General Practice, Solo & Small Firm DivisionMagazine
Volume 17, Number 3
DON'T LET YOUR FIRM'S PROPRIETARY INFORMATION WALK OUT THE DOOR
BY SAMUEL LEWIS
I was at a party recently when an acquaintance, Steve, who owns a computer training and consulting business, struck up a conversation.
"I need a little advice," he said, looking rather depressed.
"What's the problem?" I asked. "Why so down?"
"Well, the problems started a few weeks ago when one of my consultants left. Almost immediately, I discovered that he was contacting all of my clients. Clients-some of whom are longtime friends-started calling me to let me know that they'd heard from my former employee soliciting their business. You can imagine how upset I was when I figured out that this consultant was running through my contacts list alphabetically. He must have copied the centralized contacts list off the company computer system and taken it with him."
It was about then that Robert, a real estate partner with the small law firm across the hall from mine, walked over. "What's wrong, Steve? The computer business not what it's cracked up to be?" Steve glared at Robert, and I asked Steve to continue.
"I thought that contacting my clients, running through my company's contacts, was bad enough. That was just the beginning. I began to suspect that the consultant had been preparing this move for quite some time. I mean, it just didn't make sense that this guy could run out and in the course of about a day have a company ready to go, and start selling software specifically designed for my clients. If nothing else, it would take time for him to begin developing the software. I'm not saying it would take months to put together the software-which it might, depending upon how involved the software is-but it certainly would take more than a few days. The guy started selling software to my clients the day after I fired him."
Robert butted in again. "Can't stand a little competition?"
"Competition I don't mind," Steve quickly replied. "But this is worse. In addition to using my client contact list, it appears he used my company's computers to develop the software he's selling my customers. Yesterday, my system administrator pointed out that the consultant had installed programming software on the notebook computer he had used while he was an employee. The system administrator also discovered files relating to the software being sold to my clients. I hired the consultant to write instructional materials for my clients, not to develop software he could sell to them." Steve paused for a moment, took a sip of his drink, and continued. "To add insult to injury, I contacted the consultant and demanded that he provide me with his password so that I could open the e-mail still stored on the computer he used. We're talking about e-mail sent through his account on our company's e-mail system, not his personal e-mail account. He refused, saying that the e-mail contained on the computer was of a personal nature. He also threatened to sue me and my company for invasion of privacy if I opened the e-mail. Now I'm not sure what to do."
"At least I don't have to worry about problems like that in my firm," said Robert.
Steve could hardly contain himself. "You're crazy," he said. "I know you've had quite a few associates come and go in the last two years. Now that I think about it, you've also had your fair share of secretaries and paralegals. Do you have any clue what they've copied off your computer system? Do you know what they do when you're not watching?"
Robert turned to me. "He may have a point, but what can I do? I mean, I can't very well tell my associates how they can use the computer, or my secretary that she can't send and receive personal e-mail, can I?"Reality and the Revolving Door
As any practitioner can tell you, we live in cynical times. Sadly, the days of putting in five or ten years of service at a firm and eventually being rewarded with partnership are gone, replaced by the proverbial "revolving door." At times, the revolving door seems to be spinning out of control, and nobody-partner, associate, paralegal, or secretary-is immune to its dizzying effects. As we grow accustomed to this new mobility, we also must begin to wrestle with a myriad of legal issues. Although we may be conscious of certain issues-health insurance, retirement and profit sharing plans, severance pay-there are less conspicuous issues that sooner or later will confront nearly all businesses, including law firms.
Without a doubt, the Internet and the increasingly ubiquitous computer have changed the way we work, play, and even define our existence. Computers have become so common in the practice of law that there is one on nearly every lawyer's desk, and even the smallest of firms have Internet and e-mail access for lawyers and secretaries. The advantages of living in a connected world are clear: We can work and communicate more efficiently (at least that's the theory; try to ignore the fact that you found your secretary or associate playing "elf bowling" or some other game du jour downloaded from the Internet or received via e-mail). The simple truth is that law firms today could hardly function without these devices, even considering the diversions they bring.
In the rush to get connected, very few firms (and your clients are no different) considered putting together formal technology policies. Even if your firm has an employee handbook or policy manual, chances are good that the handbook is silent when it comes to technology issues. If your firm falls into this category, let me suggest that it's time to rethink whether you need a technology policy (and if right now you're saying to yourself, "My firm isn't big enough to justify the formality," then you probably need one more than you know).
