Michael D. Moberly May 3, 2012
We can presume that a significant percentage of employees enjoy talking about their work and likely derive some satisfaction, albeit cathartic, from doing so. An array of online (social media) platforms is readily available through which people (employees) can converse about their work, oftentimes in substantial detail.
Most companies with even a modicum of understanding of the vulnerabilities and risks such open source conversations pose endeavor to mitigate those risks and sustain the proprietary nature, or trade secret status, of designated information assets through restrictive covenants included in employment contracts, i.e., non-disclosure and/or confidentiality agreements, or NDAs and CAs respectively. Exacerbating the open source social network posting phenomenon, of course, is how seasoned competitive analysts can derive actionable intelligence from these sources which, among other things, may reveal a company’s plans, intentions, and capabilities, i.e., projects, launches, etc.
Most NDAs and CAs I’ve seen, however, are brimming with a myriad of do’s, don’ts, procedures, and potential sanctions for those who breach the now mandated confidentiality. While I’m confident exceptions exist, I see few NDAs or CAs that address the all-important ‘why this information warrants protection’ question. I’m suggesting that including explanatory contractual language (in NDAs and CAs), directed to inquisitive twenty-somethings, about why certain company information must remain proprietary or secret should not be dismissed or overlooked. To be sure, however, I’m not referring here to categories of information and/or data that are already mandated to be kept free from breaches, i.e., HIPAA or similar regulatory mandates.
For a generation of ‘twenty-something’ employees who appear undaunted by regularly posting, on their preferred social media platforms, what preceding generations would characterize as personal, perhaps even private, information, answering the relatively simple question of why it’s important to safeguard particular (company held) information is, in my view, an overlooked and under-studied necessity.
Warranted or not, the proverbial twenty-somethings have earned a reputation as a primary source from which information breaches are likely to emanate. I am inclined to believe this, and thus favor including a realistic answer in NDAs and CAs to the ‘why this information warrants protection’ question. I am not suggesting the answer be framed as a discussion or an option, but rather as a straightforward answer. One very viable and understandable answer to that question lies in the economic fact that 65+% of most companies’ value, sources of revenue, and building blocks to achieve growth and sustainability evolve directly from intangible (mostly information-based) assets!
In other words, providing a sound (contractual-based) rationale for sustaining trade secrecy or its cousin, proprietary status, can, I believe, in many circumstances serve as an additional and probably equally effective risk management tool for safeguarding a company’s valuable and strategic information assets.
I recognize that I am hardly the first practitioner to raise or frame the issue in this manner. But I suspect that, in this social media era, assuming a twenty-something employee fully appreciates the connection between signing an NDA during their employee orientation process and the (real and contributory) value of that information, which in most instances they have yet to see, let alone access, is a fairly weak assumption.
I remain skeptical, therefore, that employees who seemingly find it both acceptable and desirable to post what heretofore have justifiably been private (life) matters on their social media platforms will become information asset protection (security) zealots overnight. But, let’s be clear, this post is not about characterizing all twenty-something employees as being naive and potential, or inevitable, sources of information breaches or leaks.
Esther Dyson, a renowned information technology consultant, once said on a related matter that ‘the trick (to information asset protection) may not lie in trying to control the number of copies, or even the ability to copy for that matter, rather it may have more to do with influencing a relationship with originators and users of information’. For the 90+% of new and existing employees who, studies assure us, will never become ‘information leakers’, I agree!