What to Do if Your Non-Disclosure is Breached
A non-disclosure agreement (NDA) is a common and effective legal tool for protecting confidential information. In fact, many Silicon Valley startups require their employees to sign confidentiality agreements or clauses before they begin their employment.
As an example, Sabeer Bhatia, the founder of Hotmail, required over 400 people, not only his employees but also his friends and roommates, to sign non-disclosure agreements. He claims that his efforts in protecting confidentiality helped his business keep a 6-month lead over his competitors.
Sabeer eventually reaped the financial results of his hard work by selling Hotmail to Microsoft for a reported $400 million in stock. You may or may not be a startup but let’s say that you’ve done the right thing and made it a requirement that all your employees sign a non-disclosure before they started employment with you.
But now one of them has breached your non-disclosure agreement. What do you do?
Any employer faces the risk of an employee breaching this kind of legal agreement.
Consider the case of Coady v. Harpo, Inc., 308 Ill.App.3d 153 (1st Dist. 1999).
A disgruntled ex-employee of the Oprah Winfrey television series threatened to report her experiences as an employee of the television series.
The ex-employee contended that although she had signed her agreement to a confidentiality policy that was meant to last ‘forever’, she was still entitled to exercise her rights of free speech and free press in revealing confidential information about her ex-employer.
Although the Illinois court stated that it was generally against restraints of trade, it found that the confidentiality requirements did not preclude the ex-employee from seeking employment elsewhere. She was only restricted from revealing confidential information about her ex-employer. The confidentiality obligation was therefore upheld.
How breaches can occur
An employee can breach a non-disclosure obligation over confidential information in many ways, including doing any of the following without authorization:
- Talking about your confidential information to another over a beer.
- Showing confidential documents, strategies, formulas, plans, recipes, designs, etc. to another.
- Publishing confidential information in an online article, blog or social media account.
- Revealing a prototype of your product to others when it is not meant to be launched yet.
- Exposing your secrets to a newspaper reporter, journalist or blogger who shares this information with the world through mass media (for example, Edward Snowden).
- A disgruntled employee stealing your confidential information and taking it with them when they leave.
- Conspiring with an external party and passing on your confidential information to them.
- Making photocopies of your confidential information and giving these to your competitors for personal or financial benefit.
- Using your confidential information to set up a competing business against you.
Remedies for breaches
Monetary damages (which can include larger exemplary damages and attorney’s fees under the new Defend Trade Secrets Act 2016 for stolen trade secrets) are usually provided for in this kind of agreement.
But unfortunately, unless you’re suing an unusually rich employee or a company which has conspired with your employee to appropriate your confidential information, the employee may not have enough money to pay the damages.
A more effective remedy may be to obtain an injunction to stop the employee from breaching your confidential information further or from ever being able to use your information.
There’s also nothing to stop you from taking employment-related measures such as disciplining the employee, requiring the employee to return all confidential information, barring him or her from further accessing any confidential information, and firing the employee.
What to do if your non-disclosure is breached
Step 1: Seek advice from an attorney
Turn your signed non-disclosure agreements over to your attorney. Your attorney can look over the facts and provide you with guidance on what needs to be done next. The attorney can also discuss damage control options to minimize the exposure of your confidential information and possible losses.
On top of this, your attorney can also give you a realistic idea of the options that you have open to you and what chances of success you have with each option.
For example, you may decide not to take the matter to court directly but to use arbitration instead.
If the confidential information that was exposed or stolen relates to trade secrets, you need to establish that you have taken reasonable security measures in protecting your confidential information (such as using passwords, keeping confidential information in a locked compartment, etc.).
You should also ensure that you have followed the terms of your non-disclosure agreement yourself, as demonstrated in the case of Convolve, Inc. and Massachusetts Institute of Technology v. Compaq Computer Corporation and Seagate Technology, LLC.
In this case, Convolve and MIT, who alleged that the non-disclosure agreement had been breached, were unable to prevail because they had not followed their own requirement as set in the signed agreement: that all confidential information be marked as “confidential”.
Step 2: Collect evidence
Once you suspect – or realize – that your confidential information has been stolen or exposed without authorization, you should start conducting investigations and preparing a trail of evidence that you can use to support your claim later.
The sooner you start collecting evidence, the easier it will be for you to prove your case and you also lessen the risk of any evidence being accidentally or purposefully erased.
