How to keep confidential company info confidential | Legal Thinking Podcast
This podcast transcript has been edited in places for readability. You can also listen to our podcast on your podcast platform of choice - find it here >
In this episode of the podcast, we speak to employment lawyers at RWK Goodman Caroline Doran-Millet and Catherine Hawkes about how employers can protect their confidential company information when an employee decides to leave.
Okay, so, thank you Caroline and Catherine for joining us today. Caroline, I guess I’ll direct the first question to you…
Why is it important to protect confidential information in a business?
Caroline Doran-Millet: So your trade secrets and confidential information can be the most valuable assets your business owns. You have probably spent years and thousands, if not hundreds of thousands of pounds, building up your customer base, and finessing your product or your service, you don’t want to allow an employee simply to benefit from this, to be able to walk into your office, and then bring all your confidential information to a new employer, or perhaps even set up by themselves.
So there are some very simple practical and simple legal steps that you can take to protect your business’s information which we’ll be exploring today.
What might the different types of confidential information be that employers might need to protect?
Caroline: Yes with this, a business quite often considers any commercially sensitive information to be confidential information which should be protected by the UK courts. Unfortunately there’s a different approach within the court system, so the leading case for this is Faccenda and Fowler.
So, to give a bit of the background, Mr Fowler set up his own business, which was the same as his old employer, his new business was a direct competitor, some of his new customers were exactly the same as his old employers, and he even recruited some of his former colleagues. His old employer brought a claim saying that “he had stolen confidential sales information relating to the customers and the prices” and they tried to stop him from using this.
The High Court said, “Well firstly, you don’t have any contract of employment, so we’re going to look at what the basic legal situation is.” And they said, “No, sorry, you cannot stop a former employee for using this type of information! Even though it’s commercially sensitive, a new employer can use it because there’s no express written contract!” And what the courts then did and said that “there are four different types of potentially confidential information, or information that it would look at.”
The first is trade secrets, this is a gold standard for employers. You get the best protection for your information if you as a business can show that you really have a trade secret. But this really is a high threshold. Think of the secret recipe for Coca Cola here, it’s something which has been treated as secret, and has a significant amount of commercial, importance and value. It might be … secret processes in terms of manufacturing, a chemical formula, special design, message or something else which is similarly secret.
The next stage is ‘mere’ confidential information, and actually the courts describe it as “merely confidential information” which is interesting because, as an employer or a business you think its confidential information so really important. This is the type of confidential sensitive information like, sales and client information which Mr Fowler was merrily able to use after he left employment, because it wasn’t protected by a contract, so this type of thing is … source codes, customer lists, business plans, commercial agreements, research and development projects, so it’s very important to your business, but the courts say “It’s merely confidential information”, so as far as they’re concerned, during employment the employee can only use it to benefit their employer. However, if they happen to carry it away in their head, after they leave employment, they can use it, that’s unless there’s a written contract. So the danger is that, if an employee has a lot of confidential information in their head and the business hasn’t taken steps to protect itself, the employee can use this information that he just inevitably carries away in his head. It is slightly helpful that the courts have said that if you deliberately memorise confidential information … just try to cram as much in your head as possible before you walk out the door, that’s not protected, but we see this as a really dangerous and grey area for employers and why they really need to take practical steps in advance to prevent somebody walking out the door with their confidential information.
The third one is information which relates to the skills/experience, know-how and the general knowledge of the employee which shorthand we usually call that “The Employees Know-How”. It’s about how the job is done, the processes, the problems, and that is generally seen as belonging to the employee and they can do whatever they want with that, you can’t stop them for using it … after they leave employment.
And then finally, public information … basically does what it says on the tin!
Which categories of information can be protected during employment, by an employer?
Catherine Hawkes: Yeah so, as Caroline has said, there are four kinds of business information which are trade secrets, mere confidential information, information that amounts to skill and knowledge of the employee, and then public information, and so, during employment both trade secrets and confidential information can be protected from disclosure through implied duties.
