When an employee leaves, make sure your data doesn’t
Financial services firms understand the value of their private data and go to great lengths to protect it. Up-to-date infrastructure and IT security are a costly but necessary feature of any modern business, yet more often than not, the biggest threat to data security comes from within.
We often see that data theft takes place when someone leaves to rivals, or sets up their own competitor. It is possible to remedy stolen data via an injunction. However, injunctions are expensive and there is no guarantee that all the data is successfully retrieved.
As with so many things in business, being reactive is often too little too late. By having a proactive mindset, you can make affordable and simple changes to your security right now.
So to help you save money and to understand how you can deliver a proactive approach to data defence, we have identified these simple steps that you can take right now:
- Ensure that you have suitable email monitoring systems in place to track unusual activity.
- Limit the ability of employees to remove information from your systems, such as not permitting personal devices to be used and restricting the use of USB ports.
- Ensure sensitive commercial documents are labelled accordingly, that access is restricted to those who require it and that access is monitored.
- Ensure that your employment contracts and social media policy make it clear who owns contacts, leads and referrals generated through social media.
- Train on both data protection matters and what information constitutes the firm’s confidential information.
- Ensure that restrictive covenants are reasonable in terms of scope and length and are tailored (as far as possible) to each employee’s role.
- If an employee is promoted, see if the old restrictive covenants need updating because of the change of role. If they do, update the restrictive covenants as a condition of promotion.
Manage the risk
However, even with the best systems in place there is still a risk. Unfortunately, this risk is only increased with the current trend towards home working. The full suite of tools available should therefore be used to minimise this risk.
The highest risk moment for losing confidential information to a competitor is when an employee moves jobs. Sometimes this is a deliberate act, but it could also be naivety on the part of an employee who, for example, does not appreciate that a client list belongs to the firm, not the employee, or does not understand the implications of misappropriating personal data.
Additional proactive steps can therefore be taken once it is know that an employee is leaving. These include:
- Enhanced monitoring of future emails and IT activity for unusual behaviour such as accessing documents for prolonged periods of time outside of working hours.
- A search of recent sent emails.
- Remind the employee – both in person and in their exit interview – of the ongoing duties of confidentiality and the restrictive covenants to which they are subject.
- Putting the employee on gardening leave immediately to restrict the ability to obtain confidential information (but bearing in mind that this then reduces the length of the restrictive covenant post termination).
- Confirming that any restrictive covenants will be enforced.
- Writing to the new employer to put them on notice as to the employee had access to confidential information.
- If you’re entering into a settlement agreement with an employee on exit and old restrictive covenants or confidentiality clauses are poorly drafted, or not sufficient, consider putting new ones in the agreement.
The exact steps to take upon an employee leaving will be dependent on various factors such as the nature of the confidential information, how long information will stay confidential, how important enforcing the restrictive covenants is, whether the employee is going to a competitor, and the risk that the employee themselves poses. For example, an administrative assistant may not have access to a client list or pricing information, whereas a junior advisor may. For very senior leavers, it may be prudent to write to the new employer so that they are unable to turn a blind eye to any subsequent misuse of confidential information.
In addition, it is worth noting that restrictive covenants are enforceable in the event of redundancy if drafted properly. You may decide to release employees being made redundant from certain restrictive covenants, such as those stopping them working for competitors, to help them get another job. However, if you do so be very careful to ensure that you don’t inadvertently release them from others (such as non-poaching of staff or clients). Also be aware that if an employer breaches an employee’s contract when they leave this may mean the restrictions are unenforceable. Common examples of contract breaches include wrong/no notice given or unfair or discriminatory dismissals.
If the worst happens then we can assist you in taking all necessary steps (including obtaining an injunction) to recover any misappropriated information and to comply with your regulatory obligations in the event of a data breach. However, we believe in proactive steps to reduce the risk of confidential information being taken in the first instance. We would be delighted to assist you in discussing how to implement such steps.