A decade ago, employees moving to a different company would often grab a few pens and pencils from the stationery cupboard as they left the office. However, modern technological developments have given departing workers access to a wealth of confidential information which could prove useful in their new job. Dan Martin, HR Zone business editor, examines what HR departments can do to prevent intellectual property (IP) theft and the process to follow should pilfering be discovered.

Technology’s to blame

Businesses have without doubt benefited massively from developments in information technology. From email and the internet to online accounting systems and data storage, technology has speeded up business processes allowing those of all sizes to operate more efficiently. However, at the same time, that same technology has meant it has become easier for those intent on stealing information to achieve their aims.

Simon Janes, a former detective at New Scotland Yard specialising in IT security operations, now runs the Computer Forensics Alliance (CFA), an organisation which offers an investigation service for firms hit by employee theft. He argues that modern technology has made company information much more valuable. “Years ago some company secrets were stolen but they were generally in a four draw filing cabinet which couldn’t be sneaked out of the building”, he says. “Nowadays, information is more valuable. It is processed stored and almost a commodity.”

The size of technology has also contributed to the problem. As systems have progressed, the kit for using them has got smaller. Tony Heywood, from Hummingbird, says devices such as USB sticks and MP3 players mean even relatively technologically inexperienced employees can easily steal information. He comments: “Using a simple MP3 player, someone with reasonable experience can steal information which even an experienced examiner would be hard pressed to find.” Simon Janes agrees saying that mobile phones acting like talking computers and wireless connections are helping to make it simpler to steal valuable information.

Stop it before it happens

Contract clauses

HR departments have a key role to play in the prevention of IP theft, even before an employee joins the company. Many businesses fall foul of thieves because they fail to take the problem seriously meaning effective preventative measures are not put in place.

Hummingbird’s Heywood argues that HR’s role in the issue compares to the function of airport security officials in preventing terrorism. “Airports make the effort to stop people taking dangerous material onto planes but the real substance of prevention is the screening and intelligence before suspected terrorists get on board,” he says. “HR departments should be a bit like the airport screeners.”

Ensuring contracts of employment are appropriately worded and contain the relevant protections should be HR’s first action in preventing IP theft. “Without express terms confirming an employee’s duty not to disclose confidential information an employer has to rely on implied terms which do not offer as much protection,” says Helen Badger, associate solicitor at Browne Jacobson. “HR departments therefore need to understand what the potential risks are and what type of confidential information the company needs to protect in order to draft appropriate contractual clauses.”

What needs to be protected will vary according to the particular organisation although it is advisable for firms to avoid using vague terms in contracts such as “all confidential information”. Badger recommends that where there is specific information which needs to be protected, such as a manufacturing process or design, the number of employees party to it should be kept to a minimum. “The more people that know about it the less likely it is a court will deem it to be sufficiently confidential to warrant protection,” she says. “Where such information is disclosed, it is important the employer impresses to the employees to whom it is disclosed, the highly confidential nature of the information.”

Communicating unacceptability

Communicating to the entire workforce that IP theft is unacceptable is also vital and should be an action in which HR departments take a lead. CFA’s Janes argues that many employers fail to take the problem seriously which communicates to workers an aura of acceptability. “Awareness and education is key,” he says. “There are people out there who don’t stop and think about IP theft and believe it’s wrong. It’s like drink driving 15 years ago when many people thought it was fine to have a few pints and drive a car. Now most people accept it’s morally wrong to drink and drive.”

Gardening leave

In addition to contract clauses and employee education, most experts agree that gardening leave has a part to play in the prevention process. However, gardening leave will fail to achieve its aim if it is not managed properly.

Under the procedure, used mainly in sales environments, a departing employee is prevented from going to work for another firm to whom information might be useful for a limited period of time in the hope that the information will become less valuable. However, to ensure this course of action works, firms must include an express right to place an employee on gardening leave in the contract. “It is also important that there has been no breach of the employee’s contract of employment prior to them being placed on gardening leave which would entitle the employee to claim that the contract has no effect,” says Badger from Browne and Jacobson. “To ensure there are no breaches of contract employers need to be careful to follow any contractual procedures properly and not cut corners in trying to dismiss an employee they believe to be guilty of IP theft.”

Although gardening leave does have some value in theft prevention, it does not work on its own. It should form part of a business’ entire employee exit procedure. Janes believes it is important for HR to review the way they deal with all elements involved when an employee leaves. “One major thing that causes problems is not having a proper exit procedure,” he says. “When an employee is asked to return company assets such as floppy disks, USBs and laptops, it should be clear who takes them and who makes sure the company has got them all back.”

Share the love

It may be obvious but a key procedure in IP theft prevention is cooperation between company departments. If HR managers do not communicate effectively with their IT counterparts, companies can leave themselves more open to problems. As Heywood says: “HR should let IT know well in advance that someone is leaving rather than the morning of or the day before.” That way, system logins and other IT access can be shut down. There’s little point in sending someone on gardening leave if they still can still get to company data.

The value of monitoring

Monitoring employee use of technology systems is another method which can assist in the prevention process although firms should bear in mind the legal implications. It is crucial that staff are informed that their use of systems might be monitored otherwise firms risk breaching data protection legislation. Badger advises HR to ensure policies are in place to notify employees their use of systems may be monitored. “Organisations need to carry out impact assessments in which they weigh up the intrusion in to an employee’s personal life, against the needs of the business,” she says. “Where the potential intrusion is limited as much as possible and the risks to the business of information being taken by employees and used to their benefit is great, you should be able to justify the monitoring process.”

Heywood says although firms must bear in mind the human and data protection rights of their staff, monitoring should generally not be problem. “Firms should employ a wholesale approach to information,” he adds. “If the IT systems put in place are suitable, there is nothing to stop people from only having access to information appropriate to their job.”

Heywood claims that monitoring can also help in identifying employees who are intending to get another job. “People who chose to leave a job often give no verbal indication to the company,” he says. “If a firm has got systems in place to monitor unusual IT activity, employers will be alerted to someone who may be intending to leave.”

When thieves strike

Unfortunately, employing all the prevention measures in the world will not necessarily mean that corporate information is not stolen by employees. A determined worker with knowledge of IT is quite likely to get hold of the data he or she requires.

When thieves do strike and suspicions are raised, HR departments should proceed carefully in their response. Employers should inform a person under suspicion the reasons for the investigation stating on what grounds the decision has been made.

“Firms should investigate carefully,” Janes says. “It’s very easy to make a knee jerk reaction without knowing all the facts. For example, an e-mail address on a suspicious message does not necessarily mean that person did it. Initially allegations may initially be made about someone but it may turn out that it’s someone else trying to put another employee under suspicion.”

Effective cooperation between HR and IT is again important in this area. It is very easy for allegations of IP theft to be made and HR departments to steam in and examine computers for evidence. However, without specialist knowledge it’s very possible that such evidence will be lost. Therefore, HR should always remember to call in the IT experts, whether that be internally or externally.

“The worst thing an unknowledgable employer can do is start messing around with the employee’s computer,” Janes added. “If that happens, when investigators are called in they might find HR has destroyed all the evidence and nothing more can be done. If in doubt, seek proper advice on what to do.”