Any formal technology policy should cover three basic issues: privacy of employee communications, ownership of intellectual property, and maintenance of trade secrets. Including these issues in formal technology policies can help avoid headaches when employees leave. Fail to address these issues and eventually you'll be facing headaches similar to those outlined above.The E-mail You Send May Not Be Your Own
According to a recent New York Times report, 45 percent of employers admitted that they monitor employees' phone calls, computer files, or e-mail messages. It is also increasingly common to find corporations imposing strict rules on how and when an employee may browse the Internet (and the penalty for violating these rules may be termination). Lawyers are not immune to such measures; some law firms have started monitoring their lawyers' e-mail. Given these trends, it's no wonder this is the most hotly litigated subject matter to be included in a formal technology policy.
In general, e-mail is protected by a variety of state and federal statutes-most notably the Federal Electronic Communications Protections Act (ECPA)-that impose criminal sanctions for interception of e-mail. While these protections exist for our personal communications-just as they do for telephone calls made from our own homes-the rules are a little different when it comes to e-mail sent from the workplace. It is still possible that the same statutes may apply in the workplace, but many courts subscribe to the view that e-mail, and everything else on the employer's computer, belongs to the employer.
In the few reported cases relating to monitoring or interception of an employee's e-mail, courts generally have been willing to disregard an employee's right to privacy in e-mail sent from the workplace or via an employer's e-mail system. In one of the first reported invasion of privacy cases relating to e-mail, the Eastern District of Pennsylvania held that there was no "reasonable expectation of privacy in e-mail communications voluntarily made by an employee to his supervisor over the company e-mail system notwithstanding any assurance that such communications would not be intercepted by management" (Smyth v. Pillsbury Company, 914 F. Supp. 97, 101 (E.D. Penn. 1996)).
The Smyth court went even further, holding that if the court had found that the employee had a reasonable expectation of privacy given the circumstances, it would not consider the interception of these communications to be a "substantial and highly offensive invasion of [the employee's] privacy." While Smyth's precedential value has not been directly challenged, its lack of reasoned analysis has resulted in much criticism from academics and practitioners alike. However, even relatively well-reasoned opinions have given little value to an employee's right of privacy in e-mail sent via the employer's e-mail system (see Andersen Consulting v. UOP, 991 F. Supp. 1041 (N.D. Ill. 1998)).
Before you conclude that you can read your employees' e-mail without adverse consequences, think again. The determination of whether an employee has a right to privacy in e-mail turns, in large part, upon whether the employee has a reasonable expectation of privacy in the e-mail at issue. Many factors are taken into consideration in determining whether a reasonable expectation exists. For example, does allowing an employee to safeguard his or her e-mail with a password provide the employee with a reasonable expectation of privacy? An appeals court in Texas has answered the question with a no, holding that the e-mail contained in the company computers were "merely an inherent part of the office environment" (McLaren v. Microsoft Corporation, 1999 WL 339015 (Tex. App. Dallas) (unpublished)).
In an effort to clarify an employee's rights in e-mail communications and computer documents, several states have considered legislation. This fall, California's legislature passed a bill (SB 1016) that would prohibit an employer from secretly monitoring e-mail or "other personal computer records generated by an employee" and would create criminal sanctions for employers who violated the proposed law. The proposed legislation also required that an employer who engages in monitoring prepare and present a written policy to all employees, and obtain signatures from the employees indicating that they have been advised of the policy. The California legislation was vetoed by the governor, but it seems likely that similar legislation will be passed at some point in the not-too-distant future.
Even in the absence of such legislation, inclusion of rules relating to e-mail in a formal technology policy may serve as the employer's "get-out-of-jail-free card." One court has already ruled that by having an employee sign a formal technology policy indicating that e-mail was to be used only for work-related purposes and that all e-mail was subject to review by individuals other than the recipient, an employer did not violate the employee's privacy rights by reading the employee's personal e-mail sent over the company e-mail system (see Bourke v. Nissan Motor Corp., No. B068705 (Cal. Ct. App., July 26, 1993)). At the very least, inclusion of rules relating to e-mail in a formal technology policy may help limit an employee's claims for invasion of privacy when an employer finds it necessary to review an employee's e-mail.Who Owns the Novel on the Disk?
