Stop your confidential information from walking out the door

The departure of sensitive information along with a valued employee is a persistent threat to business – how can HR minimise the impact?

The leakage of confidential information, whether it be via social media channels such as LinkedIn, through Bring Your Own Device (BYOD) breaches, or old-fashioned word-of-mouth, the departure of sensitive information along with a valued employee is a persistent threat to business.

However there are important steps HR can take to minimise the risks. Richard Hoad from Clayton Utz recently outlined some key steps business can undertake to ensure confidential information is safeguarded.

For starters, Hoad said the first port of call is to build a fence around corporate confidential information, and keep the gate shut by:
 

  • Conducting regular audits. Know the type of sensitive information which needs to be protected.
  • Do the simple things. If a document is confidential, mark it as such.
     
  • Record and share the confidential information as appropriate. It’s no good having one employee who is too valuable to lose because they hold key confidential information in their head.
     
  • But limit disclosure to those who need to know. The more valuable the confidential information, the more limited its disclosure should be. Put in place systems to restrict access (eg. use password protection or user access controls for electronic data).
     
  • Monitor access and use. It’s no good having systems in place to control access if those systems are not used. Again, the more important the information, the more rigorous the monitoring should be.
     
  • Review employment contracts and policies. It’s important to ensure that employment, contractor and other relevant agreements impose appropriate obligations of confidence. These obligations should be tailored to the employee – one size does not fit all. Generic descriptions of confidential information should always be supported by a schedule setting out specific examples of confidential information to which the particular employee will have access. It is best practice to have a mechanism to update that schedule as new confidential information is developed and as the employee’s role changes – and, of course, remember to update it!

What to do when an employee resigns

While your business is likely to already have standard procedures for dealing with departing employees, Clayton Utz noted it’s advisable to:
 

  • Remind employees of their obligations. At the exit interview, remind the employee of their continuing confidentiality obligations.
     
  • Require employees to hand over devices. Require the employee to hand over personal electronic devices (laptops, tablets and smartphones). If the device is the employee’s, remove corporate confidential information and then return the device to the employee.
     
  • Quarantine systems. Particularly where the employee leaves to go to a competitor or to start up their own competing business, quarantine the former employee’s computer (and corporate laptop, tablet and smartphone) for a short period following their departure. If you later become concerned that the employee may have taken confidential information with them, a forensic analysis of computer systems will be critical in determining what action to take next.
     
  • Investigate concerns and take swift action where appropriate. Importantly, if you are concerned that an employee may have taken confidential information, seek legal advice and take swift action to prevent the information being used or further disclosed. Once the information becomes public, the horse has bolted.