As more IP moves from filing cabinets to computers, network use policies can help secure companies' trade secrets and mitigate the risk of disclosure.
These days, business owners have more to worry about than their company's bottom line. They have to stay on top of escalating health insurance premiums, employee training and retention, technology and more. But there's one area that, left unaddressed, can potentially do more harm to a business than any other: intellectual property. And it's often overlooked.
While some IP generated within a company is easy to catalog (think logos, inventions or other trade secrets), other propriety information arises from everyday acts as simple as making a cell phone call or sending an e-mail. Often, it's the latter that catches organizations off-guard.
According to attorney Mark Landes, a partner with Isaac, Brant, Ledman & Teetor, intellectual property is the lifeblood of any business. Companies "derive profit from their special knowledge, which is really their intellectual property. Therefore, it must be protected," Landes says.
Don't think, though, that Landes is suggesting a cadre of beefy bodyguards or high-tech security systems to foil would-be thieves. "Any careful business will protect its assets, including confidential information. In today's world, that means a network policy," says the former chair of the Columbus Bar Association's Labor & Employment Law Committee.
Properly drafted and implemented, a network security policy does more than tick off a list of technology-related rules, such as banning employees from Facebook and Hulu, limiting personal use of company e-mail and warning that your BlackBerry may be monitored. It may also help mitigate an employer's liability in the event that an employee discloses confidential information-intentionally or not.
Drafting a Policy
While Central Ohio attorneys agree that a network policy is imperative for any business, the advice differs when it comes to what the document should say and endeavor to accomplish.
Brian D. Hall, a partner in the labor and employment department of Porter Wright Morris & Arthur, says policies should first and foremost detail how a company stores intellectual property. It's also important to outline who has access to what information and the circumstances under which employees can view or retrieve it.
The policy also should specify when otherwise confidential information may be given to an outside organization. "The policy can be strict so as to include what can and cannot be disclosed," Hall says. Companies should obtain a signed nondisclosure agreement before any information is given to a third party. Hall says such restrictions are critical to maintaining workplace and customer privacy.
Given their complexity-particularly when attorneys get involved-network policies can get rather lengthy. But Matthew D. Austin, of counsel with Barnes & Thornburg, says it's not always necessary to have pages and pages of paperwork. "I have seen policies as brief as ‘Be Smart,' " he says, as well as policies upwards of 25 pages. Austin's advice: Avoid the two extremes. "There has to be a happy medium between those," he says.
Landes says some business owners don't recognize the importance of intellectual property or how easily it can be created. "Recipes, communications and every electronic communication are intellectual property, but often, they don't take steps to protect it. That goes beyond a secured network server. In today's technologically savvy world, it includes a pragmatic, enforceable network policy that then must be methodically enforced."
A network policy can reduce the likelihood that people with access to a company's confidential information will improperly disclose it. But such documents don't necessarily lessen an employer's liability should a breach occur.
The extent to which a company can be held liable depends on what was disclosed, to whom and who owns the information, says Benita Kahn, a partner in the Columbus office of Vorys, Sater, Seymour and Pease. A business that inadvertently divulges its own customer list when a worker attaches the wrong file to an e-mail blast is less apt to end up in a legal battle than one whose employee leaks a client's pending patent application to a competitor.
Consistency also is key: Companies that have a history of selective policy enforcement are less likely to prevail in court. "There needs to be consistent enforcement of all IP policies to minimize liability," Landes says. "If a company is inconsistent in enforcing a policy, it can weaken their argument that the policy was breached in the first place."
"Anytime you have policies you don't enforce consistently, you are opening yourself to potential liability for discrimination [litigation], assuming there is a protected class involved," says Hall.
The issue of enforcement was central to a decision handed down by the U.S. Supreme Court in June. In City of Ontario v. Quon, the Supremes highlighted the important intersection of technology, workplace policies and oversight. The court ruled that employers cannot expect to write policies that decrease an employee's expectations of privacy, and then behave contradictorily by not fully or consistently enforcing those policies, says attorney Mehmet Munur, an associate with Tsibouris & Associates. When an employer's enforcement is so lax that employees are permitted to behave as if no rule exists, the employer cannot suddenly punish workers for not abiding by the policies, Munur says.
