Confidential Information - Managing the Risks 

May, 2011 - Michelle Sherwood

All businesses possess confidential information - trade secrets, customer lists, staff records - which could mean loss of business, reputational damage, or give competitors an advantage if leaked, whether deliberately or accidentally.
Depending on the type of information disclosed and the type of organisation, there are potential consequences regarding public policy and data protection. It is, for example, very easy for breaches of the Data Protection Act 1998 to occur when certain types of information (such as personal data like names and addresses) are disseminated in error.


Increasingly, confidential information is stored electronically, for example in the form of emails, Word documents and spreadsheets. There are risks associated with storing the information electronically: files can be corrupted, lost or accidentally deleted. There is also a risk, because electronic information can be shared easily, that it may be received by parties who should not have access to it. 


There are, however, simple and practical precautions that can be taken, both in relation to IT systems and the people who use them, to reduce the chances of confidential information ending up in the wrong people’s hands.


Protect your technology: Don’t let backups get your back up!
There are various methods which can help prevent loss or deletion of confidential information stored electronically, including backing up the servers. A server is fundamentally a large computer built for a specific purpose, such as data handling, processing or storage.


A backup server controls data storage from sources such as laptops, BlackBerrys and workstations, and usually has devices such as tape drives or hard disk arrays attached, which handle backups.


Special software can be installed to control the process of backing up confidential information and other data. Backup strategies vary depending on the importance of the information being backed up: they range from a full backup every day, or even every hour, to a differential backup, which backs up only the files which have changed since the latest backup.


A full daily backup means all information and data transmitted on that day, including details of emails sent, and any attachments, will be stored and can be accessed at a later date. Backups should be stored at separate premises to prevent the information being lost as a result of, for example, flood or fire damage. A copy should also be available on site to enable quick disaster recovery and to help maintain business continuity. Backups should be password-protected to prevent unauthorised data access.


Consideration should be given to encrypting files and/or email attachments, if deemed necessary, particularly if laptops or other portable devices containing confidential information or personal data are being used off site.


Technology is only half the story
A risk with storing information electronically is that it can easily be disclosed by employees, for example by forwarding emails and attachments.


An employee working his or her notice before moving to a different employer that might be a competitor may try to steal confidential information for use in their new role. This misuse of confidential information has the potential to cause serious damage to a company.


One means of preventing employees from doing this is to put restrictions in their contracts of employment to that effect. For example, state that employees must not send by email any company information except for work-related purposes, and set out the possible consequences of failing to adhere to this requirement.


Most companies take misuse of company confidential information very seriously, and have a policy in place whereby misuse amounts to gross misconduct, which may lead to summary dismissal. It is important also to define what constitutes ‘confidential information’, and to ensure that all employees with access to electronically-stored confidential information understand their duties in this regard. Appropriate training should be provided, and signed copies of employment contracts and IT policies should be retained.


Many contracts of employment include a provision to the effect that employees’ internet and email usage may be monitored. This can act as a powerful deterrent against employees using their work email account and internet access for things they should not, i.e. dissemination of confidential information. However, it is important to be aware that excessive monitoring of employees’ use of emails and/or internet may amount to a breach of privacy laws including The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. Monitoring should be kept to a level deemed necessary to protect company information.


Prevention better than cure
•ensure your company has adequate policies for prevention of misuse of confidential information (such as email and internet acceptable usage policies)


•provide appropriate IT policy training and explain to employees what is required of them and why


•make sure employees are aware of the potential consequences of any breach of your IT policies

If it all goes wrong
There are various options open to you as an employer if someone does misuse any of your confidential information. These can include:


•Investigation: possibly – and this will depend on the circumstances and the severity of the breach – leading to the dismissal of the employee in question (having first ensured that the appropriate disciplinary and investigational procedures have been followed)
•If the breach is sufficiently serious, and if you have strong evidence to support your position, you may consider applying for an emergency injunction, which usually includes an order that the employee in question must deliver up all copies of information taken, and give undertakings that they will cease and desist from taking similar action in the future. Injunctive proceedings are very expensive and should only be considered in very serious circumstances in which you have a lot of concrete evidence, otherwise you could be exposed to severe costs consequences in the event that an injunction is not granted
•Seek legal advice at an early stage if in any doubt

