It’s a company’s worst nightmare – a rogue ex-employee with confidential company information blogging and emailing about that sensitive information, in particular alleging an unreported security breach by the company. (An alleged security breach caused by the loss of backup tapes, involving the loss of personal information, including names, addresses, social security numbers, payroll data, checking account and credit card information on approximately 400,000 customers.) But, if the former employee signed an employee covenants and non-disclosure agreement, an agreement in which the former employee agreed to maintain the confidentiality of company’s business information, the company can go to court and seek enforcement of the agreement. Problem solved, right? No. When the company in the Cambridge Who’s Who Publishing, Inc. v. Sethi case went to court and sought enforcement of their agreement in the form of an injunction to restrain the former employee’s continued disparaging remarks by blog and email, the company’s request was denied. Oh my!
In January 2011, the New York Supreme Court denied a company’s injunction requesting that a former employee be prohibited from making disparaging comments about the company. Cambridge Who’s Who Publishing, Inc. v. Sethi, 009175/10, NYLJ 1201482619238 (Sup. Ct. Nassau Cty. Jan. 25, 2011). A key factor in this denial was that the former employee was using social media and email to discuss a matter of public concern – an alleged security breach. The court stated that discussions on matters of public concern are protected by the U.S. Constitution. The judge acknowledged that the former employee’s intent may have been to disparage the business or to retaliate against the company for his discharge; but nonetheless, the content of the communication – the loss of personal information “implicates the economic interests of a large number of people” and that is protected free speech under our Constitution. The court held that the company had failed to establish ‘extraordinary circumstances’ to justify restraint on prior speech and denied the company’s injunction.
The true issue in this case is not the enforcement of the employment agreement, but the alleged security breach. So, remove the issue of the security breach. Arguably, if the former employee had not blogged or emailed about a security breach – a matter of public concern, then the company could have successfully enforced their employee covenants and non-disclosure agreement.
Protect your company with employee covenants and non-disclosure agreements, but add an Information Management and Information Protection Program. These defensible programs are designed to help your business find, use, manage, and protect company information by marrying policy/procedure and the right technology. In the case above, if the company had implemented Information Management and Information Protection Programs (and followed them), the company would have known if and where personal information resided on their backup tapes. They could have used appropriate technology, such as encryption to protect the personal information. (Under many states’ Breach Notification Laws, loss of encrypted information does not require disclosure.) And, if the company did experience a security breach, under their Information Protection Program, they would have made the appropriate timely disclosures to government and their customers, as required by law.
Don’t wait for the nightmare of an ex-employee, social media, and a security breach. Remove the security breach component by proactively establishing Information Management and Protection Programs, in addition to your employee covenants and non-disclosure agreement. If and when a security breach occurs, your company will be ready to respond appropriately and confidently. And, if a former employee makes disparaging comments about your company, the court can focus on the non-disclosure agreement, not on the security breach.
Author: Lisa J. Berry-Tayman, Esq., CIPP is the owner of Information Consulting, a consulting group focused on information management, information protection and e-discovery. She may be reached at LBTayman@InformationConsulting.biz or at 317-908-0377.