Confidentiality: the danger of iPods

What dangers do employers face from iPods and other such portable electronic storage devices?

When plugged into a PC, iPods and devices such as memory sticks can copy information to or from the PC, often bypassing firewall or password protection. Employers’ systems can therefore be vulnerable to the theft of confidential information, intellectual property and personal data, as well as to the introduction of malicious viruses or snooping software. This is most likely to occur when aggrieved employees are looking to compete with or cause harm to the employer.

The main challenges employers face involve keeping information secure, preventing unauthorised use for commercial gain, updating IT systems and implementing and policing clear IT and confidentiality policies.

What is the legal position on confidential information?

The starting point is the employment contract. This should contain clauses defining and protecting confidential information and intellectual property, and should protect against unfair competition while employment continues and (if necessary) for a period afterwards.

If the contract is silent on these matters, the employee is bound by implied contractual terms not to divulge confidential information, make a secret profit from or compete with the employer, and to act in good faith for the duration of their employment. However, if the contract is silent and employment ends, only a limited category of confidential information remains protected – ‘trade secrets’ (such as the Coca-Cola formula) – and the employee is generally free to join a competitive business.

What can employers do to protect themselves from a competing employee?

The employment contract should stipulate what the employer regards as confidential information, and place restrictions on its use and disclosure that last not only during employment, but also indefinitely (unless the information ceases to be confidential or becomes public other than via the employee). The contract could also prevent the employee from working on their own behalf or for anyone else during employment. It should also require the return of all documentation, passwords, property (tangible or intangible) and copies on termination of employment or earlier request.

Contractual clauses restricting post-employment activities such as competing with the employer or soliciting prior customers need careful drafting. Employers should seek specialist advice as such clauses are often unenforceable as a restraint of trade, unless they are reasonable and only restrict what is necessary to protect confidentiality and trade connections.

The disciplinary policy should state what conduct during employment would be grounds for disciplinary warnings or dismissal. Employers should act consistently when disciplining or dismissing for IT offences. The IT policy should give clear guidelines on the use (or prohibition) of uncontrolled storage devices and other media (CDs or floppy disks) on the employer’s network. If employees are taking information away to work on home PCs, there should be guidelines on data use, storage and deletion.

For data protection reasons, employers should notify staff in their policy that the use of IT systems is monitored for security reasons, and to prevent or detect fraud. To secure personal data, employers should strengthen anti-virus software and adopt firewalls to limit the use of CDs and floppy disks, USB and FireWire ports, and consider password protection for file-sharing activities.

What remedies do employers have as a last resort?

Other than disciplinary action or dismissals for contractual or policy breaches, there are more extreme remedies.

A well-drafted post-termination restriction or confidential information clause can be enforced in the High Court through an action for damages for financial losses arising from the breach, or if damages are inadequate, an injunction to prevent the continuing breach (such as stopping the dissemination of information or working for the competitor). The court can also order the return or destruction of all copies of the information.

However, these court proceedings can be expensive and carry the risk of legal costs if the employer loses.

Misuse of personal data, if notified to the Information Commissioner, could result in the competitor’s business being investigated and, in extreme cases, fined or denied the use of its computer systems. If information is being used for criminal activity (such as identity fraud or piracy), the employee could be prosecuted. However, the publicity aspects and stress of pursuing an employee through a police investigation and the courts can be dissuasive.