It's not enough for a company to simply draft a network policy. Managers also need to ensure that employees know it exists.
Take the case of a worker fired for violating his company's network policy. Were he to sue for wrongful termination, the employer must not only demonstrate that the rules were consistently enforced, but also that the employee "had notice" of the provisions, Landes says. Meeting those burdens of proof can support the employer's defense that the firing was just. "You don't want it to seem like a termination was retaliatory," Landes cautions.
There are several ways employers can notify employees about such policies. Landes suggests giving new hires an employee handbook detailing company procedures and policies, including network use. All employees should sign an acknowledgement indicating they received the handbook.
Another suggestion is to create an in-office checklist detailing the various documents and signatures the company requires prior to a worker's first day on the job. This is especially important for employees who will have access to IP and other confidential information, Landes says.
Kahn advises business owners to ensure that employees are properly trained on how propriety information should be treated. Labeling data "confidential" or "trade secret" can strengthen an employer's stance that a worker knew or should have known that information he disclosed was privileged, she says.
Hall recommends vigilance when it comes to departing employees as well. Each should undergo an exit interview "to discuss where they're going and remind them of their duty of confidentiality," he says. "We will also make sure they return everything electronic they had that was owned by the company and terminate their access to the network."
Even the most intricate network policy in the world isn't worth much once privileged information is leaked to outside parties. You might win the lawsuit, but that's little consolation if your competitors now know your secret blend of 11 herbs and spices and you're out of business.
One Columbus employment law attorney who creates network policies for clients goes so far as to say they aren't worth the paper they're written on. "These policies are designed to put fear into employees, but what can a policy really do? The damage, in theory, has already been done [once confidential information has been revealed]," says the lawyer, who asked not to be identified.
Most attorneys, however, view network policies not as a scare tactic, but an intrinsic element of a company's Incident Response Plan (IRP). Kahn says drafting an IRP is the first step any business should take to protect its intellectual property and other vulnerable information. An IRP details how potential violations should be handled.
As soon as a breach is alleged, key people within the organization should meet in person. "Stop all electronic communication and do not discuss [the matter] in e-transmissions," such as text or e-mail, Kahn says.
The IRP should clearly detail the pro-cess for "escalating the breach to the appropriate person or department," says Kahn. The plan should state who is responsible for investigating the incident and guiding its aftermath, she says, as well as who should be involved in decision-making once a breach has occurred or is suspected. While it's advisable to include a public re-lations person and representatives of dif-ferent departments in the decision-making group, their input may not be necessary in all situations.
A review of applicable laws and contracts should also occur almost immediately to determine if the company is legally or contractually required to notify any other parties, Kahn advises. Depending on the specific disclosure, that could include customers, vendors or law enforcement.
The plan also should direct how the company responds to internal matters, such as what happens to the employee during the investigation and how fact-finding will be handled, says Kahn.
Finally, if the wrongfully disclosed information was protected intellectual property, a cease and desist letter should be dispatched "almost immediately" to the recipient, says Kahn.
Crime and Punishment
In Ohio, the wrongful disclosure of trade secrets is governed by the Ohio Uniform Trade Secrets Act (OUTSA), which broadly defines a trade secret as information, techniques, methods-even a list of names and addresses-that not only helps a company generate income but would take discernible effort for another entity to accrue. The protected materials must also be the "subject of efforts that are reasonable under the circumstances to maintain its secrecy," according to the statute.
Companies that pursue legal action against an employee may ultimately prevail, but they need to consider whether the end result is worth the effort and expense. If a judge finds that a breach of the OUTSA has occurred, the plaintiff may be awarded injunctive relief, attorneys' fees and damages-both compensatory and punitive, if appropriate. Whether the employee will be able to pay up, of course, is another matter altogether.
In the end, says Landes, companies should take all possible precautions to protect their IP-including thoroughly vetting job applicants, particularly those who would have access to sensitive data.
And, he says, a little extra motivation never hurts. "It would certainly help if a former or current employee thought they could get sued if they leaked company information."
Tami Kamin-Meyer is an attorney and freelance writer.
Reprinted from theNovember 2010 issue of Columbus C.E.O. Copyright © Columbus C.E.O.