When the draft document overturning Roe v. Wade was leaked to the press, many senior HR executives took notice. The leak brought to mind the theft of proprietary information within their own organizations. How can employees be deterred from walking off with company trade secrets and other information targeted by competitors?
"Insider threats have long been a threat when it comes to disclosure of sensitive information," said Risa Boerner, an attorney with Fisher Phillips in Philadelphia. "Having appropriate policies in place and limiting access to confidential and sensitive information can greatly reduce the potential for disclosure of that information."
Training employees on confidentiality and security policies can also be an effective method of reducing the potential for disclosure of sensitive information.
As for the judiciary, "I suspect courts from the Supreme Court down to the trial level will begin to implement tighter security measures to prevent future releases," said Adam Herzog, a plaintiff's attorney with Katz, Marshall & Banks in Washington, D.C.
"That said, the relationship between judges and clerks is a special one, and I'd like to think that despite this episode, judges will continue to place a high degree of trust and faith in their clerks," he added. A clerk is the most likely suspected source of the leak.
If the identity of the person who released the draft opinion comes to light, "I expect that person will be subject to criminal liability for, among other things, theft of government property. In the event we learn that a justice was actually responsible, which would be shocking, I believe that impeachment is possible."
Employer tools to prevent breaches of confidentiality are statutory and contractual, Herzog noted.
Important statutory protections include the federal Defend Trade Secrets Act and the state version—the Uniform Trade Secrets Act. The Computer Fraud and Abuse Act prohibits the unauthorized access of employer documents, but a Supreme Court case applied a narrow interpretation of what constitutes unauthorized access, Herzog noted. Employees also owe a legal fiduciary duty to employers, which can be breached in some cases by an employee who misappropriates or improperly uses an employer's confidential information.
Not all confidential information qualifies as trade secrets, so employers commonly insist that employees sign confidentiality agreements and nondisclosure agreements that extend protections for employer information beyond what statutory and common law provide.
"The more clear and precise definitions included in the agreements, the better the protections against information theft for employers," he said. "The more steps employers take to delineate information they actually want protected as secret and confidential, the more effective they will be from preventing releases in the first place and the more likely they will be able to take action against employees who engage in improper disclosures."
"Employers should have strong confidentiality policies in place and should reinforce those policies through training conducted on a regular basis," Boerner said.
She added that employers should consider limiting access to confidential information on a need-to-know basis with appropriate security in place to restrict access.
"Employers can also reduce the risk of disclosure of confidential information by implementing security controls, including for example restricting or eliminating the use of external storage devices, limiting or eliminating the use of cloud storage accounts to which employees might otherwise upload sensitive information, and logging and monitoring access to highly sensitive data within the company's systems," she said. "Monitoring of e-mails sent from the employer's system to external accounts can also help to quickly identify the potential dissemination of confidential information by employees."
Liability concerns for breaches of confidentiality include potential civil claims, regulatory investigations, or penalties resulting from the disclosure of personally identifiable information (PII), personal health information (PHI) or payment card information (PCI), Boerner noted.
Civil claims may include negligence claims as well as class-action lawsuits resulting from a data breach incident. Some state data breach notification laws provide for private rights of action.
Companies also could face invasion of privacy claims, she added.
As for HIPAA, its application "is widely misunderstood," Boerner said. "HIPAA does not protect all health information. It only applies to covered entities and business associates."
"Many times, breaches will not trigger HIPAA because the information involved is not actually used or maintained by a HIPAA-covered entity such as a health benefit plan," explained Tim Stanton, an attorney with Ogletree Deakins in Chicago.
Responding to the Release of Confidential Information
Once an employer is on notice that there has been a release of confidential information, the business should take steps to recover the information, avoid further dissemination and immediately suspend the access privileges of the employee responsible for the disclosure, if that individual is known.
The employer should "quickly identify the nature of the information and determine whether it contains protected information that may trigger data breach or other notification obligations, including PII, PHI, PCI or other sensitive data," Boerner said.
"Public policy concerns can and do trump employer confidentiality interests in many instances—especially in whistleblower contexts," Herzog said.
Whistleblower protections rarely protect employees who disclose confidential information via the press or social media, he noted. Practical considerations, however, may prevent employers from choosing to discipline employees who share information that finds a sympathetic public audience, he added.
Allen Smith is the Manager of Workplace Law Content for the Society for Human Resource Management, where he oversees employment law coverage. For a complete list of articles, visit Allen's SHRM author page.