2001: Protecting intellectual property

How monitoring the workforce can protect both the employer's property and the employee's livelihood
Written by Andrew Swinton, Contributor

In 2001, there were tens of thousands of layoffs in the tech industry, with companies like Marconi shedding 10,000 employees since January. When thousands of employees are laid off, the economics of the industry mean it happens fast, with few people thinking about what might be lost in the process.

However, there is a growing prospect of disgruntled employees deliberately stealing intellectual property (IP), damaging their former employers' reputations or, in extreme cases, attacking their previous employer's products.

For example, on 9 September, HP alleged that a departing employee sabotaged performance tests of HP's Superdome Unix server, crippling sales.

Such incidents aren't isolated, and Elizabeth Oberle-Robertson, counsel with law firm Jones Day, says firms need to take steps to protect themselves from staff they have laid off.

"You need to take time to manage your IP as with these layoffs," she says. "On a long-range basis you can make sure you have the right policies and practices in place on your ongoing employees. So when an employee joins the company you make sure the confidentiality agreement is signed. Make sure the employees are constantly monitored in terms of use of email. So as not to fall foul of privacy and Human Rights Act protections, also make sure that employees are constantly apprised of the importance of IP."

Cyberliberty advocate Yaman Akdeniz notes that under the Regulation of Investigatory Powers Act there are business practice regulations developed by the Department of Trade and Industry. The Act gives employers wide powers to intercept all forms of communication, including telephone and Internet communication. Akdeniz believes the monitoring of employees goes too far.

"I can understand that certain communications have the potential for abuse," he says. "Where a system is going to be hacked, for example, you need to monitor communication.

"When it comes to content of communication, there needs to be clear-cut regulation. The internal regulations need to be open and transparent, and you as an employee need to know what sort of practice is employed by your employer," he says.

Robertson stresses the importance of managing the layoff process to minimise the risk of an employee backlash. "In the UK things would have been slightly different concerning the HP case for example, because in a layoff situation there are obligations to consult employees and manage the process. In the UK such acts of sabotage would be against the employee's duty of good faith in their dealings which they owe to an employer and like in the US they can get sued for those actions."

She said that communicating with employees gives them a chance to vent their spleen, as well as to better understand why they are being laid off. The UK is ahead of the US in this aspect, Robertson believes; in the US there is no minimum period of employment, and workers can arrive at the office to find that they've been "pink slipped" -- that their jobs are simply over.

Even so, employers here need to be extremely cautious when cutting the jobs of people who may handle significant intellectual property, Robertson says: "That includes monitoring emails, it includes making sure that whilst a person is still an employee, going through their computer and deconstructing what they might have removed from your system."

She recommends that employees be monitored beginning when it is announced that there will likely be terminations. Most employers regularly monitor their employees' computer use during their employment and monitor how much time their employees use to do their Internet shopping, for example.

Experts insist that problems like the Norton Rose case in December 2000, where a law firm employee was caught forwarding an email containing sensitive personal details on a global scale, could have been avoided. The majority of firms now have email policies in place that can ensure similar email abuse is stopped.

The standard policy is that a company will permit reasonable use of the Internet by employees, restricted in the same way that reasonable use of the telephone is allowed: it cannot be used for any illegal activities, or for improper use that may damage the reputation of the employer.

A "tickler" system would typically monitor employees every 4 to 6 weeks, checking Internet traffic, email use and Web visiting patterns and looking for anything odd. The tickler is now considered a standard tool for HR and IT departments. Keyword tracking is also a monitoring tool.

Occasionally HR notices material that is inappropriate in a work context, and it is necessary to issue a warning of gross misconduct or, if necessary, sack the employee. So employers must have a policy in place that advises employees that they are being watched.

Yaman Akdeniz points to a draft code being developed by the Information Commissioner, which is more limited than the DTI regulations, focusing on monitoring employees for the prevention of hacking and other technical crimes. "When it comes to monitoring content of communications, they should be subject to data protection laws. Just because you are ill, for example, your employees can't monitor or open your emails unless you authorise them," Akdeniz says.

The top three 'employee exit crimes' are outlined by Robertson:

  • Taking confidential intellectual property with you as you leave employment. "One out of every three senior employees that leave will take confidential information. Your target there is your competitor. When people have exit interviews, they should be reminded of the obligation that they have returned everything that belongs to the company. Then if it becomes clear that material has been removed you have a breach of contract against an employee."
  • Causing sabotage to the existing employer. "This can come in two forms. One is damaging equipment, although that is on the whole very rare. More likely is removing stuff from files so that when the employee leaves it makes it more difficult to pick up the pieces of the project."
  • Badmouthing the former employer, going to the customers and ruining the effect of the goodwill. "This reflects badly on the person smearing their previous employer so is generally counterproductive."

Robertson points out that in the course of retrieving intellectual property, companies should avoid involving customers or other third parties. For example, a company might be alerted that a former employee has taken source code to a competitor when a customer decides to shift to a competing product; any action you take could backfire. "You would then be involving your customer in your dispute, which is never good business. What you tend to have is the customer doesn't want to deal with either the former employee or you anymore," Robertson says.

Equally, managers must avoid making their remaining employees feel like criminals through over-zealous monitoring -- an issue that has moved into the limelight since the events of 11 September.

Since September, employers in the private and public sectors have stepped up monitoring, but sometimes with the risk of creating a siege mentality. In Australia the government has been described as out of control and in a panic about terrorist acts. The chairman of Electronic Frontiers of Australia, Kim Heitman, told ZDNet Australia, "The threat of terrorism might pass but the threat to civil liberties will be set in concrete."
