Managing the Departure of Sensitive EmployeesJosh Dixon, Hal Frampton, and Lance Lawson / McNair Law Firm
Few events are more disruptive to a business than the departure of a key employee. In the digital age, such departures are more dangerous than ever, as survey after survey shows that departing employees regularly take the company's digital information with them. In fact, the Ponemon Institute, an information security think tank, recently found that 50 percent of surveyed employees admitted to taking company information with them when their employment terminated and 40 percent admitted that they intended to use that information in their new job. Properly handling the departure of employees with access to sensitive intellectual property and other information requires careful planning before the event and quick action when the departure is announced. Below are a few of the critical steps employers should take before, during, and after a sensitive departure.
Before the Departure
- Protect intellectual property with strong, enforceable agreements. Perhaps the most critical component of a robust program for protecting a company's intellectual property is a strong, enforceable agreement signed by each employee with access to the company's intellectual property. Such an agreement should include:
- Broad (but not overbroad) confidentiality provisions. The agreement should have a confidentiality provision tailored to capture all of the information that the company legitimately attempts to keep confidential. Because South Carolina law is skeptical of overbroad confidentiality provisions–-sometimes construing them as de facto unenforceable non-competes–-the agreement should minimize boilerplate language concerning types of information that the company either does not maintain or does not actually keep confidential. In addition, the agreement should contain an express disclaimer stating that general skills and knowledge gained through the employee's employment are not considered confidential under the agreement.
- The Defend Trade Secrets Act disclaimer. In light of the federal Defend Trade Secrets Act (DTSA), every confidentiality agreement should now contain a clear disclaimer stating that the employee will not be held liable for disclosing confidential information (1) in confidence to a government official, either directly or indirectly, or to an attorney, solely for the purpose of reporting or investigating a suspected violation of law; or (2) in a filing that is made under seal in a lawsuit or other proceeding. Without this disclaimer, an employer cannot recover exemplary damages or attorneys' fees in a subsequent lawsuit under the DTSA.
- Non-compete and customer non-solicitation provisions as needed. If the employee could cause significant damage to the business by competing and/or soliciting customers, consider non-compete and customer non-solicit provisions. Again, South Carolina courts look disfavorably on these provisions, so carefully confine them to the company's legitimate business interests. Non-competes must contain reasonable geographic and temporal limitations, and the employee should only be prohibited from engaging in truly competitive work (not merely working for a competitive enterprise in a non-competitive division or position). Note that South Carolina courts will not reform an overbroad non-compete; the most they will do is strike an unenforceable term, and even that is not assured. Thus, companies should take special care in selecting a geographic restriction that actually comports with the employee's scope of work and potential harm. Likewise, customer non-solicits should only apply to customers with whom the employee personally worked. As opposed to customer non-solicits, the enforceability of agreements prohibiting the solicitation of other employees is unclear in South Carolina; thus, any such agreement should also be limited in time and limited in scope to current employees.
- Work made for hire and intellectual property assignments. If there is any possibility of the employee having involvement in the creation of work that is copyrightable or patentable, then work-made-for-hire and intellectual property assignment provisions should be part of the agreement. These provisions should broadly assign intellectual property rights in work created by the employee related to the company's business. While there are no South Carolina decisions on the potential overbreadth of such assignments, North Carolina has a statute expressly precluding employers from taking assignment of inventions developed entirely on the employee's own time and without the employer's equipment unless the invention (1) relates to the employer's business or actual or demonstrably anticipated research or development, or (2) results from any work performed by the employee for the employer. Because South Carolina courts tend to look disfavorably on overbroad provisions in employment agreements and often look to North Carolina for guidance on undeveloped legal issues, it would be prudent to incorporate these kinds of limitations in a South Carolina intellectual property assignment.
- BYOD provisions. If employees are permitted to use their own devices for work purposes, and particularly if any of those devices will be provided access to a company e-mail or exchange server, it is important to include provisions giving the company access to any such devices for purposes of ensuring that company information is permanently deleted if the employee departs.
- A clear severability provision. Because South Carolina courts will not reform an overbroad agreement, it is critical that employee agreements contain clear severability provisions permitting the court to strike any portion of the agreement (including individual works, phrases, and sentences) that it deems unenforceable.
- Protect company IT systems with clear policies, consistent enforcement, and proper security measures.
- Limit employees' access to information needed to perform their job duties. To the extent practicable, use security settings or password protections that prevent employees from accessing company information that they do not regularly need to perform their job duties. Even with clear security policies, employees often assume that they are entitled to access any information that the company's security settings allow them to access. Preventing that access from an IT angle substantially reduces the risk of data theft and provides the employer a clearer case of misappropriation if the employee overrides or circumvents the security settings to access information.
- Have clear IT policies against improperly accessing, using, copying, or disseminating company information. It is important for companies to have clear policies prohibiting employees from accessing any company information that is not needed to perform their job duties. Likewise, these policies should clearly prohibit using, copying, or disseminating company information for any purpose other than to perform the employee's job duties. In addition, the policies should prohibit copying or sending company information to unsecure or unapproved devices, such as e-mailing company information to a personal e-mail account or copying it onto a personal flash drive. To ensure that employees are aware of these policies, they should be physically or electronically signed by each employee. These policies are important both in terms of preventing theft and because the federal Computer Fraud and Abuse Act (CFAA) may give employers a powerful remedy in the event that an employee exceeds his or her authorized access.
