Protecting & Handling Confidential Information
The security and confidentiality of confidential information should be of the utmost importance to a company. This section will provide you with resources on protecting confidential information, including the receipt and handling of the confidential information of third parties.
Protecting & Handling Confidential Information – Topics
Confidential Information Basics
Protecting Company Confidential Information
Receiving Confidential Information from Third Parties
Nondisclosure Obligations and Agreements
Protecting Confidential Information as a Trade Secret
Employee Responsibilities
Confidential Information Basics
Confidential information can be written or verbal. One issue that arises under an NDA is how to handle verbal information that is transferred between two parties.
Every employee should understand the basics of identifying and handling company and third-party confidential information. This begins when a new employee joins your company and should be periodically refreshed to accommodate new and ongoing relationships.
Confidential information is generally defined as information disclosed to an individual employee or known to that employee as a consequence of the employee’s employment at a company. This information isn’t generally known outside the company or is protected by law. Confidential information can include information in any form, such as written documents/records or electronic data.
Examples of Confidential Information | |
Business & Marketing Plans | Information Received from Third Parties |
Company Initiatives | Company Financial Account Information |
Customer Information and Lists | Social Security Numbers |
Information Relating to Intellectual Property | Payroll and Personnel Records |
Invention or Patent | Health Information |
Research Data | Self-Restricted Personal Data |
Passwords and IT-related Information | Credit Card Information |
5 Examples of How Confidential Information Can Be Used
- Protect ideas that offer a competitive advantage, enabling a company or individual to get a head start on the competition (e.g., an idea for a new type of product or a new website).
- Keep competitors from learning that a product or service is under development and from discovering its functional or technical attributes (e.g., how a new software program works).
- Protect valuable business information such as marketing plans, cost and price information and customer lists (e.g., a company’s plans to launch a new product line).
- Protect “negative know-how.” That is, information you’ve learned during the course of research and development on what not to do or what does not work optimally (e.g., research revealing that a new type of drug is ineffective).
- Protect any other information that has some value and is not generally known by your competitors (e.g., a list of customers ranked by how profitable their business is).
Protecting Company Confidential Information
Confidential information plays an important role in business competitiveness and success. It is also necessary to ensure protection of company trade secrets under state or federal laws. These laws require that a company’s confidential information is subject to reasonable efforts to maintain its secrecy. Accordingly, the following practices should be considered.
- General safeguarding. All confidential information of a company should be restricted from the view of the public – i.e., only those that have agreed to keep it confidential should be allowed to view the information. Reasonable efforts should be made to protect trade secrets.
- Safeguarding of electronic information. Access to computer systems containing confidential information should be restricted to only those that are under an obligation to keep the information confidential. Employees’ logins and passwords should not be shared with others.
- Restricted distribution. Distribution of confidential information should be restricted to those who have a legitimate business need to know it whenever feasible.
Receiving Confidential Information from Third Parties
If you’re the receiving party, you’re getting confidential information from another party. It may very well be that the relationship comes to an end. It may go sour, or you might just move on to other relationships.
If not handled carefully, the receipt of confidential information from third parties can subject a company to unwanted competitive restrictions or liability. Accordingly, the three practices below should be taken into consideration.
- Company personnel should avoid receipt of the confidential information of third parties unless the receipt is covered by a Non-Disclosure Agreement (NDA), or agreement waiving the disclosing party’s rights, approved in accordance with a company contract management policy.
- Distribution of third party confidential information to employees should be restricted to those who have a legitimate business need to know it. Disclosure of third party confidential information to another third party may be done only in accordance with the terms of the applicable NDA and after consultation with the company’s legal team.
- Never use third party confidential information obtained through inappropriate means such as misrepresentation or omission of important facts.
Nondisclosure Obligations and Agreements
At the heart of it, an NDA includes a promise not to disclose confidential information. There are also other things that can be included in those agreements.
Choosing the Appropriate NDA
A company’s legal team should maintain non-disclosure agreements (NDAs) to be provided for use in the following situations:
- Two-Way NDA. Covers mutual sharing of confidential information between a company and a third party. This imposes confidentiality obligations on both parties.
- One-Way NDA Out. Covers only disclosure of confidential information by a company to a third party. This imposes no confidentiality obligations on the company.
- One-Way NDA In. Covers receipt of confidential information from a third party. This only imposes confidentiality obligations on the company. The third party is under no confidentiality obligations.
NDA Considerations Relating to IP
An NDA does not determine ownership of IP. NDAs are to be used for the purpose of protecting information at the stage where companies are determining whether to enter into a business relationship with another company. Because an NDA does not determine ownership of IP, no actual work (such as development work) should be undertaken under an NDA. Such work should be undertaken only after a definitive agreement which addresses IP ownership has been entered into.
Performing work under only an NDA leaves open the question of who owns the IP that arises out of that work. Consequently, a company may have to expend significant and unnecessary funds, and perhaps engage in litigation, to determine ownership of that IP. When a company decides it wants to enter into a business relationship with another company, and before work commences in that relationship, a company’s legal team should be notified so that an agreement addressing IP ownership can be entered into with the other company.
Protecting Confidential Information as a Trade Secret
Anything that a company regards as its confidential property, treats as confidential, and prevents others from accessing is something that can be protected as a trade secret.
A trade secret is a type of confidential information that receives additional statutory protection according to various state, federal and local laws. A trade secret is information that:
- Is not generally known to the public – in other words, it is confidential information
- Confers some sort of economic benefit on its holder (where this benefit should derive specifically from it not being publicly known, not just from the value of the information itself)
- Is the subject of reasonable efforts to maintain its secrecy
While trade secrets can carry more value than ordinary confidential information, it is important to handle both with heightened scrutiny when sharing with parties outside a company or in situations where public disclosure is possible.
Employee Responsibilities
Confidential information often derives its value from its ability to be used for some purpose within a company. Employees in various parts of a company should be aware of proper handling and safeguarding of company and third party confidential information.
Each employee should have the following responsibilities under a confidential information policy:
- During employment and after the termination of employment, an employee should hold all confidential information in trust and confidence. The employee should only use, access, store, or disclose confidential information as appropriate in the performance of their duties for the company. An employee should comply with all applicable state and federal laws and company policies relating to access, use, and disclosure of confidential information.
- An employee should only store or communicate confidential information using a company’s information systems.
- An employee should not remove materials or property containing confidential information from the department unless it is necessary in the performance of the person’s job duties. If an employee works outside of the office, they should take steps to ensure that confidential information is secure and is protected from theft or disclosure to unauthorized persons.
- An employee should not seek to obtain any confidential information involving any matter which does not involve or relate to the person’s job duties.
- If an employee has any question relating to appropriate use or disclosure of confidential information, the employee should consult with appropriate company personnel.
- Each employee should promptly report to their supervisor any known violation of a company’s confidential information policy by the employee or a third party.