And so, specifically, there are implied duties which exist in all contracts of employment, that employees will conduct themselves with fidelity and good faith. And this duty includes an obligation to respect the confidentiality of the employer’s commercial and business information and, some senior employees such as statutory directors also owe what is known as … “fiduciary duties” and these duties require an individual to act in the best interests of the company at all times, even at the expense of their own interest. So, essentially, during employment, employees shouldn’t use or disclose confidential information and employers can actually rely on these implied duties with or without an employment contract.
But, as Caroline touched upon as well, even if you’ve got the existence of these implied duties, it’s really important that employees have expressed confidentiality terms and confidentiality covenants within their employment contract to ensure sort of additional protection for … for a business.
And which categories of information can be protected after employment?
Catherine: Yeah so, without the expressed confidentiality provisions, only trade secrets can be protected after employment, through the implied duty of confidentiality. But it’s … as we’ve both said … its far better to try and enforce an expressed term in a contract, which has actually been signed by the employee, rather than trying to rely on implied terms. And so, its … it’s very important to include express confidentiality provisions.
And so, these confidentiality clauses should include clear definitions of what the employer considers to amount to confidential information … in the context of their business specifically.
But, for example, this could include lists and details of clients, pricing strategies, marketing plans, pitches, together with any sort of … specific sensitive information to which the employee has access during their employment, and if that confidentiality covenant is drafted to cover as much information as possible, and in particular specifies what amounts to confidential information in the context of their business, then an employer is likely to stand a very good chance of protecting that information, but more importantly being able to persuade a court that it’s taken all reasonable steps to notify that employee about what it considers to be confidential information.
But as, you know the law of confidence is quite uncertain and that, you know, case law … there’s a lot of grey area in this area about what could amount to a trade secret verses mere confidential information so, it would be advisable to have other covenants within your contract to rely on, not just confidentiality clauses. So, you might want to consider having post-termination restrictions for example, sort of, non-compete restrictions, restrictions against soliciting employees for example, or customers, and if you have well drafted restrictions, you may be able to get additional protection without having to solely rely on your confidentiality clauses and you might also want to consider having a garden leave clause within your contract to try and minimise any damage that could be caused be … an employee that’s leaving the business, and a garden leave clause essentially keeps an employee out of the market for the duration of that garden leave period and the aim is to try and prevent them from misusing any confidential information during that time.
Caroline, what types of confidential information can a former employee lawfully or safely use and the employer?
Caroline: Lawfully use – he can or he or she can bring with them any know-how … information about processes or systems or methods of working that they have been using that they just happen to have in their knowledge and in their mind.
If there isn’t a written contract, if they happen to have some confidential information in their mind as to client lists or client information, they could use that as well, as long as they haven’t stolen a client list. Also if there’s information on the public domain, quite often we have companies who are concerned that a former employee is targeting certain of their very important clients. Those important clients are on their public website or there have been press releases them.
So if it’s in the public domain and the clients are using this particular product or service, you couldn’t stop them from going after them unless there’s something specific in the contract so there are lots of grey areas which can make it difficult.
And how can information be protected when sharing it with other or third parties?
Caroline: Yes so, confidential information can be disclosed to third parties in a number of situations, for example when businesses are discussing sort of, business proposals with the clients or if you’re engaging a third-party contractor or dealing with suppliers. So in order to protect information when shared with third parties, you’d want to use something called a … “confidentiality agreement” or a “non-disclosure agreement”, and the aim of these agreements is to ensure that the information that you disclose under the agreement remains confidential and secret, and that the … the person receiving that confidential information agrees to only use it for the purposes that you’ve actually defined within that confidentiality agreement.
But, while confidentiality agreements should allow for a contractual right to an injunction or a claim of damages in the event that there is an unlawful, sort of, disclosure of that confidential information, in reality any compensation awarded to a business may be quite meaningless if the confidential information has already been disclosed to competitors.
So, there are limitations to confidentiality agreements and, ideally what you need to be doing is putting in more practical steps as well as sort of, just solely relying on those documents. So, for example, you might want to disclose only what’s absolutely necessary to a third party, or provide hard copies of that confidential information or limit the number of individuals who might receive that information for the … the third party business, but also to ensure that the information is returned back to you at the end of that … arrangement and also you get confirmation that that third party’s actually deleted any confidential information after it’s been used.
