So what constitutes a reasonable standard of care? The answer is not self-evident. Practices differ among businesses, so given the mobility of employees there is a strong likelihood that employees will not be on the same page in terms of their understanding of what the obligation entails.
A breach of confidential information can range from benign to catastrophic for an organization. It is prudent for businesses to have written procedures to define reasonable steps, as well as to provide training, as part of an employee orientation and on an ongoing basis.
It is helpful in such policies to define at the outset the key obligations NDAs impose on recipients.
An NDA is a time-limited licence permitting the recipient to use the discloser’s confidential information for evaluation purposes only. The recipient may not use the information to improve on its own products or technology. Nor can it reverse-engineer, decompile, or disassemble the confidential information (unless the NDA is silent on this point or it is otherwise permitted at law). The recipient cannot use generic or general information retained in the unaided memory of the recipient’s employees for the recipient’s business purposes in the absence of a residual knowledge clause (though Canadian law is not clear on this point, as far as I am aware).
Some NDAs restrict the use and disclosure of confidential information to the recipient’s employees, whereas others extend use and disclosure to its consultants, suppliers, professional advisers, and the like provided they are similarly bound by an NDA.
Confidential information is typically defined as information marked “confidential” or “proprietary” or by a like designation, as well as intangible information identified as being confidential at the time of its disclosure and confirmed to be confidential in a writing subsequently delivered to the discloser. Occasionally the NDA provides that it may also extend to information a reasonably informed person would regard as confidential due to its nature.
Here is a checklist of items to consider including in your handling of confidential information policy:
• Adopt a clean desk policy (on a regular basis, especially nightly).
• Ensure confidential information is properly stored, whether in desks, in locked (and where necessary fireproof) filing cabinets, on secure servers, or in the cloud (after verifying the steps taken by the provider to protect confidentiality), and is disposed of using best practices (e.g. shredders both onsite and offsite).
• Require that employees turn off Wi-Fi in public areas, or at a minimum when visiting customers, suppliers, partners, etc., and avoid accessing information through public computers or networks.
• Direct employees to disable USB ports and use of memory devices until needed. In countries known for espionage consider requiring Internet access be turned off and the use of Wi-Fi devices be banned altogether.
• Remind employees of the risk of storing confidential information on memory devices, which are easily lost and must be accounted for at all times.
• Consider the use of encrypted e-mail, hardware tokens (such as RSA tokens), two-factor authentication, intrusion detection, session recording, log aggregation, and other such IT tools to protect against hacking.
• Some companies have banned the use of Siri by their employees, most notably IBM. Information transmitted using Siri is stored by Apple. Siri collects the names of contacts from your address book and other unspecified user data and can be used to write e-mail and other text messages. The Siri licence allows Apple to store, process, use, and dispose of the information. IBM also bans Dropbox and similar cloud services.
• Require employees to report suspicious activity (e.g. a notification indicating a device has recently been installed).
• Prohibit sending business information through personal e-mail accounts or over instant messaging.
• Consider the use of e-mail tools that allow sent e-mail to be retracted in case confidential information is inadvertently disclosed.
• The exclusive use of company-owned computers and phones should be either encouraged or required. It is much easier to obtain a warrant or an injunction against the use of information stored on company-owned devices.
• Restrict the use of social media regarding company information to specific departments, such as marketing, communications, and corporate.
• Restrict the disclosure of third-party confidential information to employees; all other disclosures (i.e. to contractors, advisers, and others where permitted under the discloser’s NDA) could require managerial approval.
• Restrict the making of additional copies to only those strictly needed to achieve the purpose and make them available on a strict need-to-know basis.
• Caution employees that all media enquiries should be referred to a designated spokesperson.
• Recipients could request that highly sensitive documents be provided on a read-only basis.
• Reverse-engineering should require the prior approval of a designated person or persons and legal counsel should be involved as appropriate.
• The use of residual knowledge should similarly require the prior approval of a designated person or persons, and legal counsel where appropriate.
• Require that visitors sign in and be escorted at all times.
• Consider a policy against visitors being allowed to use recording devices on company property (including smartphones and tablets).
• Include a statement informing employees that information is owned by the employer.
• Advise employees that they consent to being monitored by the employer in regard to the use of information, and that information may be accessed for company purposes.
• Outline the penalties for violations, up to and including dismissal.
• Caution new employees against the use of proprietary or confidential information obtained during the course of their employment with previous employers.
• Interview departing employees to remind them of their confidentiality duties.
• Immediately terminate departing employees’ access to computer systems and the workplace.
• For key employees who depart to join a competitor, consider writing a letter advising the new employer of the employee’s confidentiality obligations.
Privacy and confidentiality issues are trending throughout society in tsunami proportions. Julian Assange’s activities with WikiLeaks, Edward Snowden’s revelations concerning the National Security Agency, and the rumoured penetration of Nortel’s IT network that may have played a role in its downfall (I don’t buy that argument, by the way, since I am of the view corporate espionage is rampant) have heightened our awareness around the challenges we face in assisting our clients to safeguard confidential information.
As in-house counsel we need to rise to these challenges and create policies and best practices that strike an appropriate balance between fear mongering and getting on with business.