So, how do we protect sensitive, confidential material and processes in the face of iPhones and flash drives in the hands of our employees? It’s no longer good enough to keep the secret formula under lock and key. Everything from a secret formula to an entire manufacturing process can be uploaded and emailed, recorded or photographed in an instant. An employee can literally walk out the door with the company in her pocket.
Taking measures to prevent theft or inadvertent disclosure of trade secrets is imperative in industries such as the paint and coatings industry that rely heavily on closely held manufacturing processes and formulae. So, in order to limit exposure to accidental disclosure or intentional misappropriation of the company jewels, you might be considering audio, video or computer monitoring of your employees.
What is the line between the legitimate protection of trade secrets and invasion of employee privacy? A prudent employer will know the answers to several touchy questions. The laws relating to integrated employee monitoring are complex at times and vary from state to state, but it is generally recognized that the prevention of theft or misappropriation of confidential business information is a legitimate business reason for monitoring employee workspace. It is the employer’s job to implement a suitable policy that falls within the confines of the law.
Can you record employee conversations?
Generally yes, but proceed with caution. Both federal and state laws govern the use of electronic equipment for purposes of wiretapping or eavesdropping (listening to conversations of others). There are both civil and criminal penalties for violations of these laws, and the laws vary from state to state.
The federal law allows the recording of phone calls and other electronic communications so long as one party to the conversation consents to the recording. A majority of the states have adopted wiretapping statutes based on the federal law. Twelve states (California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania and Washington) have adopted more stringent standards, under which consent by all parties to the phone call is required. These twelve states are often referred to as the “two-party states”; however, if there are more than two parties on the call, all parties need to give consent. Although most of these statutes address wiretapping and eavesdropping, they also tend to apply to phone calls and in-person conversations. Regardless of the state, it is illegal to record a conversation to which you are not a party, for which you don’t have consent and which you could not naturally overhear. In most states, it is also illegal to disclose the contents of any illegally obtained call or communication.
Courts have recognized employee consent through the use of written consents and policy manual provisions. The most important thing is that the consent is clear and unequivocal as to the employer’s actions. At all times, however, caution should be taken in taping employee calls, in that employees may be speaking to people in multi-party consent states.
Can I monitor my employees using hidden cameras?
In most cases the answer is yes. Twenty-four states have laws outlawing the installation or use of hidden cameras in private places. A private place is one where a person may reasonably expect to be safe from unauthorized surveillance. A number of these states specifically outlaw the use of hidden cameras in bathrooms and locker rooms or for the purposes of viewing nudity. In states where no specific law exists, the interests of the employer in using hidden surveillance cameras will be weighed against the employee’s expectation of privacy. In all cases, the expectation of an employee’s privacy in a bathroom will outweigh any interest of the employer.
On the other hand, courts rarely find that there is an objective reasonable expectation of privacy in any public place. Where an employer hired a private investigator to use surveillance equipment to videotape his employee while he was in his car in a parking lot at a wedding reception and while he was entering and leaving his home, the court found that such surveillance was lawful because the employee-plaintiff did not allege intrusion into any private place. See Salazar v. Golden State Warriors, No. C-99-4825 CRB, 2000 U.S. Dist. LEXIS 2366, at *2, 5-6 (N.D. Cal. March 3, 2000).
So you cannot catch your employees with their pants down (literally), but what about when the employee is in a restricted area of your manufacturing plant? With the exceptions listed above regarding bathrooms and locker rooms, quality control and theft prevention are legitimate reasons for videotaping employee activity. Courts rarely recognize a reasonable expectation of privacy in the workplace. See Marrs v. Marriott Corp., 830 F. Supp. 274, 283 (D. Md. 1992) (holding that where an employee was videotaped picking a lock on a desk drawer, the employee had no reasonable expectation of privacy in an “open office”); Cox v. Hatch, 761 P.2d 556, 563 (Utah 1988) (finding no reasonable expectation of privacy in a “common workplace”).
Keep in mind, however, that the audio portion of any videotape would be governed by the wiretapping laws.
Preventing employees from downloading sensitive information
In March 2010, a computer-monitoring system helped save a hedge fund, Citadel, from a trade secret misappropriation of great proportion. A quantitative engineer, Yihao “Ben” Pu, working with proprietary trading formulae and strategies, had uploaded confidential material onto two “virtual machines” he had created on his Citadel computer in order to bypass computer security systems. When asked what had occurred, he responded by saying he was just uploading music, but the system could detect activity inconsistent with his story. Pu later attempted to discard the evidence by dumping the hard drives in a canal mafia-style, but the evidence was recovered and he was subsequently arrested.
