Businesses need to be systematic in their approach: beginning with sound governance and extending to having a response plan, shares Tess Lumsdaine, Partner in Baker McKenzie's Employment & Compensation Practice in Hong Kong.
Headlines this year have been dominated by layoff announcements as companies face economic headwinds and uncertainty. Where there is high employee turnover, the risk of a business's proprietary information and technology being stolen by exiting employees can increase. This asset is incredibly valuable, particularly where companies are looking to it to drive productivity and to attain a competitive edge, and HR professionals will be instrumental in its protection.
When facing this increased risk, businesses need to be systematic in their approach to managing confidential information: beginning with sound governance and extending to having a response plan so they can act quickly when data theft is suspected.
The importance of good governance
The starting point of good governance will be ensuring all employment contracts have comprehensive provisions setting out the employee's obligations, and the company's rights, in respect of confidential information and intellectual property. Where an employee has access to particularly sensitive proprietary information, the employer may also consider whether the employment contract should contain a post-termination non-compete term.
The recent Hong Kong case of BFAM Partners v. Gareth John Mills* indicated that where an employer pays the employee for the duration of the non-compete period, a court may be more willing to find the employee is not significantly prejudiced by being restrained from working, and the non-compete term can be enforced.
*BFAM Partners (Hong Kong) Ltd v. Gareth John Mills & Segantii Capital Management Limited  HKCFI 2904
Deciding whether to include a non-compete provision in the employment contract of a particular employee will depend on the specific circumstances, so businesses are advised to consider the role of the individual or groups of employees within the business and adapt their approach accordingly.
Additional measures to protect proprietary information
The terms of the employment contract should be supplemented by company policies including in relation to use of company's IT systems and equipment, as well as personal devices and third party apps, such as WeChat or WhatsApp, which are used to conduct company business.
Policies must provide clear guidance on what information can be shared over such devices or platforms, and the company's rights to review and monitor their use by employees. Employees should be trained on such policies periodically and, attendance records for such training should be kept.
Businesses should also conduct regular audits to review what confidential information is stored in the company's IT systems and how it can be accessed and used. Courts in Hong Kong have been critical of businesses that treat non-confidential information in the same manner as information that is considered highly sensitive. Therefore, any information that is no longer confidential should generally be separated from confidential information and no longer be subject to the same degree of security.
Finally, organisations should consider having a standard process in place which is applied to departing employees. This may include a review of email and IT use for a set period preceding their final day of employment, and a clear protocol on ensuring all company property is returned and reviewed to see if any files have been removed or copied. Further, companies should have a robust reporting channel which can be used to report suspected data breaches. This will permit the organisation to act quickly and seek to mitigate damage, when an incident occurs.
Baker McKenzie recently conducted a survey of 600 senior lawyers at large corporations across four continents and used the survey data to prepare the Global Disputes Forecast 2023. Of these survey respondents, 62% saw data and cyber security disputes as a risk to their organisation with one of the most significant data risks arising from areas that receive less attention: physical access to buildings, disposal of paper records, or simply employees discussing the corporation’s details with friends and relatives, or in a public place.
With employees nowadays distributed across geographies and conducting business on new platforms, these security considerations need to be more closely managed than ever. If they haven't already, businesses should ensure they have clear processes for secure disposal of documents containing proprietary, sensitive or confidential information and processes for loss or theft of company hardware such as phones, laptops or data storage devices. These processes must be clearly communicated to employees. Employees must also be reminded about appropriate places and methods of conducting company business including sensitive communications.
Remote working in some jurisdictions has also seen an increase in 'moonlighting', the practice of employees working two jobs.
With this comes an increased risk of conflicts of interest or breach of confidentiality arising, particularly where the secondary role is in a similar company or sector. To manage this risk, it will be critical to ensure employment contracts contain terms regulating secondary employment in addition to terms on confidentiality or conflicts of interest.
As organisations adopt new and varied technologies, from employee monitoring and productivity systems to new communication or technology platforms and which spread across different markets, HR and IT policies will need to evolve to remain fit for purpose.
Moreover, the divergence in data protection laws across the Asia Pacific region poses major challenges to organisations and HR professionals with a regional remit are likely to have a particular challenge in staying ahead of relevant emerging laws (for example, the data protection laws, which have been enacted in China, are currently being proposed in Malaysia and Australia). These laws may impact what employee data is collected but also, what steps an organisation is required to take if they suspect there has been a data breach, including theft of data by an employee.
Acting quickly when things go wrong
When an employee is suspected of stealing information, the key is to move quickly to preserve a broad range of data including email, phone and messenger records, printer and building access logs and file transfer or access records. The more data that can be reviewed, the clearer picture an organisation can build of what information may have been compromised.
Collecting evidence and mitigating fallout in such circumstances will be a joint effort between HR, IT, security and in-house and external legal teams.
It will be important in deciding what actions you can take to minimise damage to the business: from reporting conduct to the police or regulators to commencing civil action.
Ultimately, the actions which will be available to the business, will be largely dependent on the governance in place, and how quickly an organisation can act when suspected incidents occur.
Thank you for reading our story! If you have any feedback, feel free to let us know — take our 2023 Readers' Survey here.
Image / Provided (Author: Tess Lumsdaine, Partner in Baker McKenzie's Employment & Compensation Practice in Hong Kong)