Safeguarding Commercially Sensitive and Confidential Information for Businesses

Employment Law: 23 March 2019

If your business values its stored information for commercial advantage, it is likely that a competitor will also value it. Maybe even more. This article discusses legal and practical measures that businesses can take to protect their commercially sensitive and/or confidential information from theft or misuse by outgoing employees.

Theft or the misuse of a business's commercially sensitive and/or confidential information by an employee is a serious issue that is often only thoroughly considered by the employer after it has happened. From our experience, this leaves businesses feeling vulnerable and bearing the uncomfortable burden of the "what ifsfollowing the event. Contracts, policies, procedures (including response plans) are imperative to any business who closely guards the storage and use of their commercially sensitive or confidential information.

Under the Corporations Act 2001, outgoing employees owe their employers a duty to not improperly use 'information' to gain advantage for themselves or someone else or to cause detriment to the corporation. The Act does not extensively define 'information'.

Employment contracts that incorporate policies and procedures need to define what your business classifies as "confidential informationand what employee conduct or use amounts to a breach. Contracts should also account for how information is stored and used in devices provided by the employer. Businesses need to ensure that documents used to govern confidential information or commercially sensitive information are updated regularly to reflect any changes. To do so reduces the risk of the misuse of the information and strengthens your hand if it is stolen by an outgoing employee.

Contracts may also include a clause requiring outgoing employees to attend an electronic exit interview. This is a preventative measure to ensure that things such as emails and remote/local access are checked with the outgoing employee and are disabled following clearance. References of service could be withheld from employees who fail to attend these interviews as a measure of ensuring compliance. Company devices (USB sticks, laptops, smart phones) can also be checked and retrieved at this interview. You may choose to conduct the exit interview through a neutral third party (eg IT consultant) to put the to put the outgoing employee at ease.

Policies need to be updated regularly and may include;

• a deleted email retention policy: (e.g. for three months before the employee's departure);
• remote login rules and login tracking;
• incident response plan.

Businesses need a sound understanding of Australian state and federal privacy laws and the minimum standards prior to commencing any investigations or surveillance if they suspect theft of information by an employee. Privacy policies help set boundaries for what employers can and can't do and for what employees can expect should they consider theft or misuse of information.

Practical measures that businesses can adopt to safeguard against theft of information can include the use of the following;

• Asset registers: retaining information on the whereabouts and use of electronic devices including their serial numbers and policies explaining how the devices are to be used i.e. for work purposes only (USB sticks, laptops, smart phones);
• Information security frameworks (including information access controls);
• Emergency response access and service agreements with forensic computer analysts and/or IT consultants.