All businesses, especially those involved in any form of innovation, need to take steps to prevent employees from leaving with confidential information. Most employees are aware of their duty to act in good faith and not to use an employer’s conditional information wrongfully. But what happens when an existing employee provides a company’s confidential information to a competitor? The case of Show Pony Group Pty Ltd (Showpo) v Black Swallow Boutique & Ors (Black Swallow) (Federal Court Case NSD1984/2016), highlights the risks of the unauthorised use and disclosure of confidential information. Case study: Showpo v Black Swallow Showpo, a trendy online women’s fashion retailer, commenced proceedings in the Federal Court against Black Swallow in November 2016. Showpo alleged that one of its former employees downloaded Showpo’s Client Contact List before leaving the company and provided the Contact List to Black Swallow. The Contact List contained contact information for all of Showpo’s customers, competition entrants, suppliers and other contacts. It was estimated that the database contained around 306,000 contacts. Showpo commenced legal proceedings when it became aware that Black Swallow had used its Contact List in a marketing campaign. The case settled at mediation, and Black Swallow agreed to pay Showpo $60,000 in compensation. Disclosure of confidential customer information and data breaches can have serious consequences to the viability of a business. So, what measures can be taken to protect information? Data security management Employers should regularly evaluate and monitor their IT systems, policies and procedures. It is essential for a business to develop rules and policies to determine who can access confidential information and how confidential information can be used. To minimise data security risks, a business can take the following steps:
- Work with an IT professional to ensure that your computer software is up to date and that storage and backup devices are available and used effectively.
- Ensure that access to confidential or sensitive information is provided only as an absolute necessity and that records are kept with details of the employees who are granted access to this information.
- Educate staff about cybersecurity threats such as scams or unauthorised access attempts.
- Create policies that require that any suspicious activity or access to the business’s computer systems must be immediately reported.
- Reiterate the importance of creating strong passwords and keeping them confidential.
- Passwords should never be shared with other staff members and a one-password-fits-all approach is a recipe for disaster.
- Ensure that an outgoing employee’s access to information is immediately terminated upon their departure. Depending on the circumstances, employers might also consider whether access should be suspended before the last day.
- Use employment agreements, policies and codes of conduct to document your expectations regarding cybersecurity and computer use.
Managing the risk of data breaches by employees
- Incidental workplace matters and employee expectations regarding computer use and confidentiality should be spelt out in a business’ policies and code of conduct and made readily available to employees before or during their induction.
- Confidentiality and trade secrets can be protected through restraint of trade clauses in the employee’s employment contract.
- A restraint of trade clause prevents an employee after leaving the workplace, from using confidential information and/or working with certain competitors within a certain area and over a specific time period. Restraint of trade clauses must be carefully drafted to ensure they are reasonable in the circumstances and only go so far as to protect the legitimate interests of the business.
Seek legal advice It is important to act quickly if you believe an existing or former employee has misused confidential information. If you are aware that an existing employee is breaching confidentiality it is important to obtain advice on how to address the conduct and, if necessary, lawfully terminate the employee. A Court may grant an urgent injunction restraining the recipient of the confidential information from using the data until proceedings are finalised. Further legal remedies include permanent injunctions, awards to compensate the innocent party for any loss suffered from breach of contract, damages for infringement of copyright and costs orders. Take away Confidential information is essential to the running and viability of many businesses. A business should take proactive steps to develop rules policies to protect a business’s confidential information. An experienced workplace lawyer can assist in preparing effective employment agreements containing confidentiality and restraint clauses and provide guidance on developing policies addressing cybersecurity risks. If you or someone you know wants more information or needs help or advice, please contact us.