At a recent forum in New York, a team of Covington lawyers addressed the growing concern among companies that their most valuable assets could leave the building on a thumb drive in an employee’s pocket or be disclosed through an employee’s use of a social media site.  Addressing this threat involves many disciplines beyond trade secret law, including employment, employee benefits and executive compensation, white collar crime, corporate and securities, insurance coverage, and crisis management.  This post identifies five proactive ways in which companies can use comprehensive privacy programs and robust data security measures to help prevent and respond to an insider’s intentional or inadvertent disclosure of confidential company information.

  1. Internal Privacy and Data Security Principles:  By specifying how the company collects, uses, discloses, and protects personal data of its customers and employees, internal privacy and data security policies can help companies identify who needs access to confidential data, how this data should be secured, and what procedures to follow for effectively deleting or destroying data once it is no longer needed by the company.
  2. Internet Access and Use Policies:  Many companies implemented employee policies in the 90s governing how employees may access and use the Internet and the company’s computer networks.  However, these policies should be updated as new technologies emerge that may increase the disclosure of confidential company information, such as peer-to-peer programs and third-party mobile applications.
  3. Social Media Policies:  Social media policies typically govern how employees may use social media for work purposes, and, in some cases, set forth guidelines for employee use of personal social media accounts as well.  While these policies help to remind employees that they should be cautious when using social media to avoid the disclosure of confidential or proprietary company information, employers need to ensure that these policies are consistent with federal labor laws and state laws restricting an employer’s ability to request access to an employee’s personal online accounts.
  4. Robust Protections in Service Provider Agreements:  Confidentiality clauses and nondisclosure agreements with service providers are common and important.  But robust privacy and data security provisions can provide additional protection and mitigate the risk of a breach, especially where the service provider will handle your customers’ personal information.
  5. Bring Your Own Device (“BYOD”) Policies:  Employers increasingly are allowing employees to use their personal smartphones, tablets, and other devices to access work e-mail accounts and the employer’s computer network.  While both employers and employees can benefit from this approach, companies need to make sure that their bring-your-own-device policies provide employees adequate notice and allow employers to implement appropriate data security measures, such as remote wiping tools.