It is becoming more and more common to see news headlines announcing data breaches that result in confidential business and consumer information being stolen. Companies from Home Depot to Target to JP Morgan, as well as millions of customers, have been affected, and hundreds of millions of dollars will be spent on investigations, revamping security protocols, and compensating and retaining customers.
Less commonly reported, but equally problematic, is the all too common situation of employees stealing confidential data and business information. With the proliferation of email, portable electronic storage devices such as USB drives, and wireless networks, coupled with the emergence of the cloud, protecting against internal data theft is as important for companies today as protecting against hackers.
The risks are real. A 2009 study conducted by the Ponemon Institute revealed that 59% of employees who resign or are asked to leave take confidential or sensitive business information with them. The costs of such thefts are significant. The National White Collar Crime Center reported that: “It is estimated that losses due to employee theft can range from $20 to $90 billion annually to upwards of $240 billion a year when accounting for losses due to intellectual property theft.” In addition, employee theft “accounts for approximately 30 to 50 percent of all business failures.”
No industry is exempt from these dangers. In fact, the construction industry is particularly susceptible to the dangers of employee data theft. Most construction companies now rely on computers and related software for the entire lifespan of projects, including estimating, bidding, scheduling, claim and change order preparation, billing, and a variety of other tasks. A variety of proprietary information such as profit margins, labor rates, target jobs, and client lists is contained in such materials. Moreover, construction companies are inherently decentralized with employees at the home office and on job sites, which means email and remote access to computer networks are often required, and monitoring is more difficult.
The vulnerability of construction companies to theft of confidential information is underscored by the fact that there are published opinions dealing with such issues from state and federal courts across the country, including in Washington, Texas, New York, California, Georgia, Michigan, Pennsylvania, and Oregon. The multitude of reported cases is all the more significant due to the fact that the vast majority of lawsuits do not generate published opinions.
A Case Study
Given the level of employee turnover in the construction industry, and the ease with which such information can be taken, construction companies need to be particularly mindful of putting protections in place. Consider the following scenario, based on an actual case: A project manager asks his employer to renegotiate his compensation package, but makes demands the company feels to be unreasonable, and is told “no.” The project manager responds by getting a new job with a key competitor. Before resigning, the project manager stays late one night and downloads not only historical information regarding prior jobs, but also all available information on key projects on which the company plans to bid (including partially prepared bids), as well as current jobs. The information fits on a portable drive no larger than a pack of playing cards, and no one is aware that the information has been copied.
The employee also disrupts current projects by contacting equipment and material suppliers directly and cancelling orders, and informing subcontractors that a project has been terminated for convenience. While the company is scrambling to fix those problems, the employee organizes an exodus of other employees who join him at his new employer. The departed employees then begin submitting bids on projects with enough knowledge to slightly undercut their former employer.
The former employer eventually realizes what is happening and files a lawsuit against the employee. However, by then, the key competitor has been awarded and started work on a large project both companies bid on, and an existing project is behind schedule because critical materials were not delivered on time after the now former employee cancelled an order. Similarly, a long-standing customer cancels a job as work is about to begin, to avoid being dragged into the dispute.
Although the lawsuit filed by the former employer settles on favorable terms before trial, a large job has been lost, key executives have been forced to devote weeks of time to the case instead of to profit-generating activities, a relationship with an existing customer has been harmed, tens of thousands of dollars in attorneys’ fees have been spent, and the company will never know for sure whether its competitor retained a copy of confidential information.
In all likelihood most or all of these problems could have been prevented with advance planning. However, many construction companies lack sufficient safeguards to protect themselves from the damage a disgruntled employee can cause. To avoid situations like the one described above, companies should consider implementing or upgrading a number of important and overlapping safeguards.
First, all companies with employees should have an employee handbook in place that is provided to all employees and updated on a regular basis. The handbook should contain at least the following:
• An acknowledgement that all confidential information the employee learns of during his employment, regardless of whether it rises to the level of a trade secret, belongs to the company and cannot be disclosed during the employee’s employment or following the end of the employee’s employment, regardless of the reason the employee leaves.
• A policy describing exactly how employees are entitled to use and disseminate company confidential information. Included in this should be limits on when employees are entitled to copy, download, and email documents and other electronically stored materials.
• A policy with strict limits on how employer-issued computers, cell phones, and other electronic devices can be used.
• A policy allowing employers to monitor employee email.
• A policy that governs steps departing employees must take with regard to returning electronic devices upon resigning or being terminated.
• A policy that strictly limits the copying of company information and data.
• A clause in which the employee affirms his or her understanding that they owe the company a duty of loyalty.
• A provision that, in cases where the employee releases such information or is about to release such information, the company is entitled to have a court issue an injunction preventing the employee from using or releasing the information.
• A clause providing that in the event the employer gets an injunction, it is entitled to recover its attorneys’ fees from the former employee.
Further, unless the company is in a state like California that generally prohibits non-compete agreements, companies should strongly consider requiring all new employees to sign non-compete agreements upon being hired. Such agreements should restrict employees from working for competitors in certain geographic areas for a specified amount of time following the end of employment. They should also contain clauses providing for the issuance of injunctions to stop violations as well as the award of attorneys’ fees.
Also critical are electronic safeguards. Companies should consider restricting employees’ ability to install software on company-issued computers and other electronic devices, and limiting (by written policy and in practice) employees’ ability to download information and documents. Consideration should be given to banning employees from downloading information to USB drives, portable hard drives, and CDs, or at least restricting the ability to do so to a limited group of employees. Restrictions and safeguards should also be considered on whether employees are permitted to access company email accounts and computer systems with their own electronic devices. Certain information should also be password protected and accessible only by employees with a need to know.
Additionally, companies should have policies and procedures in place for what happens when an employee resigns or is terminated. To that end, the company should create and retain a ghost copy of all computers and other electronic devices the employee used. Email accounts should be maintained for easy access and, to the extent possible, a review should be undertaken of what the employee had been accessing, downloading, and copying in the weeks and months prior to his resignation.
Although there is no perfect way to protect against a determined and disgruntled employee, having the proper safeguards in place ahead of time can significantly reduce both the risks and the damage that can occur due to employee theft.