Without good evidence, you risk an unsuccessful lawsuit in which you could be penalized for lack of evidence, which could mean having to pay the defendant’s attorney’s fees or being accused of defamation.
Often, it’s not easy for an employer to start snooping around employees’ files or computers without arousing suspicion (which could alert the employee responsible for the breach), so it may make more sense to hire an external investigator to do the investigation work for you secretly.
What has been stolen? As part of your investigation, you need to establish what has been stolen:
- Is it trade secrets?
- Is it a particular design?
- Is it a prototype?
Bearing in mind applicable privacy laws and your own company policy on access to your employee’s emails and files, you should investigate files and emails sent outside your company’s network and check to see if there are any documents that are physically missing.
If you believe that your confidential information has been shared or exposed to a competitor and used in their products or services, you can buy a copy of their product or service to see if you can reverse engineer or recognize your confidential information being used in these products and services.
Who is involved in the breach?
If your employee has published something publicly, it’ll be obvious that she/he has breached your confidential information.
If not, employees who have direct access to your confidential information should be investigated.
If you have a disgruntled employee who’s about to leave or has left your employment and has moved to a competitor, it’s understandable that you may suspect that this person has something to gain by stealing or exposing your confidential information.
However, your employee may not be the only one involved in the breach. It’s important that, while you are doing your investigation, other employees are not alerted to it, so as not to tip off a potential accomplice.
The breach may be a collaboration between several of your employees or a collaboration with an external party who seeks to gain from it.
If you’re unable to obtain direct evidence, you can also use circumstantial evidence, such as unusual activity on the employee’s part: for example, copying large amounts of confidential information without any reasonable explanation, or suddenly wanting to work late nights and weekends when it hasn’t been his or her habit to do so.
When you have sufficient evidence to point to the individual or individuals involved in the breach, you should note down current addresses and where confidential information might be stored.
This is especially important if you intend to apply for an ex parte seizure order under the Defend Trade Secrets Act 2016.
In addition to identifying the individuals or entities involved, you can also obtain financial information about these individuals to decide if it’s worth pursuing monetary damages against them.
How was the breach done?
Along with your collection of evidence of who was involved in the breach, you should also collect evidence on how the breach occurred:
- Was data taken out of secure electronic files?
- Were documents stolen or photocopied?
- Is the employee who breached your data having lunch consistently with a competitor?
Don’t forget that you should check email records, telephone records and computer usage.
If you have an IT person on hand, you can also retrieve records that have been deleted but are stored on a backup system.
Step 3: Determine the significance of the breach
If you decide to pursue your remedies in court, you’ll eventually have to prove the monetary value of your confidential information. This is necessary not only to determine the extent of any payable damages but also to establish the significance of the breach.
Monetary damages can be calculated by looking at profits that another has earned from using your confidential information or the profits that you lost due to the breach of non-disclosure agreement.
Your attorney will be able to provide you with assistance on how to work out the monetary value of your confidential information, especially if it’s intangible at the moment. The more evidence you can collect, the easier it will be for you to make your case.
Step 4: Review your procedures
While you’re doing your investigations, you may discover some gaps or loopholes that need to be improved to increase your security.
You should take this chance to examine what needs to change within your own internal procedures and policies. Also note if the clauses of your non-disclosure agreements need to be amended.
More effective internal procedures and policies could include:
- Clearly marking confidential information as such
- Ensuring that confidential information is separately stored from ordinary confidential information in a secure location
- Conducting an exit interview for disgruntled employees
- Increasing training for existing employees on how to look after confidential information
Other legal choices in case of breach
Any breach of your non-disclosure agreement is essentially a breach of contract.
Besides pursuing remedies for a breach of contract, you may have other legal options open to you including:
- Misappropriation of trade secrets if the confidential information qualifies as a trade secret under common law, the Uniform Trade Secrets Act (UTSA) or the new Defend Trade Secrets Act 2016
- Breach of patent or copyright if you have an existing patent or the confidential information qualifies for copyright
- Breach of fiduciary duty (normally applies to directors or executive officers)
It won’t be an easy journey once a breach of your confidential information occurs, but the better prepared you are, the less stressful it will be.
Credits: Icon Security Breach created by Saishraddha Malage from the Noun Project.