A Guide for Protecting Proprietary Information

The following is a general review of recommendations for managing an organization’s confidential information.

I. OVERVIEW

Like most modern companies, your company (“Company”) and its staff face tremendous market pressure to protect the trade secrets and confidential information belonging to the Company, its customers and its collaborators. Successful protection of confidential information allows the Company to keep staff employed, grow staff opportunities, serve existing customers, and attract new customers.

The Company’s confidential information falls into two main categories: a) information developed and owned by Company; and b) information temporarily given to Company by its customers, collaborators and others. This guide deals with both categories.

Every Company team member, whether a manager, employee or contractor, has a key role in maintaining the Company’s confidential information. This Guide is intended to help Company team members better understand how to maximize the protections of sensitive information while reducing risks of inadvertent disclosure. For purposes of this article, trade secrets are treated like confidential information.

II. IMPACT OF DISCLOSURE

Once disclosed publicly (or in the absence of a confidential obligation), the “confidential” nature of a piece of information is lost forever. The inadvertent disclosure of sensitive information can permanently eliminate the ability to maintain or control the secrecy in the information.

III. EXAMPLES OF CONFIDENTIAL INFORMATION

Confidential information covers many types of information. Generally, confidential information includes any secret information that gives the Company a competitive advantage.

If a staff member is unable to determine whether information is confidential, the staff member should assume the item is confidential until otherwise confirmed by Company management. Examples of confidential information might include:

  • Company information marked “Confidential”.
  • Company customer targets and proposals.
  • Software application designs and specifications.
  • Details contained in signed contracts.
  • The dimensions, staff numbers and resources located in an office location.
  • Project status updates and reports.
  • Business plans.
  • Company databases.
  • Company pricing programs.
  • Company strategic plans.
  • Company financial records.
  • Employee files, compensation and benefits.
  • Company research and development projects.
  • Company marketing strategies and programs.
  • Company’s new customer targets.
  • Company’s new business development initiatives.
  • Company reports and analysis.
  • Contract and negotiation strategies.
  • Company processes, techniques and systems used or considered for use.
  • Hardware, software, and database passwords.
  • Software code created for a Customer.
  • Customer information (and any third party items) marked as “Confidential”.
  • Customer systems and databases.
  • Customer business, financial and sales data. 

IV. POLICIES AND RULES

An organization seeking to protect sensitive, confidential information might want to consider one or more of the following:

1. The Company should establish a written confidentiality protection guide and share it with all staff who interact with confidential information belonging to either the Company, or the Company’s partners, collaborators and customers. All key staff members should read and become familiar with the guide. Upon hiring, each Company staff member should sign a contract that includes a confidentiality provision. Periodically, such as once each quarter, the Company should remind staff members about their confidentiality obligations. Management should encourage staff members to discuss questions or concerns about information protection with Company management.

2. Whenever the confidential status of a piece of information is in question, a staff member should assume the information is confidential. Thereafter, the staff member should refrain from disclosing the information until management has provided clarification.

3. A staff member should not disclose confidential information unless the staff member obtains authorization from management and the receiving party has signed a confidentiality agreement.

4. Staff members should not allow confidential information to remain on a desktop or computer screen exposed to view when not actively used. Staff members should keep proprietary information out of sight or turned over when those who should not see the information are in the office or have access to the office.

5. A staff member should only share confidential information with other Company staff members who need to know the information.

6. The Company should prevent unauthorized user access to any electronic and physical areas containing confidential information. For computers, staff members should password protect screensavers. For electronic data, staff members should password protect files. For hard copy documents, staff members should limit the physical access to the document by locking the office door, locking a desk drawer, locking a filing cabinet, and / or restricting room access.

7. A sender of an email should assume unauthorized readers will view the text and files contained in an unencrypted email. A sender should not send sensitive data in an unencrypted email or file. Senders should use encryption and passwords when possible. A staff member should take precaution when moving confidential information from one point to another, either by mail, personal delivery or electronic form. The greatest risk is the movement of information electronically without the use of security protections. The exchange of information over the Internet provides significant risk of exposure unless the exchanged information is subject to encryption or password. The exchange of information using unencrypted emails provides a significant risk of exposure even where the information is marked confidential. The sender must always assume that an unauthorized reader will see all information sent by email. Prior to sending information via the Internet, the staff member should consider the risk of an inadvertent disclosure to an unintended third party. If a disclosure poses significant damage to Company or a Customer, or would violate a Company non-disclosure obligation, then the staff member should take extra precautions including encryption, password protection or refraining from sending the information.

8. When sending an email containing sensitive information, staff members should insert the word “Confidential” in the email’s title and/or in the first line of email text. This potentially provides an additional legal remedy in the event of unintended capture and / or review by a known unauthorized reader such as under the US Economic Espionage Act.

9. When operating a laptop, smartphone, tablet PC, or other mobile electronic device containing confidential information, staff should use a password controlled screensaver. A staff member should not leave these electronic devices unattended unless passwords are in place. Change passwords periodically, and avoid posting passwords near the computer or otherwise in plain view. Use strong passwords (at least eight characters long).

10. A staff member should immediately report to Company management any intentional or unintentional unauthorized disclosure of confidential information.

11. A staff member should immediately report to Company management any attempt to obtain confidential information using a misleading or fraudulent means.

