Preventing employees from downloading sensitive information
In March 2010, a computer-monitoring system helped save a hedge fund, Citadel, from
a trade secret misappropriation of great proportion. A quantitative engineer, Yihao “Ben”
Pu, working with proprietary trading formulas and strategies, had uploaded confidential material onto two “virtual machines” he
had created on his Citadel computer in order
to bypass computer security systems. When
asked what had occurred, he responded by
saying he was just uploading music, but the
system could detect activity inconsistent with
his story. Pu later attempted to discard the evidence by dumping the hard drives in a canal,
mafia-style, but the evidence was recovered
and he was subsequently arrested.
This case illustrates how a network-monitoring system can
aid in detecting the access and uploading of confidential material. To
protect sensitive data, an employer can use both Intrusion Detection Systems and Intrusion Prevention Systems. These systems
monitor for malicious network activity,
tracking use of the system and keeping
records of access, including specific files accessed and any modifications made to them.
Are an employee’s emails private?
In most cases, no. The employer owns the
email system at the workplace and is allowed
to examine its contents. This goes for both
intercompany emails as well as emails sent
to or received from another source. Even in
the case where an employer assured its employees that the emails would be kept confidential and privileged and would not be
intercepted by the employer, and then proceeded to intercept an employee’s email for
the purposes of determining whether or not
the employee was making inappropriate or
unprofessional comments, the court concluded that the interests of the employer in
determining the professional conduct of the
employee outweighed any expectation of
privacy the employee might have in his email
communications. Smith v. The Pillsbury
Company, C.A. 95-5712, (E.D. Pa. 1996).
This rule generally includes private, web-based email accounts such as Yahoo and
Gmail. Even a password-protected account
is not likely to create an expectation of privacy. In another case, an employee used an
eBay account with a password to sell goods
he stole from the employer, then claimed
that the employer breached his privacy by
obtaining his password. OK, so you have to
admit the guy’s got some nerve. Anyhow, the
court stated there would be no “absolute expectation of privacy in records kept or accessed on his workplace computer, even if
password protected.” Further, the court recognized there would be no reasonable expectation of privacy with a computer usage
policy that “advised its employees that their
computer activities on the office system
were monitored.” Dwayne Campbell v.
Woodard Photographic, Inc., et al., 2006
U.S. Dist. LEXIS 36680.
However, it should be noted that a recent case in which some employee privacy
rights were recognized by the New Jersey
Supreme Court challenges that standard.
In 2010, the New Jersey Supreme Court
ruled that an employer’s attorneys who read
emails of an employee sent to her counsel on
a company laptop through her personal
password-protected Yahoo email account violated her privacy. Stengart v. LovingCare
Agency, Inc., 2010 WL 1189458 (N.J.
March 30, 2010). However, this case was decided on the basis that the emails were protected by the attorney-client privilege, and
did not address whether the employee would
have a reasonable expectation of privacy
with a non-lawyer.
So what’s an employer to do?
Protect, inform, get consent, maintain and
remind employees of your trade secret
policies. Employees need to know the
boundaries of their access to trade secrets,
how to treat trade secrets and the consequences if breached. It is important that
these policies are set forth in clear and unambiguous language.
1. Non-Disclosure Agreements. Each employee should sign a non-disclosure
agreement at the time of employment.
2. Company Policy. The company personnel
manual should set out the company’s
policies towards the treatment of trade secrets. Among other things, some specifics
that should be covered are the policies towards accessing and downloading sensitive
information, emailing confidential information,
working remotely, traveling
with laptops and other data bearing devices,
and the protection and return of
confidential information. There should be
a signature page for the employee to indicate
consent to all policies. The following
items should be addressed:
a. Electronic monitoring of employees.
b. The monitoring of phone calls. The
policy manual should clearly state that
all phone calls are subject to recording
and that the employees have no personal
privacy rights in the phone calls
that are made from company phones.
c. No expectation of privacy in emails
sent from the company computer system,
even from private email accounts.
3. Mark confidential materials clearly and
limit access to restricted areas of the
computer.
4. Put locks on doors and file cabinets.
5. Issue employee ID badges.
6. Train employees and contractors to understand their responsibility in the protection of trade secrets.
7. Password-restrict and require user identification in order to access sensitive
areas of the company files.
8. Regularly remind employees of their
obligations towards trade secrets.
9. Conduct exit interviews with employees upon termination.
10. Consider getting a professional trade
secret audit to reveal any gaps in company policies.
Keep in mind that union contracts may
alter the privacy expectations of employees. Furthermore, the standards for employee privacy herein apply to private
sector employees, rather than public sector or government employees.
Although there are no guarantees that a
company’s trade secrets won’t be misappropriated or stolen by its employees, there are
certain things you can do to protect your
trade secrets from rogue employees. Monitoring employees on the computer, phone or
in the office can be done legally, if consistent
with state and federal laws. Clearly setting
out your trade secret policies and getting
employee consent for electronic monitoring
will help you both PROTECT and COVER
your . . . assets.