In today’s increasingly litigious and highly competitive workplace, confidentiality is important for a host of reasons:
- Failure to properly secure confidential business information can lead to the loss of business and clients.
- In the wrong hands, confidential information can be misused to commit illegal acts (e.g., identity theft, fraud or discrimination), which can in turn expose the employer to costly lawsuits.
- Many states have laws protecting the confidentiality of certain information in the workplace, and violating them carries its own penalties.
- The disclosure of sensitive employee and management information erodes employee trust, confidence and loyalty, which in turn hurts productivity.
What Type Of Information Must Or Should Be Protected?
Confidential workplace information can generally be broken down into three categories: employee information, management information, and business information.
Employee Information: Many states have laws which govern the confidentiality and disposal of “personal identifying information” (e.g., an employee’s Social Security number, home address or telephone number, e-mail address, Internet identification name or password, parent’s surname prior to marriage or driver’s license number).
The Americans with Disabilities Act of 1990 (ADA) requires that employee medical and disability information be kept confidential, in files separate from the general personnel file, and limits access to those who have a “business need-to-know” (e.g., supervisors who need to know about restrictions on an employee’s work or other reasonable accommodations that must be made, safety personnel handling medical emergencies, and government officers investigating complaints of disability discrimination).
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates how covered entities (health plans, healthcare clearinghouses and most healthcare providers) and their business associates use and disclose individually identifiable health information (known as Protected Health Information). An employer acting as an employer is generally not a covered entity, so medical information held in employment records is governed by the ADA and state law rather than HIPAA; an employer-sponsored group health plan, however, is a covered entity and must comply.
Form I-9 (Employment Eligibility Verification) records must also be protected from accidental disclosure. Because the form and its supporting documents reveal national origin, citizenship status and age, they should be kept confidential, and separate from the personnel file, to avoid discrimination claims from employees.
Management Information:
Confidential management information includes discussions about employee relations issues, disciplinary actions, impending layoffs/reductions-in-force, terminations, workplace investigations of employee misconduct, etc. While disclosure of this information isn’t necessarily “illegal,” it is almost always counterproductive and can seriously damage the collective “psyche” of a workplace.
Business Information:
We often refer to confidential business information as “proprietary information” or “trade secrets.” This is information that is not generally known to the public and would not ordinarily be available to competitors except through illegal or improper means. To qualify for legal protection as a trade secret, the information must also derive value from not being generally known, and the owner must have taken reasonable measures to keep it secret, which is one reason the policies described below matter. Common examples of trade secrets include manufacturing processes and methods, business plans, financial data, budgets and forecasts, computer programs and data compilations, client/customer lists, ingredient formulas and recipes, membership or employee lists, supplier lists, etc. Trade secrets do not include information that a company voluntarily gives to potential customers, posts on its website, or otherwise freely provides to others outside the company.
What Steps Can Be Taken To Better Protect Confidential Information?
Develop written confidentiality policies and procedures: Every business/organization should have a written confidentiality policy (typically in its employee handbook) describing both the type of information considered confidential and the procedures employees must follow for protecting confidential information. At the very least, we recommend employers adopt the following procedures for protecting confidential information:
- Form I-9s and employee medical information should each be kept in their own files, separate from the general personnel file.
- All confidential documents should be stored in locked file cabinets or rooms accessible only to those who have a business “need-to-know.”
- All electronic confidential information should be protected with access controls (unique accounts, strong passwords and, where available, multi-factor authentication), encryption of data both in storage and in transit, and firewalls; access rights should be reviewed whenever an employee changes roles or leaves.
- Employees should clear their desks of any confidential information before going home at the end of the day.
- Employees should refrain from leaving confidential information visible on their computer monitors when they leave their work stations.
- All confidential information, whether contained on written documents or electronically, should be marked as “confidential.”
- All confidential information should be disposed of properly (e.g., employees should not print out a confidential document and then throw it away without shredding it first.)
- Employees should refrain from discussing confidential information in public places.
- Employees should avoid using e-mail to transmit certain sensitive or controversial information.
- Limit the collection of confidential client data (e.g., Social Security numbers, bank account numbers or driver’s license numbers) to what is integral to the business transaction, and restrict access to it on a “need-to-know” basis.
- Before disposing of an old computer, use data-wiping software to overwrite the drive or have the hard drive physically destroyed; simply deleting files or reformatting does not remove the data. Overwriting is not reliable on solid-state drives, so for those use the drive’s built-in secure-erase function or physical destruction, and apply the same rule to phones, USB drives and copiers with internal storage.
A confidentiality policy should also describe the level of privacy employees can expect relating to their own personal property (e.g., “for your own protection, do not leave valuable personal property at work and do not leave personal items — especially your purse, briefcase or wallet — unattended while you are at work”) and personal information (e.g., “your medical records are kept in a separate file and are kept confidential as required by law”).
Finally, all businesses/organizations should have their confidentiality policies reviewed to ensure compliance with state law. For example, the New York Employee Personal Identifying Information Law, which became effective January 3, 2009, requires the creation of policies and procedures to prevent the prohibited use of “personal identifying information” and requires employers notify employees of such policies and procedures.
Train management and employees on confidentiality policy: Oftentimes, simply having a written confidentiality policy is not enough. In order for the confidentiality policy to be effective, managers, supervisors and employees must be educated on confidentiality issues and the company’s policies and procedures. Management and employees should be allowed an opportunity to ask questions about the policies, and everyone should be trained to avoid putting sensitive information in e-mails. Many companies and organizations include this training as part of the new-hire/orientation process.
Management should also be instructed as to the proper way of communicating with the company’s inside and outside counsel so as to ensure that certain work-related documents and e-mails are protected by the attorney-client privilege.
Enforce Confidentiality Policy:
This is one of the most important steps a business/organization can take to protect its confidential information, and unfortunately, it’s oftentimes the one step that is ignored. All the policies, procedures and training in the world will not matter if those policies and procedures are not enforced. In order for a confidentiality policy to have “teeth,” employees who violate the policy must be disciplined in accordance with an employer’s corrective action procedures.
Consider Having New and/or Current Employees Sign a “Non-Disclosure” Agreement:
These agreements go by many names. Sometimes they are called “non-disclosure agreements,” and other times “proprietary information agreements.” Regardless of title, they are contracts designed to protect the confidential “business information” described above (e.g., trade secrets). These agreements are vital to most businesses today, especially considering the ease with which employees can now electronically transfer large amounts of information, much of which would be incredibly damaging in the hands of a competitor.
When it comes to confidentiality, prevention and deterrence are key. The first question we ask our clients when they contact us in response to a potential confidentiality breach is “do you have a confidentiality policy and/or non-disclosure agreement?” The stronger your policies and agreements, the better prepared you are to take quick and effective action to protect your business/organization. Of course, we are always available to counsel employers in the area of confidentiality and to develop policies and agreements that provide businesses with the proper safeguards.