As lawyers, we tend to take for granted the ease with which documents are created and stored on our computers, either by ourselves or by our staff. Without question, the computer has taken most of the pain out of document creation. In many ways, computers have allowed lawyers to become more independent; to create their own documents without the necessity of dictating revision after revision. Now, it's a simple matter of sitting down at the computer, opening a document, and making changes. This new independence has given lawyers the ability to reduce overhead by reducing the lawyer's dependence upon a secretary.
The ability to create documents easily, however, has created problems in the workplace. Employees-including secretaries, paralegals, and lawyers-now have the ability to create personal documents. With this ability comes the question of who owns the documents. Unfortunately, there is no easy answer.
As with e-mail, privacy issues are involved. Thus, the circumstances of how and when the documents were created and stored must be considered. Giving an employee the ability to store documents in a private area-either on a server or on the hard disk of the computer used exclusively by the employee-or to protect documents with a password may give rise to a reasonable expectation of privacy. And if the employee has a reasonable expectation of privacy, any inspection of those personal documents without the employee's consent could amount to a violation of the employee's privacy rights.
Unlike e-mail, however, documents raise concerns beyond privacy. Let's say, for instance, that an associate in your office aspires to become the next John Grisham and spends time at the office writing the next best-selling novel about the practice of law. The associate created the novel while sitting in the office provided by the firm, with equipment and resources provided by the firm, with the expectation that the associate would render services to benefit the firm and its clients. Under these circumstances, who owns the rights to the novel? It may be necessary to determine ownership of intellectual property rights connected with the document stored on your firm's equipment.
Copyright law-which protects expression of ideas-provides no clear answers. Generally, a person who creates something like a novel-something considered to be protectable expression-is deemed to have rights in the novel from the moment of its creation. Thus, the associate may "own" the rights to the novel, as the associate created it. But the Copyright Act also contains a doctrine, known as the "work made for hire" doctrine, which creates an exception to the general rule that the creator owns the thing created. The doctrine generally requires that for a work to be a "work made for hire," the employee must create the work within the scope of his or her employment. Although the firm can argue that it "owns" the novel, it clearly faces an uphill fight convincing a court that writing novels somehow falls within the scope of the firm's employment.
Perhaps this is an extreme case. Chances are good that you'll never have an associate who writes a best-selling novel. And in most cases, the documents created by your staff will probably be of a more personal nature and not intended for public consumption. Still, the issues are the same. Your employees may own the documents they create that are not within the scope of their employment, even if they create them using your firm's equipment and resources. At the risk of stating the obvious, it is easier to determine whether something is a "work made for hire" when you and your employees agree beforehand that anything created will be considered as such.The Lawyer's Trade Secrets
Our computers hold much more than documents. They also contain information critical to our work. I know more than a few lawyers who jokingly suggest that their computers hold their entire lives. With the advent of personal information managers, docketing software, and the like, lawyers have started to manage the information critical to their practices-their calendars and their contacts or Rolodexes-with computers.
Although the question of ownership of this information is not as complex as with documents-at least the information is created or managed by your employees during the regular course of their employment-there is a twist. Copyright law generally provides no protection for information itself. Thus, your client list may not be deserving of protection under copyright law. This does not mean, however, that your client list is without value. Certainly, you would not be happy knowing that an associate or secretary had left your firm with a complete copy of your client list (which is easy enough to obtain by copying the information from the computer onto a disk). To the contrary, this may be the single greatest asset your firm has, and it is something that should be protected.
Many states-under a codification of the Uniform Trade Secrets Act-define trade secrets to include any information that derives actual or potential economic value from not being generally known to other persons who can obtain economic value from disclosure of the information, and that is subject to reasonable efforts to maintain its secrecy. Applying this definition, even your client contact list may be considered a trade secret. To protect your trade secrets, you should include provisions in your technology policy that make it clear that such information belongs to the firm, and that employees may not disclose the information to third parties. You also may include provisions preventing employees from taking copies of the information with them when they leave the firm.
Of course, it is impossible to keep track of your employees and their activities constantly. But inclusion in a formal technology policy of rules about how the firm's trade secrets can and should be handled may be just enough to provide protection. At the very least, such a policy may serve as evidence that reasonable efforts were made to protect the secrecy of the information.Samuel Lewis practices computer/Internet law and intellectual property law with the firm of Lucio Bronstein Garbett & Stiphany, P.A., in Miami, Florida. He is an adjunct professor of law at the Shepard Broad Law Center, Nova Southeastern University, Fort Lauderdale, Florida. He can be reached via e-mail at slewis@CompLaw.com.