Protecting the data jewels

In the casino industry, one of the most valuable assets is the dossier that casinos keep on their affluent customers, the high rollers. But last year, casino operator Harrah's Entertainment filed a lawsuit charging that a former employee had copied the records of up to 450 wealthy customers before leaving the company to work at competitor Thunder Valley Casino.

The complaint said the employee was seen printing the list -- which included names, contact information and credit and account histories -- from Harrah's database. It also alleged that he tried to lure those players to Thunder Valley. The employee denies the charge of stealing Harrah's trade secrets, and the case is still pending, but many similar cases have been filed in the past 20 years, legal experts say.

While savvy companies are using business intelligence and CRM systems to identify their most profitable customers, there's a genuine danger of that information falling into the wrong hands. Broader access to those applications and the trend toward employees switching jobs more frequently have made protecting customer lists an even greater priority.

Fortunately, there are managerial, legal and technological steps you can take to help prevent, or at least discourage, departing employees from walking out the door with this vital information.

Legal steps

For starters, organizations should make sure that certain employees, particularly those with frequent access to customer information, sign nondisclosure, noncompete and nonsolicitation agreements that specifically mention customer lists. Through these documents, employees "acknowledge that they will be introduced to this information and agree not to disclose it on departure from the company," says Suzanne Labrit, a partner at law firm Shutts & Bowen.

Although most states have enacted trade-secrets laws, Labrit says they have different attitudes about enforcing these laws with regard to customer lists. "But as a starting point, at least you have this understanding (with employees) that the customer information is being treated as confidential," Labrit says. Then, if an employee leaves to work for a competitor and uses this protected customer data, the employer will more likely be able to take legal action to stop the activity. "If you don't treat it as confidential information internally," she says, "the court will not treat it as confidential information, either."

It's also important to educate employees about the confidentiality of customer lists because many people wrongly assume they're public information, says Tim Headley, a partner at law firm Gardere Wynne Sewell. "Most people think they can take the lists with them," he says. "You have to show that you've kept it a secret and told employees it's a valuable secret. (Customer lists) are at the core of how you bring revenue into the company. These are the decision-makers who are willing to buy your product."

Headley recommends that managers inform employees about court cases involving stolen customer lists and occasionally warn them that the company will prosecute anyone who steals trade secrets. "Companies should have periodic lunchroom meetings just to remind people" about trade-secret policies, Headley says.

If a company suspects that an ex-employee who signed a nondisclosure agreement has given its customer data to a competitor, Labrit recommends taking quick action. That includes obtaining a temporary restraining order to prevent the employee from using the information. The main reason is for the employer to get relief, she says, but the move also sends a message to other employees that the activity won't be tolerated. "If you don't do it, the next time someone gets ready to go, they'll think they can get away with it," Labrit says.

Management moves

From a management and process standpoint, organizations should try to limit access to customer lists to only employees, such as sales representatives, who need the information to do their jobs. "If you make it broadly available to employees, then it's not considered confidential," says Labrit.

Physical security should also be considered, Labrit says. Visitors such as vendors shouldn't be permitted to roam free in the hallways or into conference rooms. And security policies, such as a requirement that all computer systems have strong password protection, should be strictly enforced.

Companies should instantly shut down access to computers and networks when employees leave, whether the reason is a layoff or a move to a new job. At the exit interview, the employee should be reminded of any signed agreements and corporate policies regarding customer lists and other confidential information. Employees should be told to turn over anything, including data, that belongs to the company.

In addition, employers should track the activities of employees who've given notice but will be around for a few weeks. This includes monitoring systems to see if the employee is e-mailing company-owned documents outside the company.

Some organizations rely on technology to help prevent the loss of customer lists and other critical data. Inflow, a provider of managed Web hosting services, uses a product from Opsware that lets managers control access to specific systems, such as databases, from a central location.

The company also uses an e-mail-scanning service that allows it to analyze messages that it suspects might contain proprietary files, says Lenny Monsour, general manager of application hosting and management. Inflow combines the use of this technology with practices such as monitoring employees who have access to data considered vital to the company.

A major financial services provider is using a firewall from Vontu that monitors outbound e-mail, Webmail, Web posts and instant messages to ensure that no confidential data leaves the company. The software includes search algorithms and can be customized to automatically detect specific types of data such as lists on a spreadsheet or even something as granular as a customer's Social Security number. The firm began using the product after it went through layoffs in 2000 and 2001.

"Losing customer information was a primary concern of ours," says the firm's chief information security officer, who asked to not be identified. "We were concerned about people leaving and sending e-mail to their home accounts." In fact, he says, before using the firewall, the company had trouble with departing employees taking intellectual property and using it in their new jobs at rival firms, which sometimes led to lawsuits.

Beyond its desire to protect competitive information, the financial services firm is bound by federal regulations to safeguard the integrity of certain types of information. "We're constantly (looking) for things that could be violating laws," the executive says. Still, he says, the firewall isn't a cure-all. The firm also uses noncompete and nondisclosure agreements as deterrents to stealing information.

Rising risk

Vijay Sonty, chief technology officer at advertising firm Foote Cone & Belding Worldwide, says losing customer information to competitors is a growing concern, particularly in industries where companies go after many of the same clients.

"We have a lot of account executives who are very close to the clients and have access to client lists," Sonty says. "If an account executive leaves to join a competitor, he can take all this confidential information." The widespread sharing of corporate data, such as customer contact information, has made it easier for people to do their jobs, but it has also increased the risk of losing confidential data, Sonty says.

He says the firm, which mandates that some employees sign noncompete agreements, is looking into policies and guidelines regarding the proper use of customer information, as well as audit trails to see who's accessing customer lists. "I think it makes good business sense to take precautions and steps to prevent this from happening," Sonty says. "We could lose a lot of money if key people leave."

Gray areas

Customer lists are a hotly contested area of trade-secret law, in part because emotions run high when an employee leaves to start a competing business and tries to steal the ex-employer's customers.

But that's not necessarily illegal, legal experts say, because customer lists aren't automatically considered a trade secret. Courts generally look at the following factors in determining whether a customer list is a trade secret:

-- Is it really secret? It's not a trade secret unless you've taken reasonable steps to keep it secret, such as marking it "confidential" and keeping it in a locked facility or in a password-protected computer system with access controlled on a need-to-know basis.

-- Is it really valuable? It's not a trade secret if you can easily collect the information from the telephone book or publicly available sources. The more effort or money the owner spends to develop the information -- and the more that information provides a competitive advantage -- the more likely it will be considered a trade secret.

So, a report identifying the company's most profitable customers -- extracted from a well-secured CRM system and marked "confidential" -- has a good chance of qualifying as a trade secret, legal experts say.

-- Mitch Betts

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about Betts GroupHarrah's EntertainmentOpsware

Show Comments
[]