Confidentiality: Keep your IP and data safe

Your intellectual property and your own data are amongst the most valuable assets your business has.

Customer lists, passwords, recipes, bespoke code, funding applications and business plans are just a few examples of confidential information you should be keeping as secure as possible.

We’ll take a look at keeping your own IP and data safe in this overview guide.

To measure yourself against our IP and data-handling checklists, and to ensure you’ve got the right measures and protections in place, take a look at our IP guide and our suite of data protection guides.

And it’s not just your own confidential information that needs to be kept safe.

The laws on data are growing ever stricter and more exacting too – particularly regarding customer data, such as names, contact details, order details, and other sales activity that’s shared with you.

How you ask for, handle, use, and store customer data, online or offline, is all subject to legal obligations that you must comply with to avoid fines and other undesirable legal consequences.

You might handle these types of data, but you do not necessarily own them or have unconstrained freedom to determine what to use them for.

You’re entitled to protection

Having your confidential information taken or distributed can cause your business huge problems – such as voiding your patent applications or providing competitors with your trade secrets.

There are essentially only four scenarios in which it’s ok for your confidential information to be shared:

• If you’ve granted permission
• If it’s in the best interests of the public (usually something that only a court or regulator can determine, not just anybody)
• If it’s required by law (e.g. as part of an investigation or court action)
• If it’s naturally entered the public domain (e.g. if you’ve sold products to customers who are publicly displaying them, so it’s clear they are your customers and what they are buying from you)

In any other situation, it is not ok and you are entitled to prevent that information from being shared in any way, including by legally obliging others to take on responsibility for protecting it too.

To prevent this from happening to your business, there are two main areas you need to concentrate on: how you share your information and how you work with the people you share it with.

How to manage the people who hold your information

1. Draft non-disclosure agreements for all parties to sign – NDAs clearly set out what information mustn’t be openly shared with other.

2. Make use of employment contracts – clearly state confidentiality terms, restrictive covenants (what kind of work employees can’t do during their period of employment with you or for a set timescale after leaving the company), and the consequences of breaching the terms

3. Have a clear, well-communicated position on confidential information (the best way to do this is to spell it out clearly in employment contracts and/or any supporting data and/or information related employment policies.

Then ensure all staff and contractors or other workers understand what you consider to be confidential and non-disclosable

4. Have a clear and accessible data management policy which defines appropriate storage locations for information.

This should ensure that all staff, contractors or other workers understand which tools and software are to be used to store different types of information

5. Limit access to information: ensure that employees only have access to information and systems that they need access to

6. Carry out thorough reference checks on new hires – to prevent entering business relationships with untrustworthy individuals

7. Train employees about how information could be unintentionally leaked – such as leaving their computers open around other people, discussing the information with colleagues in public, losing their mobile equipment in public places or not acting reasonable in keeping it safe from theft, etc.

8. Manage leavers and equipment they’ve used effectively: collect all equipment and confidential information from leavers of the company before they leave the building on their final day – whether they are employees, freelancers, or other workers

9. Don’t let leakages go unchecked or unactioned – otherwise you might be at risk of tacitly consenting to, contributing to, or worsening the disclosure situation

What employees do with data can sometimes be unforeseen but there are real risks to be aware of.

A large supermarket chain recently found itself held responsible in the UK courts after a malicious data breach by one of their own employees.

The employee had been caught trying to sell the details of 100,000 of his colleagues on the dark web.

Subsequently, some of the affected members of staff brought a group litigation against their employer and although the supermarket was found to not be directly responsible, they were still found to be liable for the actions of one rogue employee.

When important information leaks even despite your best efforts

Even if you follow all of the above advice, it’s still possible that someone lets something slip.

As long as your information is classed as a business secret, (it’s not public knowledge or public property, and it doesn’t have consent to being shared), it’ll be protected by the law of confidence.

It will also be protected by the contract law, providing you have confidentiality terms in documents such as your employment contracts and NDAs.

In practice, this won’t undo the fact of the leak or the damage that you may suffer as a result.

But it will provide you with the right to compensation for the damage that you suffer and, potentially, with the ability to mitigate that damage from spreading and having greater impact.

How much and what form that compensation takes will depend on whether you have contractual protections in place or you’re relying on the more general law of confidence.

Your remedies may potentially even extend to application of some of the criminal laws, such as those relating to conspiracy, industrial espionage and/or theft – though these types of action can be costly to pursue.

What to do if you suspect or know that your confidential information has been taken or shared

1. Be clear on if and how the information has been taken and disclosed – and by whom. Then try to prevent further disclosure and damage happening

• • It can often be difficult to prove that someone has unlawfully disclosed your confidential information, especially if there is no ‘paper trail’, such as an email or evidence of copying from one source to another. Many damaging disclosures can take place verbally.
  • Following the evidence trail, keeping a record of it and closing it down to prevent further leakage, where you can, is really important.

2. Speak with the discloser, especially if they are an employee or a contractor providing you with services. You may need to remind them of their obligations to you and potentially, if it’s an employee, to initiate your disciplinary process

3. Try to settle the matter between you – by asking the person leaking the information to return the information immediately and to formally agree to not share any more confidential information.

Get that commitment in writing – a clear email confirmation would be sufficient

4. You could consider using mediation if the person leaking the information disagrees with your accusation and denies leaking or sharing confidential information belonging to you.

Mediation involves a trained third party helping you both to reach an agreement without the need for more drastic action that is time consuming, expensive, and that can affect your public profile, like starting a court action

5. A last resort may be to start a court action – if there’s been a serious breach of a confidentiality contract or NDA and you’re likely to suffer substantial harm as a result of the disclosure.

A court can make a particular type of order called an injunction, requiring that all copies of your confidential information are returned, that no further disclosures may be made and that compensation for any damage you have suffered because of the unlawful disclosure is paid to you by the discloser