Liam and I talked to other people about this on the podcast before so obviously the workplace has been changing since COVID: working from home, flexible working, different ways of working that maybe we hadn’t even thought of before COVID.
Caroline, have you noticed with that any changes recently in cases you’re seeing about, like former employees stealing confidential information, has that had any impact on that kind of thing?
Caroline: Yes that’s a really good point. Previously there used to be- so the traditional advice which was to look out for flight risk indicators for your staff: who has started to stay in the office later, come in at the weekends, who’s doing more photocopying and printing… But if people are working on a hybrid basis, or working from home this doesn’t really help us as an employer, so we all have to adapt to the new working conditions.
For example, an old school case, we were involved in in which an individual who was working for an investment bank had printed off too many client files during her notice period. This was flagged by IT and her explanation was it was for handover purposes but that wasn’t believed and she was dismissed for gross misconduct during her notice period, the new employer was notified in the reference that she was dismissed for gross misconduct and the regulator was notified as well.
So, nowadays few employees are silly enough to print off reams of confidential information or send it their personal email during their notice period, although I am still flabbergasted that still does happen!
Liam: I was gonna say you just take pictures of the screen on your phone surely?
Caroline: So yeah, exactly there’s those … the new technology has evolved the employer has to be careful and using the situation, and that happens a lot, people take pictures with their phones and then send it to themselves by WhatsApp, or a telegram so what we have to do is change our mindset so, you know, corporate espionage or data theft … you sort of conjure up sort of a … a Mission Impossible style image: somebody breaking into the office at midnight with sort of futuristic equipment, now every single one of us is working at our kitchen table with a laptop and a iPhone, could potentially replicate the confidential information or damage it!
So, the things that we need to look at, to … the change in workplace means that employers need to change how they protect their business and protect their confidential information is say, “Okay, well firstly, what do we want to protect? What’s important to us?” And the next stage is … who can access it, and who is accessing it? Do you get real time notification if somebody’s looking at your client lists or your trade secrets, is it read only, can somebody change it or delete it? Is it password protected? Is it marked confidential? There’s so much that people can do on a practical basis to protect themselves, but quite often that they’re not. And I’m a firm believer of prevention not cure. Some employees might simply be naive or “over-enthusiastic” let’s say when they leave and are preparing to join a new employer but you do also get the occasional bad apple that you need to protect your business against. And this is a dishonest employee who’s highly motivated to use your commercially important information and trade secrets for his own benefit.
So things in that kind of situation that you might want to look at is, as well as in your password protected client list have some sleeper cells … that’s maybe a family member or a senior employee’s email or home address so, if they’re notified you are contacted in real time, or even put in deliberate markers into confidential information, such as a small amendment to the address or a little typo. We had a case where, with a client list and a postcode we put in a … a letter O instead of a 0 so then when the ex-employee was writing to the employee at their home address we were able to trace it back. So when he said, “Well actually, I just knew this, I happen to know it from my memory”, we can say, “Well actually no, this is misinformation, we can prove that you’d stolen this from our database”. So there’s lots of practical steps you can do but you need to be proactive. No point locking the door after the horse has bolted!
In terms of some of those practical steps that can be taken by employers to protect confidential information, Catherine why don’t you give us maybe three of them, of what employers can do whilst people are being employed, so during employment?
Catherine: So one of the … the key factors that the courts will consider when deciding if information is truly confidential, is whether the employer made the employee aware that the information was considered confidential!
So, with that in mind, to protect information during employment, as Caroline has kind of touched upon, you should think about, sort of labelling commercially sensitive information as confidential and circulating it to only a limited number of employees or, for example, using different coloured paper for documents with different degrees of confidentiality or password protecting devices and documents which contain confidential information. But also, looking at the policies that you have in place as an organisation and making sure that you have a confidentiality policy for example, an IT policy and, depending on the nature of your business, you might want to also think about having a social media policy, which would set out the employee’s policy on the use of things like, networking sites such as “LinkedIn” and making it clear that client contacts remain the employer’s property!
