When we think about trade secrets, we usually focus on keeping our own data safe. But an even bigger risk comes from hiring employees who can infect our systems with confidential information from a competitor. Companies often learn this the hard way. Boeing’s hiring several managers from Lockheed led to a $615 million fine and indictments of the individuals. Hilton poached two Starwood executives to create a competing hotel brand, but they came with thousands of documents and prompted a lawsuit that killed the project and cost $150 million to settle. Recently a similar situation at Zillow required a $130 million settlement.
Contamination also happens through lower level staff. In a survey by Symantec, over half of employees who left their jobs reported keeping data that belonged to their employers, and most of them planned to use it in their new positions. And perhaps most worrying, 68% of them said that their current employers take no action to protect against improper use of third party data.
Worrying but perhaps not surprising. As in other aspects of human behavior, denial plays a leading role here. Employees, anxious to please and “hit the ground running,” convince themselves that downloading a few files for “reference” isn’t wrong. And employers in competitive industries, happy to get access to experienced talent, often ignore the warning signs.
The bad news is that, left alone, third party data infection can gestate for many months or years while it worms through a company’s systems, projects and products, emerging to cause disruption and lawsuits, often long after the bad actors have moved on. The good news is that this is a risk that can be managed, and in the process you can also help prevent your own information from leaking outside the company.
In highly competitive industries with high labor mobility, recruiting poses a conundrum that many managers prefer not to dwell on. The best new employees come from the competition, because they’ve got “relevant experience.” But extending this logic increases the risk: the perfect hire is the one who comes with whatever it takes to solve our problems and leapfrog ahead: the one who has worked on an identical project or product and knows the competitor’s strong and weak points. Any company that projects ambivalence about these ethical risks is bound to attract individuals who are prepared to take risks too, increasing the chance of a trade secrets train wreck.
Proper management of the process begins with designing and advertising the recruitment. What will the announcement say about the job requirements? Ideally, the qualifications should be expressed in generic terms, avoiding anything that could be interpreted as trolling for a source of competitive data.
Of course, if the recruiting isn't entirely honest, and the company is interviewing the competitor's staff in order to find out what they're working on, that's a different kind of risk, layering fraudulent motives on an already tricky transaction. So establishing clear policies and providing appropriate training for the recruiters is critical.
Indeed, guidance and training are especially important for those who conduct the pre-employment interview. Guided by a checklist (see box for a sample), they should be motivated to learn only what is needed in order to assess the candidate's general knowledge and skill set, that part of their experience that they are entitled to take with them. This basic rule has to be communicated to the candidates as well, warning them that they are not to reveal sensitive information of any kind.
This should be confirmed with a brief acknowledgement like this one:
To: Widgets, Inc.I am applying for employment with Widgets, Inc. I assure you that:
Dated: ________________ Signed: _________________________
Occasionally you will want to bring on someone who has been a key performer for a competitor. Highly-placed managers in research and development or marketing are especially likely to cause serious concern when they change jobs. Even if they aren’t subject to a non-compete agreement or a post-employment invention assignment (both issues that require specialized advice), hiring them from a competitor can provoke a lawsuit based on the idea that the person knows so much, and the new job is so much like the previous one, that they can’t possibly do the new one without compromising the confidential information that they know. Whether or not a court might issue an injunction based on a threat of "inevitable disclosure" (a subject for another newsletter) is not the main point; merely provoking litigation is harmful enough.
So when you're dealing with one of these high-level hires, always get advice of experienced counsel in order to identify all the risks and potential mitigation strategies. In special cases you may also need to pay for an attorney for the candidate, to provide a buffer of independent advice on how to leave the current job "clean" and reduce the likelihood of a lawsuit.
You face a similar kind of heightened risk when trying to hire a group of employees from a competitor. The competitor’s speculation is easy to understand: with so many qualified individuals out there, the only reason for going after most or all of a team can be to cause damage, and perhaps also get access to an array of special knowledge that will allow your company to move into a new area or product line, implying an intent to steal trade secrets. This, the competitor will allege, is a “raid." Litigation is likely.
Here, we have to confront the same paradox represented by the “perfectly informed” individual hire who knows everything about what the competition is doing: the potential value is high but so are the risks. And those risks can be much higher with a group, not only because there are more people to make mistakes, but also because the competitor is more likely to feel injured and take aggressive action.
The most common source of a group hire is a current or former manager of the team. Consider someone you already employ who used to be a manager for one of your competitors. One day he or she announces a “great opportunity” to capture some extraordinary talent, a group of people who have let it be known that they are ready to consider leaving. The manager knows them all personally, can tell you who are the stars, what special projects they worked on, and even how much you might have to offer in order to get them to move.
This may in fact be an excellent opportunity, but it is filled with risk that has to be managed. The manager likely has special obligations not to use information about the candidates that was learned while leading them. Your first step normally should be to separate your current employee from the recruiting process. Then bring in legal counsel to make sure that you have protocols in place that reduce the worst risks and that cloak your discussions with a privilege against disclosure, in case there is a lawsuit.
Once these precautions have been taken, you can proceed with interviews, ensuring that the same sort of warnings are given and documents signed as would be required for a single individual. Throughout the process, you should communicate to all involved that the company has a strong policy of respecting the rights of others, that your interest is only in the candidates’ general skills, and that you insist that none of the competitor’s confidential information find its way into your organization.
The company’s culture of respect for others’ information rights should be reinforced during the orientation process. As with the pre-employment interview, your goal is to impress on new employees the importance of coming to the new position “clean.” They have to understand that there is no advantage – and there is considerable risk to them personally – in trying to prove themselves by bringing with them the work they did before.
The “on-boarding” process can be a real opportunity to reinforce the importance of the company’s policies and the confidence you have in the new employee’s ability to get the job done only with the skill and general knowledge that they have accumulated during their career. Be sure to go carefully through the various forms and contracts that have to be signed, and make sure that the new hire knows where to go to get answers or address any concerns about information security.
Hiring consultants and contractors poses more risk than regular employees. Because the relationship is short there is less loyalty built into it, and management needs to be tighter. Also, contractors have often been working recently for competitors, and consultants typically are doing that simultaneously. They bristle with current and potentially dangerous information. Required to do the best they can for you, they engage in mental gymnastics to keep all of their known data properly categorized and walled off.
As with other areas of information security, this is a problem of risk assessment and management. You need to protect yourself first with contracts that make it clear that you don’t want importation of anyone else’s confidential data, putting responsibility on the consultant to prevent that. But before entering into the arrangement at all, you should confront any potential conflicts of interest, forcing the consultant to consider and articulate exactly how your concerns will be met.