HR's Role in Protecting Company and Employee Confidential Information
We see articles about information leaks all the time in the press. Recently, the military was affected. Confidential and proprietary information is plastered on the internet and in the headlines. What has this got to do with HR? Everything.
What information does your business have that you would not want to see on the front page of the morning paper? Trade secrets, customer lists, product and marketing plans, proprietary techniques—and don’t forget about your customers’ credit card information or your employees’ social security numbers. Controlling employees and helping the company with legal compliance are both within HR’s ambit.
Companies have a duty to safeguard confidential employee information in their keeping. Carelessly allowing such information out into the world can leave the company liable to the wronged employee who had their identity stolen. Employees who steal customer lists and either sell them to competitors or go into competition themselves cost businesses millions. If this happens, someone is going to be on HR’s back for (a) not protecting the information in the first place and (b) hiring the scoundrel(s) who engaged in the wrongdoing.
Fortunately, there are some things that HR can do about it:
Have a Strong Confidentiality Policy. Put staff on notice through an employee policy that confidential information is in fact confidential and should not be distributed outside the company, or used other than in the course of their employment. State clearly that business information, client or customer information, and employee information are all confidential. Include provisions that prohibit employees from posting business information on the internet (such as on their Facebook pages)!
Have Employees Sign Confidentiality Agreements. In addition, have employees execute a confidentiality agreement committing them to keeping confidential information confidential. A confidentiality agreement is a contract—if breached, your business can sue to enforce it or for damages.
Restrict Who Has Access to Confidential Information. One of the best ways to ensure confidentiality is to restrict access to it. Only employees with a legitimate "need to know" should have access to confidential information. For example, only certain sales staff should have access to customer files; only human resources and appropriate managers should see employee files.
Mark Everything Confidential as "Confidential." If you don’t treat it as confidential, it is unlikely that a court will. Make it clear to everyone what’s confidential; confidential documents or files should be marked "confidential," and treated that way (i.e., by keeping them under lock and key or password-protecting computer files to limit access).
Monitor Employee Computer and Email Usage. The Internet makes it easy for information to escape—and much confidential information can simply be emailed to another or to oneself at home. However, employers can (and should) monitor their employees’ computer and email usage to check what employees have on their work computers and what they send—and to whom!—from work email. Monitoring employees’ communications can help avoid careless, as well as deliberate, release of confidential information.
Have Monitoring Policies in Place. If you are going to monitor, make sure you put employees on notice that the company will do so—and that employees should have no expectation of privacy with regard to their use of company computers. Courts have consistently held that, with certain very limited exceptions (such as communications with an attorney), employers can monitor employee computer, Internet, and email usage.
Utilize Experts. Consultations with computer security and other experts in this field can help you structure appropriate protections for your company. Consultations after your information walks out the door can help you obtain vital evidence needed to assert legal claims against the culprits.
HR needs to be proactive in this area and audit the company’s confidential information to ensure that it is protected. Don’t get caught short and end up reading about your company’s secret acquisition plans on Twitter.