Ed: Yeah, there was a case a few years ago about LinkedIn, is that the one you were referencing at the start of those ... quite a well-known case that I heard about LinkedIn where someone, argued that taking all their connections across was not in breach or something?
Catherine: Yeah there’s only been (I think) like one case in relation to LinkedIn and the … I think the courts found that actually that information did belong to the employer, but it … I mean it will be a very fact sensitive, you know, situation because the starting point for employees, they will always say that this information belongs to me because LinkedIn is my, sort of, you know, my profile, you know my information, but an employer will say, “Well no, you only got all of this client information because of working for … for us and for our business” and so, that’s why it’s so important to have things like confidentiality policies and social media polices where you will actually say that … “this information specifically belongs to me” and so you’re in a far better position as a business to then challenge that and say, “Well actually look, you’ve signed up to these, this is the policy, you know that these LinkedIn contacts belong to me, you only knew of them because of your … you know, your existence in the … in the company” and so, in order to (as a business) to protect those contacts you really need to have something in writing really to be able to enforce anything, otherwise the employee can quite easily say “No, this is my account, these are my details” and just, not hand them over on termination.
What is the one most important step for employers to protect their important and confidential information, and why?
Catherine: Yeah, I think, I mean from my perspective I’ve sort of, emphasised this point quite a lot, but I would say that … the most important thing that employers can do to protect their information is to have a very well drafted contract of employment which should clearly set out what the employee’s obligations are, both during and after employment, and should specify what information is confidential.
And the aim is really to ensure that that confidential information amounts to a trade secret itself and you might wanna place, you know, in the contract, that any disclosure of that information is forbidden and would be … the employer would be entitled to seek damages or injunctive relief if it was disclosed! So actually really clearly spelling that out within the contract itself.
But there are other clauses that you can have within the contract, such as sort of protections when an employee leaves the business so for example, you’d want the employee to deliver up all of their IT equipment on termination, to delete any information that they have on their own personal devices which is confidential to the business and confirm in writing that they’ve actually done that, and so that can be a really important evidence for the business to use if there is … and sort of any misuse of that confidential information in the future.
Caroline: In terms of protecting the business, the risk areas are when somebody leaves the business. So I’m a big fan of having resignation meetings or notice meetings, not just an exit meeting because if it’s the last day that they’re in the office that’s probably too late to have those discussions. The resignation meeting; you would explain to the employee what their obligations are in claiming which, because quite often employees are naive and just don’t understand their obligations, so you nip that in the bud! And also you drill down into what … to find out what their future plans are.
Quite often we have had situations where the employee has been disingenuous about what their future plans are. They’re going to take time off to travel, or they’re looking after a sick relative, but then as soon as they have worked out their notice, we find out they’ve actually joined a competitor or have started up their new business! So if you get in writing what their future plans are and write to them there can be no grey area with that. You’re also explaining to them this is your contract and these are your obligations, if they lie to you during their employment they’re breaching their implied duty of fidelity even if there isn’t a contract, which can be very useful and you’re explaining we want to have all of this information back, all of these documents back and you get it back before they leave.
So, you’re able to do a lot more if you believe somebody is about to compete or has done anything either overenthusiastic of nefarious while they’re still employed, you can deal with it then and protect yourself quickly.
Also risk areas similar to resignation are when people are going through disciplinary processes or potential redundancies and unfortunately we’re seeing a lot of redundancies at the moment, in certain areas, and that’s a risk time because the employee is feeling nervous, perhaps concerned about how they’re going to find new sources of income going forward and also might be disgruntled so that’s the stage when somebody might want to be on a … either an IT sort of “watch list” and more attention is being paid as to what they’re looking at, some downloading but you have to make sure that this is done sort of, per the contract and any sort of internal policy and also perhaps reminders periodically to members of staff as to what their obligations are with confidential information because it’s a real area that people just don’t understand but the information they’re working on day in and day out shouldn’t be used apart from for the employer’s benefit and can’t just be transported to a new employer.
Liam: Caroline and Catherine, thank you very much for your time.