We live in the information and digital age, and the combination of the two may provide competitive advantages for a business, but may also pose significant challenges when it comes to information. Information that is not known to its competitors may become strategically valuable for a business. However, with the development of cloud-based document file storage, thumb drives, small external hard drives, and laptop computers doubling as work and personal computers, the risk of misappropriation of confidential information is much greater today that it was even five years ago. Employees and independent contractors who have worked on projects for even a short time may easily copy and download virtually unlimited amounts of information through a few keystrokes. The viability of a company’s future could be seriously compromised in a matter of seconds.
Businesses must protect their valuable assets because only through the leveraging of its assets may a business be profitable. Whether the assets constitute inventory, equipment and machinery, furniture and fixtures, brands, content, or confidential information, a plan needs to be developed and implemented for the protection of each asset. For example, an auto dealer needs to have a plan in place to protect all of the new and used cars on the lot that are exposed to weather, damage, and theft. Similarly, plans need to be developed to protect the confidential information of a business. Just as the failure to adopt a plan to protect cars on the lot could lead to substantial financial losses for a dealership, the failure to protect confidential information could cause serious harm to a business.
A company’s valuable confidential information may include items as varied as business plans, customer lists, pricing models, computer software, models, charts, algorithms, formulas, recipes, specifications, and financial information, Confidential information may be any information that a company will benefit from so long as the information is not known to its competitors, consumers, or the general public.
Confidential information is not generally protected under common law, so the failure to adopt a plan to safeguard it will likely lead to a very frustrated business watching its confidential information being used by competitors. There are some federal and state laws that protect the privacy of certain information, such as the Health Insurance Portability and Accountability Act (HIPAA) for protected health information, and the Gramm-Leach-Bliley Act (GLBA) for personally identifiable financial information, but these laws do not provide protection for other types of confidential business information.
Any plan for protecting valuable confidential information should include, or at least consider, the following:
1. Identify what business information is valuable and should be treated as confidential. Just as an inventory of cars needs to be maintained by an auto dealer, an inventory of confidential information should be maintained by every business. The inventory does not need to be too specific, but general categorization should be maintained at a minimum.
2. Identify who should and may have access to confidential information. Develop procedures and practices to ensure that only authorized persons have access to confidential information, including through the use of user IDs and passwords. Remember that the broader the pool of persons with access to confidential information, the more difficult it will be to argue that it is confidential information, and the more challenging it will be to implement an effective plan to protect against misappropriation and wrongful disclosure.
3. Identify where confidential information may be stored, and how access to confidential information may be obtained. Consider limiting access points to the information and increasing the level of security to access such information. If the company allows storage on mobile devices, have clear rules on access and use with a mobile device.
4. Develop and use contracts to protect confidential information, including the return or permanent deletion of all confidential information upon termination of employment or a contract. For example, all employment contracts should have a confidentiality covenant. Contracts with vendors and other third parties should include similar provisions. Sometimes confidential information needs to be shared with potential competitors to further business purposes. Mutual non-disclosure agreements should be used in such events. If any confidential information will be used downstream, for example if a business shares information with a vendor who shares the information with an independent contractor of the vendor, there should be a contract in place for the downstream user, as well as for the person who is providing the information to the downstream user.
5. Determine whether any of the confidential information is also a trade secret. Trade secrets are a subset of confidential information, and state trade secret law provides an additional layer of protection, so long as the owner of the confidential information treats the information appropriately. Any information that rises to the level of trade secret also needs to be treated at a higher level of confidentiality, control, and security.
6. Conduct an exit interview with each employee, independent contractor, and other third party who has had access to confidential information. Based on the contract with those parties, as indicated in paragraph 4 above, obtain a written certification of the return or permanent deletion of all confidential information. Determine whether the departing employee or independent contractor will be working for a competitor, and if there is a likelihood of disclosure of confidential information to the new employer. Also require the return of all company-owned computers, mobile devices and other hardware that may contain any confidential information, and terminate access to all confidential information, including through a company network.
7. Create a culture within the organization, beginning at the top, that recognizes that confidential information is valuable, and that the company’s policy regarding its confidential information must be respected and followed. Don’t allow a culture of compromise to develop. If an employee breaches his/her confidentiality covenant, take action. As part of developing the culture, provide training regarding the protection of confidential information. Usually when we know the “why” of something, we are much more likely to comply with what is being asked.
8. Read, understand, and enforce contracts relating to confidential information. Although a confidentiality agreement helps send the message that the company values its confidential information and will enforce its rights, if the company fails to comply with the terms of its own contract, or to enforce the terms of the contract against others who have violated it, the likelihood of successfully enforcing the company’s rights to its confidential information when enforcement is crucial may be substantially diminished.
Although confidential information is a type of intangible asset that does not generally enjoy the benefits of intellectual property law protection, there are ways to provide a very high level of protection. By thinking about confidential information, and implementing a plan to protect it, a business may develop and enhance its competitive position in the market. It’s just one more way of allowing business owners and managers to sleep a little better at night.