This is a perfect case to illustrate how a network-monitoring system can aid in detecting the access and uploading of confidential material. In order to protect sensitive data, an employer can utilize both Intrusion Detection Systems and Intrusion Protection Systems. These systems monitor for malicious network activity, tracking use of the system and keeping records of access, including specific files accessed and any modifications made to them.
Are an employee’s emails private?
In most cases, no. The employer owns the email system at the workplace and is allowed to examine its contents. This goes for both intercompany emails and emails sent to or received from another source. Even in the case where an employer assured its employees that the emails would be kept confidential and privileged and would not be intercepted by the employer, and then proceeded to intercept an employee’s email for the purposes of determining whether or not the employee was making inappropriate or unprofessional comments, the court concluded that the interests of the employer in determining the professional conduct of the employee outweighed any expectation of privacy the employee might have in his email communications. Smyth v. The Pillsbury Company, C.A. 95-5712, (E.D. Pa. 1996).
This rule generally includes private, web-based email accounts such as Yahoo and Gmail. Even a password-protected account is not likely to create an expectation of privacy. In another case, an employee used an eBay account with a password to sell goods he stole from the employer, then claimed that the employer breached his privacy by obtaining his password. OK, so you have to admit the guy’s got some nerve. Anyhow, the court stated there would be no “absolute expectation of privacy in records kept or accessed on his workplace computer, even if password protected.” Further, the court recognized there would be no reasonable expectation of privacy with a computer usage policy that “advised its employees that their computer activities on the office system were monitored.” Dwayne Campbell v. Woodard Photographic, Inc., et al., 2006 U.S. Dist. LEXIS 36680.
However, it should be noted that a recent case in which some employee privacy rights were recognized by the New Jersey Supreme Court challenges that standard.
In 2010, the New Jersey Supreme Court ruled that an employer’s attorneys violated an employee’s privacy when they read emails she had sent to her counsel from a company laptop through her personal, password-protected Yahoo email account. Stengart v. LovingCare Agency, Inc., 2010 WL 1189458 (N.J. March 30, 2010). However, this case was decided on the basis that the emails were protected by the attorney-client privilege, and did not address whether the employee would have a reasonable expectation of privacy with a non-lawyer.
So what’s an employer to do?
Protect, inform, get consent, maintain and remind employees of your trade secret policies. Employees need to know the boundaries of their access to trade secrets, how to treat trade secrets and the consequences if breached. It is important that these policies are set forth in clear and unambiguous language.
1. Non-Disclosure Agreements. Each employee should sign a non-disclosure agreement at the time of employment.
2. Company Policy. The company personnel manual should set out the company’s policies towards the treatment of trade secrets. Among other things, some specifics that should be covered are the policies towards accessing and downloading sensitive information, emailing confidential information, working remotely, traveling with laptops and other data-bearing devices, and the protection and return of confidential information. There should be a signature page for the employee to indicate consent to all policies. The following items should be addressed:
a. Electronic monitoring of employees.
b. The monitoring of phone calls. The policy manual should clearly state that all phone calls are subject to recording and that the employees have no personal privacy rights in the phone calls that are made from company phones.
c. No expectation of privacy in emails sent from the company computer system, even from private email accounts.
3. Mark confidential materials clearly and limit access to restricted areas of the computer.
4. Put locks on doors and file cabinets.
5. Issue employee ID badges.
6. Train employees and contractors to understand their responsibility in the protection of trade secrets.
7. Password-restrict and require user identification in order to access sensitive areas of the company files.
8. Regularly remind employees of their obligations towards trade secrets.
9. Conduct exit interviews with employees upon termination.
10. Consider getting a professional trade secret audit to reveal any gaps in company policies.
Keep in mind that union contracts may alter the privacy expectations of employees. Furthermore, the standards for employee privacy herein apply to private sector employees, rather than public sector or government employees.
Although there are no guarantees that a company’s trade secrets won’t be misappropriated or stolen by its employees, there are certain things you can do to protect your trade secrets from rogue employees. Monitoring employees on the computer, phone or in the office can be done legally, if consistent with state and federal laws. Clearly setting out your trade secret policies and getting employee consent for electronic monitoring will help you both PROTECT and COVER your . . . assets.