[BreachExchange] How to prevent an employee stealing confidential information

Audrey McNeil audrey at riskbasedsecurity.com
Wed May 17 20:44:37 EDT 2017


Discovering its regional manager, Luis Cabezas, had been forwarding work
emails to his personal account, Accreditation Canada ordered him to stop
immediately. Like many companies, it wished to secure its confidential
information. Little did it know that Cabezas had already hatched a scheme
to siphon business from his employer and channel it to himself and a
partner, another former employee now working as a consultant.

Accreditation Canada provides advice to health care facilities on how to
achieve patient safety and attain accreditation. Cardenas’ job was to reach
out to potential clients in Mexico and South America and negotiate service
arrangements. In his role, he had access to highly confidential information
including client details, accreditation methodologies and market
strategies, as did his partner. Accreditation Canada, dissatisfied with
Cardenas’ performance, terminated his employment without alleging cause.

As too often happens, the organization discovered that after his dismissal
but before his departure, he had continued to send confidential work emails
to his personal account and claimed he was ill when he was actually at a
meeting in Mexico soliciting work for his newly established business, one
with a confusingly similar name to Accreditation Canada. It also learned he
had then diverted business to his new company and destroyed AC information
in order to give his new business a competitive advantage.

Accreditation Canada sought an injunction to prevent Cabezas and his
partner from using its information and soliciting its customers. The
Superior Court of Ontario found both Cabezas and his partner in violation
of their employment agreements and their duties to Accreditation Canada and
issued an injunction to prevent them from continuing this misconduct.

What lessons can be learned from this case?

First,  have enforceable written agreements to protect your business. These
agreements should prohibit the disclosure of confidential information;
should assign any intellectual property rights to the employer; limit
solicitation of valued customers, suppliers and existing employees; and,
for high-value employees such as a CEO, restrict competition. These
limitations and restrictions must be reasonable in their scope or a court
will not enforce them. If they are too broad, the contract won’t apply. In
that case, the employer will have to prove the employee has stolen
confidential information or is a fiduciary‎ — a very senior officer or
director — which has significantly higher hurdles than just proving a
breach of contract. To be enforceable, these agreements must be entered
into before the employee starts working for you or in return for the
employee receiving a promotion, raise or bonus. Having these agreements
reviewed by experienced employment law counsel is essential.

Next, if there is any suspicion about an existing or former employee,
immediately conduct an inspection of the employee’s files and, most
important, including any electronic devices with an external storage device
like a USB drive. Also determine if the employee has deleted any company
information that should be preserved. Check expense and/or attendance
records to ensure the employee has not improperly been spending company
time or resources on the competitive activities. Of course, any evidence
obtained that shows improper conduct may also be grounds for cause and may
create a claim for any damages such as lost business.

If an employee gives notice, the employer should interview them, ask about
their plans and issue a caution about their obligations. Some departing
employees are, or pretend to be, blissfully ignorant of their
post-employment obligations and are unpleasantly surprised to be reminded
of them.

Finally, I have often sent letters to the new employer advising them that
their new hire has contractual obligations to my client, which it intends
to enforce. If the new employer has not been informed of these obligations,
their new employee could be terminated for failing to disclose them. In any
event, the new employer is now on notice as to what their new employee can
and cannot do. Failure by the departing employee or the new employer to
abide by the former employee’s obligations can lead to expensive and
sometimes disastrous consequences for them if the former employer seeks and
obtains an injunction.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170517/ab57c901/attachment.html>

More information about the BreachExchange mailing list