12. Staff should exercise caution when talking about business to an unauthorized listener or where others can overhear the conversation. Proprietary information often gets disclosed to unauthorized individuals either through inadvertent disclosure during an informal conversation with an unauthorized individual or through an unauthorized individual overhearing a conversation. Staff can minimize the risk of innocent disclosures by applying three basic questions:

  • Is the person authorized to know the information?
  • Does the person need to know the information?
  • Does an unauthorized person potentially have access to the information when being disclosed (eavesdropping on a conversation, glancing over a shoulder, reading a computer screen, etc.)?

13. A staff member should not READ, ACCESS OR USE IN ANY MANNER the confidential information belonging to a third party if not authorized to view the information. This action could cause the Company to violate a non-disclosure contractual obligation or violate international criminal law such as the US Economic Espionage Act.

14. A staff member should not READ, ACCESS OR USE IN ANY MANNER confidential information of Company or a Company Customer if not authorized to view the information.

15. A staff member should assume that all use of Company confidential information is restricted to internal use only unless Company management expressly authorizes the disclosure or use outside of the Company.

16. A staff member should not photocopy or reproduce confidential records unless authorized by the information originator or the information’s manager. Reproduction of confidential information increases the risk of inadvertent disclosure.

17. The Company should appoint one or more managers responsible for managing organizational record retention. Staff members should coordinate long-term storage and ultimate destruction of confidential information with the record retention manager.

18. Staff members who create confidential information should mark or designate it as “confidential” as quickly as possible once the information is created. For electronic or hard copy documents, the confidentiality notation should appear in a prominent and visible location on the document cover sheet or heading and, if possible, throughout the document. A confidential designation can appear as a distinguishable stamp (many use a red inked stamp), as part of the text of the document, or through a separate cover sheet.

V. EXECUTING NON-DISCLOSURE AGREEMENTS

The Company should routinely execute NDAs prior to exchanging sensitive information with third parties such as vendors, collaborators, partners and customers. In addition, the Company should have any staff member who has access to confidential information sign an agreement containing a non-disclosure obligation. Unless the receiving party agrees to keep information secret once disclosed, the Company may lack the power to prevent the receiving party from subsequently disclosing or misusing the sensitive information.

The Company should have a series of NDA templates (created or approved by the Company’s attorney) that managers can use to establish confidential obligations. Managers should ensure that the NDA is modified for the specific facts of the transaction. Having one standard template is frequently difficult since transactions are often fact specific. To ensure the best practice, have the Company’s attorney review the facts and modifications.

NDA agreements are discussed in detail elsewhere.

VI. POST NDA DEBRIEFING

Execution of a non-disclosure agreement and the exchange of information is only part of the process. An effective NDA confidentiality agreement obligates the receiving party to return the Company’s disclosed confidential information upon the termination of the relationship.

Once the business relationship comes to an end, the Company manager managing the transaction (or his designee) should ensure the return of all confidential information given to the third party.

Once the Company has asked for the return of its confidential information, Company should ask the party returning the information to sign a certificate confirming the return of all information. See Annex A below for an example.

Similar to agreements with third parties, the Company’s employment agreements should require staff to return sensitive information (along with other Company assets) once the staff member ends his relationship with the Company. During the termination debriefing / exit interview process, a Company representative should remind the staff member when possible of the staff member’s ongoing obligation to refrain from using or disclosing confidential information. In order to acknowledge the staff member’s understanding and to help ensure full compliance, the Company’s employment agreement might want to obligate the staff member to sign a certificate confirming the return of all sensitive information. See Annex B below for an example.

VII. COMPLIANCE AUDITING

Company management should conduct periodic audits to ensure full compliance by Company staff with the obligations the Company owes to third parties, and the obligations staff members and third parties owe to Company.

ANNEX A

CERTIFICATE FOR RETURN OF CONFIDENTIAL INFORMATION

[NAME], the below-identified recipient (“Recipient”) of confidential information from [DISCLOSING COMPANY NAME] (“Company”), is a party to a confidential agreement with Company and pursuant to the terms of the confidential agreement, has an obligation to return all confidential information to Company. Recipient hereby certifies that all confidential files, records, memoranda, specifications, notes, reports, and other materials and documents related to Company’s business and received under the Confidentiality Agreement have been returned to Company, as required by the agreement, prior to this date.

____________________________________
Print Name of Recipient

____________________________________
Signature

____________________________________
Name of Officer Signing (if Recipient is not an individual)

____________________________________
Title

____________
Date

ANNEX B

STAFF CERTIFICATION FOR RETURN OF CONFIDENTIAL INFORMATION

I, the below referenced staff member, certify that I have returned to [DISCLOSING COMPANY NAME] (“Company”) all Company confidential information including, but not limited to, reports, databases, files (both hard copy and electronic), plans, strategies, software, Customer lists, pricing data, Customer information, and all other materials which either belong to Company, Company Customer, or a Company partner of a secret or confidential nature relating to Company’s business which was in my possession or under my control.

I am aware of my signed confidentiality agreement with Company that prohibits me from using or divulging at any time, both prior to termination and following termination, any secret or confidential information of Company without Company’s written consent.

______________________________
Print Employee Name

______________________________
Employee Signature

______________________________
Date