- Be realistic in IT policies, and enforce those policies consistently. Often, companies have IT policies written more broadly that the company ever intends to enforce. This includes policies that purport to prohibit all personal use of company computers, which are often not enforced. The better course is to write realistic policies that the company will enforce, such as policies that prohibit excessive personal use and focus on improperly accessing, using, copying, or disseminating company information. Such policies should be consistently enforced, including through IT audits of employees' use of the IT system.
- Maintain the secrecy of confidential information and trade secrets. The Achilles' heel of many trade secret claims is the company's own failure to take reasonable steps to maintain the secrecy of the claimed trade secret. To avoid this defense, companies should rigorously employ the security measures listed above, and, depending on the employer's business and the nature of the trade secret, should perhaps impose additional protections, such as limiting premises access, security badges for sensitive areas, etc. In addition, trade secrets should be clearly identified and marked confidential, even in internal communications. Anything the company can do to clearly communicate to employees that the information is confidential will be helpful in subsequent litigation.
When the Departure Is Announced
The company should have a written protocol for handling the departure of key employees so that HR managers and others have a clear plan to execute when a departure is announced, rather than trying to reinvent the wheel each time. The primary goal of such a protocol is to lock down the company's IT systems and prevent, to the extent possible, the employee leaving with any confidential company information. This protocol should include:
- Conduct exit interviews and obtain information from the departing employee. Exit interviews, when properly conducted and documented, can greatly assist in determining the level of risk posed by the departure. The company should obtain as much information as the departing employee will give on his or her plans, including the name of the new employer and the employee's role at that company. This will serve as starting place for evaluating the danger that the employee's departure poses to the company's business.
- Carefully evaluate any offer to work through a notice period. The employee may, as a professional courtesy, offer to work through a notice period. Before accepting such an offer from an employee with access to sensitive information, be sure that it is in the company's best interest to have the employee continue to work. Often, in the interests of minimizing the risk of information loss, it is preferable to decline the offer and end the employment relationship upon the employee's announcement.
- Terminate the employee's access to IT systems. Unless the employer agrees to the employee working for some period of time after the announcement, the employee's access to all IT systems should be terminated immediately. Be sure the IT department maintains a list of all IT systems and subscriptions to which each employee has access so that they can all be terminated at the same time.
- Delete the information contained on BYOD devices. Assuming the employee signed a strong, clear BYOD agreement, have the employee provide all devices that contain company data to the IT department so that all company information can be removed. Do this quickly to minimize the inconvenience and reduce the risk of litigation. If the employee did not have all such devices with him at the time of the announcement, send the employee a formal letter demanding that any devices containing company information be provided to the company for review and potential deletion within a short timeframe.
- Demand the return of confidential information and remind the employee of his or her obligations. Upon announcement, send or give the employee a formal letter demanding the return of all confidential information within a short timeframe. This letter should also remind the employee of his or her contractual obligations to the company–-such as confidentiality, invention assignment, non-compete, etc.–-and provide the employee a signed copy of the agreement reflecting those obligations. The goal of this communication is to avoid any claim that the employee was unaware of his or her obligations.
After the Departure
Once the company has taken the initial steps to mitigate the risk of the employee leaving with confidential information, the company's focus should turn to evaluating whether the employee violated any obligations to the company and taking steps to remedy any such violations. The key tasks as this point include:
- Formally advise the new employer of all relevant obligations. It is difficult to hold a new employer liable for any violations of the employee's obligations if the employer can plausibly argue that it was unaware of those obligations. Therefore, in any case where there is risk of the employee causing damage, one of the first steps after locking down the company's IT system should be formally advising the new employer of the employee's obligations to the company. This communication should be sent to the new employer's registered agent by certified mail so that there is a record that the communication was received. The content of this letter will vary somewhat depending on circumstances but should contain enough information to clearly put the new employer on notice of the employee's obligations and demand that the employer not participate in any breach of those obligations. At the same time, communications should be carefully worded so as not to defame the departing employee.
- Audit the employee's use of the IT systems to determine the risk of misappropriation. If there is any reason to suspect than the departed employee may have misappropriate anything, have the IT department audit the employee's use of the IT systems in the weeks or months leading up to the departure. Often, it can be determined whether the employee copied data to flash drives or e-mailed substantial data to a personal or other third party account.
- Preserve evidence until any issues are resolved. Once a company is on notice of an issue that may be litigated, the company has an obligation to preserve any potentially relevant evidence. Thus, when a key employee leaves, the best practice is to preserve all evidence related to that employee until any issues are resolved or the company determines that there are no issues related to the departure.
- Begin negotiating / litigating any breaches of obligations. Finally, if it appears that the employee has breached any obligations to the company, work with counsel as quickly as possible on the appropriate next steps. If the company needs to seek injunctive relief, one of the key issues the court will consider is whether the company faces a risk of irreparable harm, and, in determining that issues, courts regard any on the part of the company as evidence that irreparable harm is unlikely. It is therefore important to move as fast as possible once it appears that an obligation has been breached.
Conclusion As digital information continues to proliferate, it is likely that departing employees will continue to be a primary source of risk to a company's intellectual property and confidential information. With rigorous preparation and planning, however, companies can significantly reduce the risk that a key employee walks out the door with sensitive information and gets away with it.