentially include tell-tale harmless “fake” entries in databases, so that copying can be proved if necessary.
Movement of Employees
When employees move from one business to another, confidential information and trade secrets become vulnerable.
“Employees should be taught which information is confidential to the employer and should only have access to necessary information for their role.”
Nonetheless, employers should regularly review and update their employment contracts to ensure that they contain well-drafted confidentiality provisions and restrictive covenants that reflect the employee’s role as they progress through the business. They should also ideally apply both during and after employment.
Employers must also manage employee terminations professionally and fairly to reduce the chance of deliberate breaches by employees. Employers should reaffirm confidentiality obligations and restrictive covenants, and reiterate that breaches will be taken seriously.
A well-drafted IT “Acceptable Use”/“Email Monitoring” policy must be in place to warn employees that it may be necessary and proportionate to check their sent items for evidence of misconduct. This will also mitigate the risk of a GDPR breach or employee “privacy” claim.
Employers should be on high alert for the early warning signs that an employee is preparing to depart. These signs include requests to view employment contracts, unusual patterns of meetings and communications over work electronic devices.
“But, despite the best preparation, things can go wrong and companies must be ready to act quickly and decisively if so.”
Understanding what information has been accessed and taken as soon as possible is key, not just to evaluate the potential risks to the business, but also to ascertain whether any personal data has been taken, which might give rise to an obligation under the GDPR to notify the Information Commissioner’s Office within 72 hours.
“Breaches can be contained and damage minimised by injunctions and court orders. However, reputational risks and adverse publicity, including on social media, must also be promptly and decisively managed.”
Employers must consider adopting immediate safeguards
This is when an employee has left for a competitor to limit their ability to misappropriate key information. This includes immediately freezing their computer access, including remote access to email and voicemail, and requiring that they return all company property. It is also helpful to conduct an exit interview with the employee, reminding them of their contractual obligations both face-to-face and in writing. Files belonging to them should be checked for evidence of wrongdoing as soon as possible.
Whilst the Trade Secrets Directive does not radically alter the protection of confidential information in the UK, it definitely serves as a timely reminder that confidential information is an increasingly valuable asset, and almost every business could do more to protect itself.