Definitely Not ‘Yours, Mine and Ours’

Definitely Not ‘Yours, Mine and Ours’

By Philip A. Toomey
Tips on Legally Protecting Your Customer Database

Sure, it’s a nice feeling when you’ve inspired an employee to start his or her own enterprise, but it’s like a cup of cold water thrown in your face when you discover that he or she has absconded with your customer names and information. So what can you do to keep this from happening?

There are six steps you can and should take to protect yourself from day one with each new hire. But first, you should understand the difference between two often-confused documents: the non-compete agreement and the non-solicitation agreement.

Non-Compete vs. Non-Solicitation

A non-compete agreement attempts to limit a trade or occupation engaged in by a former employee-effectively blocking that employee from starting the same type of business in a specified geographic area for a specified amount of time.

With a non-solicitation agreement, although a former employee can open a business in the same category as yours and without geographic limitations, he or she may be prohibited from soliciting your customers or employees.

What constitutes solicitation is a little complex and varies somewhat from state to state. In California, a former employee can use your proprietary customer information to announce the name, phone number and address of his or her new business. Anything beyond that, however, violates the anti-solicitation law. Your legal counsel can help you understand the line between what is allowed and what is not for your particular business.

It is important to note that while many states allow reasonable non-compete agreements, California does not-except when they are combined with a purchase of equity in a company. Therefore, it is particularly critical that businesses with employees in California to be careful not to engage in an unfair business practice by requiring employees to sign such an agreement, while at the same time, having effective non-solicitation policies and practices in place.

Note that the jurisdiction for non-solicitation agreements lies in the state where the employee works, not where the company’s headquarters are or where the database is stored. Multi-state operations need to consult with counsel to ensure that the agreement used does not violate laws in the state of the actual employment.

Six Steps to Protect Your Information

Give your database-protection efforts teeth by following these key guidelines:

Step One: Put Your Policy in Writing

You need a written policy establishing that information about customers, suppliers and employees is considered a trade secret of the company. Make sure every new hire receives a copy of this policy. While it is acceptable to give this to your employees as part of an employee handbook, it is better to present it with the initial employment package and have it signed by the new hire.

Step Two: Ensure That Every New Hire Signs

Absolutely everyone should sign a non-solicitation agreement, from management to grill staff. The college student attending your drive-thru could move quickly through the ranks and be off to start his or her own business before you realize it. If you don’t have a non-solicitation agreement in that young entrepreneur’s employment file, you’ll be left in the lurch when he or she takes off with your customer data.

It’s best to have employees sign an agreement at the time of employment. They can sign later, but then you’ll have to compensate them in some way for giving up a legal right. This “additional consideration” could be a flat amount of money, a pay raise, an extra day off or something similar.

Step Three: Physically Protect Your Data

If an employee cannot get to your data, he or she won’t have an opportunity to use it. Prevent unauthorized downloading of your proprietary customer information by disabling USB ports, CD drives or other means of physically transferring the data on computers in public access areas, including laptop computers. You can also protect access at the software level.

Step Four: Limit Employee Access to Necessary Customer Information

If your business uses swipe cards or similar devices, make sure the information that shows up on the register screen is only as detailed as what your employee needs to provide the proper customer service. For instance, if the customer’s address and telephone number aren’t necessary to complete a transaction, don’t display it.

If you want to take security a step further, you can direct customers to a dedicated website to change their street address, e-mail address, telephone number, and so forth, rather than giving your employees the capability to change that information.

Step Five: Keep Your Eyes Open

Even with all these security precautions in place, you need to monitor your employees’ interactions with proprietary information to make sure the system remains secure. Remember, technology is constantly changing, and what kept someone out of protected files last week may be easily foiled this week.

Step Six: Make Sure They Leave Your Valuables at the Door

When an employee leaves your company, conduct an exit interview and retrieve all proprietary information and documents in the employee’s possession.

When All Else Fails Ö

Even with all the above precautions in place, you may discover that a former employee is using your proprietary customer data. So what do you do?

Start by immediately contacting your legal counsel. You have two options going forward. One is to simply let it go. Sometimes this is the best choice, especially if you’re going to have to put your customers into the middle of a lawsuit by asking them to confirm that your former employee has contacted them. But if you “let it go” once, you will probably be prevented from later claiming that the information is protected in any action against future offenders.

The second option is to commence litigation. This process begins with a cease and desist letter, including a demand for the former employee to surrender all of your company’s database information in his or her possession within 24 hours. Unfortunately, these demands are typically ignored.

The next step, if necessary, is to file a lawsuit seeking a temporary restraining order against use of the information. The suit will also seek a preliminary injunction, which protects your data during the 12-18 months it takes to get to trial. Preliminary injunctions are usually the end of the battle, because the data will more than likely not be useful to the former employee a year to a year and a half later. From there, your attorney will guide you through the rest of the litigation process.

Although it may seem like a lot of work to establish and enforce information protection measures, it really is a small investment when you compare it with the value of all your proprietary customer data. It’s worth the effort and the time to keep what’s yours, yours.

Posted in: Articles

Leave a response