Lessons from the Edward Snowden Case: Protecting Proprietary Data from Rogue Employees or Contractors
Whether one considers Edward Snowden a traitor or a hero, one thing is certain – he was an employee. Snowden worked for Booz Allen Hamilton Holding Corp., a consulting firm that regularly staffs the National Security Agency and other federal defense agencies, when he leaked classified surveillance documents.
While the Snowden case is a highly publicized example, rogue employees and independent contractors can seriously undermine any business. In many cases, disgruntled employees will steal confidential business data and use it to help a competing business or start their own company. However, employees can also walk out the door with proprietary data without any malicious intent or a specific plan to use the information. A recent Symantec study found that half of all workers take sensitive information with them when they leave a job. Even more alarming, forty percent plan to use it.
In order to help safeguard proprietary information, businesses need several layers of protection, ranging from physical measures such as locking file cabinets and data access points, to employee training, to legal measures such as requiring employees to sign confidentiality agreements within the broader context of employment agreements. Specific tools include:
- Non-competition agreements: Non-competition agreements prohibit former employees from working for a competitor for a stated period of time. In order to ensure that they are enforceable, they must be reasonable in both scope and duration.
- Non-disclosure agreements (NDAs): Employees and third-party contractors should be required to sign an NDA that expressly prohibits them from disclosing confidential business information to third parties and details the legal consequences of such violations. In order to be effective, NDAs must be strictly enforced.
- IP assignment agreements: Employees often do not understand that intellectual property created during the course of employment generally belongs to the employer. To avoid any potential confusion or legal conflict, employees should be required to execute assignment agreements for any trademarks, copyrights, patents, etc.
- Trade secret policy: Adopt a comprehensive trade secret policy that educates employees about what constitutes a trade secret and what steps they are expected to take to protect proprietary data, e.g., not transferring data to personal devices.
- Data security: Password-protect sensitive computer files and restrict access to only necessary employees. Change the access codes after an employee leaves the company. Paper documents should be marked “confidential” and stored in locked file cabinets.
- Exit interviews: When an employee leaves the company, the terms of any employment agreements and trade secret policies should be reiterated. In addition, employees should be required to surrender all company property, including electronic devices and access cards.
As the Edward Snowden case highlights, it is impossible to ward off every attack on your company, particularly when the rogue employee is motivated. However, establishing smart, tailored, comprehensive controls and vigorously enforcing them can send a strong message to would-be violators.
If you have any questions about protecting your company’s proprietary data or would like to discuss the legal issues involved, please contact me, Fernando M. Pinguelo, or the Scarinci Hollenbeck attorney with whom you work.