Many companies rely solely on non-compete and confidentiality agreements to protect themselves from getting stung by departing employees. But these steps do not address the ownership of your organization’s information.
Employment lawyers recommend that all firms, both large and small, establish information security policies (ISPs). By formalizing who can access the data that flows into and out of your company, you can stake a legal claim to ensure your information doesn’t fall into the wrong hands.
The federal government recently announced regulations that require all health-care providers to develop and implement ISPs. These regulations will most likely serve as a template for other industries to draft similar policies.
Consider these points when creating your policy:
Think low-tech. Don’t assume that you’re safe just because you operate a business that doesn’t rely on dozens of fancy mainframes. You need to identify the extent to which all your information is valuable and sensitive.
Open your file cabinets. You may find production records, client lists and accounting or personnel material that could harm or embarrass your company or your employees. Storing this material under lock and key isn’t enough; you also need to specify in your ISP that these types of documents are confidential.
Specify ownership. Every ISP should clearly state that the company owns and controls the information in its possession and the hardware and software in which it resides. The policy needs to explicitly forbid employees or contractors (current or past) from using the information for non-business activities and from removing or altering it without proper authorization.
Educate and enforce. The ISP should identify enforcement measures your company will take to protect its information and punish individuals who violate the policy. At the same time, it should emphasize the need to raise awareness among employees about the importance of safeguarding internal data. For example, you may want to assemble an “information security team” consisting of a cross-section of employees who help craft the policy and monitor its application.
Get signatures. Have all employees sign your ISP. Also require all vendors or contractors (from the cleaning crew to computer repair specialists) to sign the policy.