Protecting your Confidential Information
A business’ confidential information is as important to its makeup and operation as our DNA is : the ideas, customers, working customs and practices and pricing – to name but a few - are what make each business unique. It is what your business requires to operate on a day to day basis, and it is this confidential information that differentiates your business from its rivals.
It is surprising then that businesses can often adopt a somewhat blasé attitude to the use and safeguarding of its confidential information – often only seeking to do so as an after-thought, in the face of a threat to its integrity. This is particularly the case now that more and more of a business’s confidential information is stored electronically, as it has become easier and easier to lose (or steal) it.
The following steps are quick and easy ways to sense-check what confidential information you have, and how to protect it:
- Understand what you’ve got and the relative value of your different types of data to help design and implement an effective security policy. Knowing what data you have and how it is used by your business will enable you to put into place effective policies to protect its use. We recommend that you carry out a legal audit which can also inform you what intellectual property rights you may have.
- Use industry-certified encryption and anti-virus software to protect your data.
- Protect yourself against the removal of confidential information via removable media. Restrict the ability to plug removable media and devices, such as telephones or USB sticks, into PCs and laptops – clearly you cannot prevent their use entirely, but it could be limited, e.g. requiring the download or upload of data to removable media to be undertaken by members of your IT department.
- Keep it simple and seamless for your employees to use security systems that are in place. The more complex your security procedures are, the less likely they are to be followed.
- Take time to train your employees. Although having the right technology is important, ensuring your internal policies and procedures are followed is critical – your employees will, for example, be the first line of defence at identifying phishing or malware emails.
- Take out a robust insurance policy to protect against losses arising from cyber theft. Not all losses of confidential information come from within, such as via former employees. If the worst happens and your business is subject to an external attack, make sure that you have adequate protection to deal with the fallout.
As with most things, planning and preparation is the best defence, and this is never more true than when it comes to confidential information. Adopting, monitoring, maintaining and enforcing robust internal policies and procedures remain the most effective ways to protect your confidential information.
So what do you do if your confidential information is lost or stolen, perhaps by a disgruntled former employee who has moved to one of your competitors? The approach that you adopt will depend upon the business-critical nature (or not as the case may be) of the confidential information that has been taken.
If the confidential information is business-critical in nature, such as a copy of your customer database or pricing structure, then swift and decisive action will be required to ensure that it does not cause your business lasting damage. The following steps should be considered:
- Instruct an independent digital forensics expert. This has two key benefits : first, it enables you to ascertain the nature and extent of the problem and the information that was taken; secondly, it will provide impartial evidence for any claim that you may bring against the former employee (and/or their new employer, if there is evidence to suggest that they have induced your former employee to take the information);
- Write a Letter before Action to the former employee (and/or their new employer) – you should set out with as much detail as possible the nature of their actions, what you require them to do and by when. You should require them to destroy or deliver up (as applicable) the confidential information that they have taken and to sign undertakings to confirm that they have done so. If your business has suffered quantifiable losses as a result, then you may wish to include a claim to cover damages in respect of this; and
- Commence Court proceedings, possibly seeking an injunction – if they refuse to provide the undertakings and the information is so confidential that it must be protected, then Court proceedings should be instigated without undue delay. You should consider whether it would be necessary or desirable to issue an application for a Springboard Injunction before Court proceedings are commenced. If granted, this would protect the confidential information and prevent your former employee and/or competitor from using it to gain an unfair advantage.
Although these steps are not cheap, if you find yourself in a situation where business-critical information has been taken, then you may find that you have no choice.
BPE have considerable expertise in protecting a business’s confidential information within their Employment and Commercial Litigation teams, and we bring a collaborative approach to successfully resolving these issues for businesses.
These notes have been prepared for the purpose of an article only. They should not be regarded as a substitute for taking legal advice.