It is, by now, axiomatic that our new social media world has increased the risk of disclosure (intended or inadvertent) of information and documents that are not meant for public consumption. As an employer, you must understand these risks and take proactive measures to protect the private and confidential information of your company, your clients, and your employees. And you must act swiftly when you determine that a breach has occurred.
According to a CNN report this week, Google did just that, announcing that it had fired one of its employees for violating privacy policies by accessing user accounts. CNN reported that the employee “used his position as a key engineer evaluating the health of Google’s services to break into the Gmail and Google Voice accounts of several children.” The conclusion reached there: “The incident highlights how easy it can be for anyone with access to confidential information stored online to abuse it, regardless of any systems that are in place.”
Some, many, or all of your employees have access to certain private and confidential information, and those employees are blogging, tweeting, and otherwise actively engaging in social networking sites. What types of potentially harmful disclosures are we talking about? For one, the potential disclosure of your own company trade secrets or confidential information. An employee may be violating a contractual commitment or duty of loyalty by disclosing certain information through social media, but perhaps more importantly, that disclosure to competitors or the general public will cause irreparable harm to your business. You can’t un-ring that bell.
There is also the potential disclosure of trade secrets belonging to your clients or customers. The disclosure of sensitive information with which you have been entrusted could lead to a damaged business relationship, and a possible lawsuit against your company for failing to adequately maintain privacy controls. In a similar vein is the potential disclosure of your employees’ information, such as medical-related information and an employee’s social security number or other banking or financial-related information.
The Google firing highlights the cataclysmic result that could come when the ease of employee access to social media collides with the ease of employee access to private and confidential information.
Employer Take Away: What should you as an employer take away from this development?
(1) It is not enough to maintain and communicate policies dealing with the unauthorized access to and disclosure of confidential information. It is critical that your policies refer expressly to social media and, specifically, bans on inappropriate disclosure of information and documents through the various forms of social media. Moreover, your policies should not only apply when the employee has departed from the company, but also while he or she is employed and has access to the information.
(2) You should consider establishing a “trade secret program” that will allow the company to defend against a position taken prior to or during a lawsuit that the disclosed information does not rise to the level of a trade secret because the company did not treat it as such. The manner in which certain information must be treated and accessed internally (as distinguished from other non-sensitive information), an identification of those employees who may have access to that information, and what monitoring controls are in place to avoid unauthorized disclosure, are among the components of an effective program.
(3) You should consider the current state of the law as it relates to employer obligations to properly maintain certain types of information. Examples include certain obligations to segregate medical and benefits information from the contents of a “normal” personnel file, and the requirements enacted legislatively in states such as New York for the use and disposal of documents containing personal information such as employee social security numbers.