Privileged information

Both clients and design consultancies must have security measures to safeguard sensitive information, argues litigation solicitor Ian Hargreaves

If you tend to leave sensitive client information on the desk it’s high time to consider the possible repercussions of your actions.

Fmcg giants Unilever and Proctor & Gamble have finally settled a commercial espionage dispute, which has been ongoing for six months. It is reported that Proctor & Gamble, owner of brands such as Pantene and Vidal Sassoon, admitted spying on Unilever’s hair-care division (Salon Selectives and Finesse). It is believed that Proctor & Gamble has agreed to pay Unilever $10m (£7m) and allow an unusual third party audit to monitor its own haircare division. This should surely set alarm bells ringing and prove a salutary lesson to the business community, especially consultancies that rely heavily on research and development, marketing and brand names.

According to the Futures Group, 60 per cent of US companies have an organised system for collecting information on rivals and 82 per cent of companies with a revenue of more than $7 billion (£5 billion) make systematic use of it.

In April, Proctor & Gamble revealed that the competitor-intelligence contractors they had hired had taken improper steps in gathering information on Unilever’s haircare division. The agents were said to have posed as market analysts and to have rummaged through rubbish bins outside Unilever’s Chicago offices, taki

ng approximately 80 documents during a six-month period.

Proctor & Gamble admitted to spying and took immediate steps notifying Unilever, also dismissing at least three employees who were involved. Though Proctor & Gamble has protested that the activities were not in keeping with its policies and that the actions of its agents had violated the company’s ethics, it would be naive of the business world to believe that commercial spying is a rare phenomenon.

As brands, product designs and marketing initiatives become ever more important to the success of many client companies, the precautions that clients and their consultancies put in place regarding such threats must increase.

Business success is driven more than ever by information, which the Department of Trade and Industry recently described as a company’s most valuable asset. As well as a natural desire to protect a company’s key information, there is also a legal requirement to protect information – for example, personnel records – and companies must be careful not to fall foul of the Data Protection Act. A number of preventative, practical steps can be considered.

First, a company must assess how confidential information may threaten its business. The threat can manifest itself in various ways, including: disaffected staff and insiders – motivated by personal gain or out of revenge; fortuitous access – where documents are left unattended and information brokering; and organised crime – information being stolen to order.

Preventative steps of both a legal and practical nauture must then be taken to avoid the loss of confidential information. Confidentiality agreements with third parties and employees are essential.

Such agreements have a dual purpose: they indicate how the receiving party is expected to behave and what the sensitive issues are, and, second, they vary/ extend the protection that the law provides in relation to a party’s confidential information.

Employees and confidential information are a dangerous mix. Confidentiality agreements/ clauses and restrictive covenants, especially in key employees’ Contracts of Employment, need to be tightly drafted. Although they need to be extensive in their reach, care must be taken that they are not too wide and against public policy in that they are anti-competitive and a restraint of trade.

Design businesses should consider the need to set up internal controls and implement a secure document management system. Employees’ awareness of the risks needs to be raised and the classification and marking up of information may be appropriate. Classification should reflect the extent of damage caused if the information is leaked, although this needs to be applied consistently across the company. Furthermore, there needs to be a clear management commitment to the protection of confidential information.

Although Proctor & Gamble admitted to and has reached a compromise with Unilever regarding its commercial espionage, the dispute with Unilever serves notice that there are people out there who will take full advantage of a company’s failure or ignorance to protect its confidential information.

The potential losses can be enormous. Both practical and legal precautions are essential to give your business a chance at protecting its future.

Action to protect sensitive client information

Access to information

Limited to authorised personnel

Stored under conditions that make accidental exposure unlikely/ deliberate misuse detectable

Mark documents clearly with internal classification markings, leaving no doubt as to the sensitivity of material

IT Systems

Strongly secured with approved access controls which are highly resistant to penetration by a hacker

Effective monitoring proceedings should be in place to detect unauthorised access

Distribution

There should be accurate monitoring of the recipients of sensitive information and the recipient should confirm that he or she understands the sensitivity of the information

All copying must be authorised, with the number of copies taken limited to the number of copies required

When placed in external mail it should be in secure packaging and the sensitivity level should not be apparent from the outside covering

Where possible, deliveries should be made by a trusted individual or when sending by mail in a double-sealed envelope with the inner envelope marked with the internal security classification

Electronic/ Telephone Distribution

Faxes should only be sent over approved secure fax systems. Where they are to be sent to a particular individual, that individual should be required to collect the fax

Telephone conversations and electronic mail should be carried out over approved, secured systems

The electronic mail system should be specially secured to prevent accidental or deliberate misrouting of messages

Destruction/ Disposal

Documentation should be destroyed by an approved person or organisation

Hard disks should be destroyed by an approved company

All image, archive and back up copies should be destroyed or protected as appropriate

Out of the Office

Work carried out at home or when travelling should be approved and approved security facilities should be present

Latest articles