Electronic storage media are easy and convenient and allow the portability of information. However, portable media devices like USB drives can also be easily stolen or lost. It has been the case for many years that employees will take information on a thumb drive to work outside the office. In fact, those employees working from home or remotely are often seen as overachievers — for example, the sales person bringing her contact list home to update it with current information or the CFO revising financial statements from the airport.
Both acts seem helpful to the employer, right?
Not when the employer has to prove its information is confidential before a judge after a departing employee takes off with the information. If for no other reason than this, an employer needs to protect its confidential information in order to later argue to a court that the information is worthy of trade secret protection.
Tracking what information is confidential, who has access to it and restricting how that information is used are key maneuvers for any employer that seeks to protect its information.
Employers are now seeing the reality that an employee can walk off with confidential and proprietary information, and the employer cannot track where that information has gone. Once put on a thumb drive, that information is portable and can be transferred to other computers, or other devices, and transmitted via email almost anywhere. Following the trail of that information can be difficult and the company’s ability to prove that such information was misappropriated can depend on how and when the information was transmitted.
Do you, as an employer, have a policy to reduce the potential for these kinds of security breaches?
If not, you should consider revising your employee manuals and policies to prohibit the use of thumb drives and other mobile storage devices. Employers can implement other IT protections as well to secure the sensitive information, such as encryption mechanisms and software that allow the employee to work remotely but without the ability to access or transmit sensitive company information. Physical barriers can also be used to preclude the use of USB drives.
Employee manuals should also contain restrictions on the use of company information and an acknowledgement by the employee that certain information is in fact confidential and proprietary. A manual with restrictions on use of information is helpful to educate the employees, and can also be helpful when there is a security breach by pointing to ramifications for improper conduct.
A restriction policy is also useful in the sense that it can be persuasive to a court and can demonstrate that an employer is taking reasonable efforts to protect its information. If a court believes that the employer is not taking reasonable measures to protect its information, that court is less likely to enter any injunctive relief precluding the dissemination of that information.
Swift action is important when a security breach is suspected. Employers should resist the temptation to open up the departing employee’s computer. To properly preserve information, employers should call their trusted advisor or litigator to consult on how to handle departing employees’ devices. It’s possible that the departing employee left a trail that the employer could use later to prosecute a case for misappropriation of trade secrets. However, the wrong steps by the employer at the beginning stages can impact the reliability of that information.
The best course of action is to call your litigator – someone versed in the world of e-discovery and forensic preservation – in order to maximize the reliability and usability of the information moving forward.
The author is an attorney with the Chicago-based law firm of Horwood Marcus & Berk Chartered. Contact her at firstname.lastname@example.org.