Protecting Confidential Information From Departing Employees

by Michael D. Gifford
Howard & Howard Attorneys PLLC

An undeniable tension exists between providing employees with confidential information and protecting that data from potential misuse.

Employers often need to trust their employees with valuable, confidential information. Many employees cannot function properly without access to information on processes, procedures, product performance, pricing, discounts and other information that the employer does not want to share with the public in general, and competitors in particular.

Employees equipped with a laptop or BlackBerry often maintain access to confidential information regardless of time or location. Often, that access makes them better employees, but it also risks unwanted disclosures, or even theft, of that information. Departing employees may forward data to personal accounts or copy it to portable media like CDs or flash drives. Although such acts often create a forensic trail, it may be time-consuming, difficult and expensive to prove. Even with a restrictive covenant forbidding departing employees from taking confidential information, obtaining an injunction or temporary restraining order may be difficult.

Two recent court decisions may help swing the balance back in the employer’s favor. In Sunbelt Rentals v. Ehlers, the Fourth District of the Illinois Appellate Court reversed an established line of decisions and made it easier for employers to obtain injunctions against former employees violating restrictive covenants. Illinois courts have traditionally required employers to prove that the restrictions were reasonable in duration and geographic scope, and that they served a “legitimate business interest.” Courts found a legitimate business interest where: (1) the employer had a near-permanent relationship with the customer, (2) the employee would not have had contact with the customer absent the employment, and (3) the employee attempted to profit from confidential information gained in the employment. Previously, every district of the appellate court had applied that requirement, often placing a high hurdle in the employer’s path to an injunction.

In Sunbelt Rentals, the court rejected the legitimate business interest element and held that “courts at any level, when presented with the issue of whether a restrictive covenant should be enforced, should evaluate only the time-and-territory restrictions contained therein.” In that case, a restriction of one year and 50 miles was held reasonable.

Should employers immediately impose restrictive covenants on all their employees? Not necessarily. First, standing against a line of prior decisions makes this issue ripe for review by the Illinois Supreme Court. However, this case has been settled, and will not be reviewed on appeal. Any consideration of this new rule must await a future decision. Second, the law remains unchanged in most of the state outside the boundaries of the Fourth District, including Peoria, Chicago, the St. Louis Metro East area, and Rockford. Also, new restrictive covenants would need to survive as a valid contract, including the requirement of consideration—the employer would have to give the employee something of sufficient value to validate the contract.

Further, do not assume that the legitimate business interest element is completely gone, even within the Fourth District. Among the factors a court may consider in evaluating the time and territory restrictions is the nature of the interest being protected. The more widespread the employee’s duties and the customers with which he or she dealt, the wider a territory will be reasonable. The more specialized the knowledge and the type of business competition involved, the longer a time may be reasonable.

Employers have also utilized the federal Computer Fraud and Abuse Act (CFAA) against disloyal employees. One of the leading decisions in this area was issued by the Chicago-based U.S. Court of Appeals for the Seventh Circuit in International Airport Centers, LLC. v. Citrin. The CFAA criminalizes access to a computer that is either “without authorization” or that “exceeds authorized access.” In Citrin, the court held that an employee’s disloyal use of a computer by copying information while planning to depart is without authorization and a violation of the CFAA. Even if the employee would otherwise have had access, the disloyal use served to void that right. Not every court has agreed with this approach, and the U.S. Supreme Court has not yet addressed the issue. Nonetheless, at least within the Seventh Circuit (including all of Illinois), the CFAA provides employers a potential weapon.

There exists an undeniable tension between providing employees with confidential information necessary to do their jobs, and protecting that data from potential misuse. What should employers do?

  1. Consider the need for a restrictive covenant for all employees accessing confidential data or involved in important business relationships. Assess the information that the employee could take if departing, and how that would hurt the business. Restrictions should be crafted to address those concerns, rather than assuming that some stock formula of time and distance will always be appropriate and legally enforceable. One size does not fit all. Document the process by which your time and distance limits were reached and the specific interests being protected. The employee should acknowledge those interests in the document.
  2. Take reasonable steps to limit access only to the confidential data needed by employees to perform their duties. Preventing unnecessary access is better than trying to recover data after the employee leaves.
  3. Meet with employees and clarify the information that the company claims as confidential. That clarification confers value, whether or not an employee leaves. Have the employee acknowledge the scope of confidential information and his or her duty to maintain confidentiality.
  4. Require employees to acknowledge the restricted purposes for which they may access confidential information and that accessing that information for any other reason is a violation of the CFAA.

The time devoted to preventative efforts to protect your confidential information is better spent than the time and money expended after the fact to recover that data and remedy the damage caused by disclosure. iBi