The U.S. Supreme Court recently suffered an unprecedented breach of protocol when Politico published a leaked draft copy of one of the court’s opinions.
It is a potent reminder that even an institution with the strongest culture of confidentiality can suffer a catastrophic breach. Now, more than ever, companies require appropriate safeguards to protect their confidential information and protocols to ensure an effective response to any leak that might occur.
Preventing a Leak
When it comes to information security, a good offense is one of the best defenses. Companies that take proactive measures to protect, track, and secure their data will not only deter leaks, but will also be positioned to identify the source of any leak and contain the fallout.
Limit Access. Secure confidential or sensitive documents within the company. Limit access to those with a need to know. The fewer individuals with access, the less likely a leak will occur and the easier it will be to identify the source.
Track Access. For the most sensitive information, it’s not enough to simply restrict access. Companies need to log who accessed the information and when. By storing sensitive information on a virtual private network or document management system, a company can use log-in credentials to identify when an employee accessed particular documents. Some systems even permit tracking of when a document is opened and how long it remained open.
Control Access. Companies should also control what their employees can do with sensitive information that they are allowed to access. For the most highly confidential documents, companies might restrict an employee’s ability to download the document, print the document, or email the document outside the organization. Companies might also prohibit employees from accessing corporate systems and data from their own (non-company) computers and devices. Additionally, companies can block employees from logging into personal email accounts and messaging apps from work devices.
Of course, some of these restrictions can decrease efficiency. Others might lower morale or generate resentment at what employees perceive to be unnecessary restrictions. Companies will need to balance these competing interests as they develop appropriate policies for their business, given their industry and risk profile.
Create a Culture of Confidentiality. Developing shared understandings is essential. The Supreme Court leak reverberated through the legal community because, as any court-watcher knows, the court and those who work there are notoriously tight-lipped about its inner workings and deliberations. Confidentiality is practiced by both justices and those who work for the justices as an essential component of the court’s institutional work, allowing the court to speak exclusively through its written opinions.
Companies should strive for a similar culture of confidentiality. Employment agreements should impose confidentiality obligations. Employees should be required to certify their compliance with those obligations annually or at some other periodic interval. And employees should be trained on maintaining confidentiality.
Training should include information about the employees’ confidentiality obligations and emphasize the company’s requirements. It should also offer practical advice for protecting the company’s confidential information to minimize the likelihood of an unintentional leak or breach. Perhaps most importantly, in building that culture of confidentiality, companies should ensure employees understand that confidentiality advances the company’s mission and directly contributes to its success.
Mitigating the Damage of a Leak
When a leak does occur, companies must respond swiftly to identify its source, minimize further dissemination, and evaluate the scope of the breach.
Investigate. The first step should be a thorough and efficient internal investigation. Until the leaker is identified, anyone at the company should be considered a potential source. For that reason, only a small number of corporate employees should be involved in conducting, managing, and overseeing the investigation. If information about the investigation becomes widely known, the source may evade detection or otherwise undermine the investigation. Engaging outside counsel to investigate the leak may be preferable to relying on in-house lawyers.
Sequester the Confidential Information. A company must immediately work to mitigate the damage from the leak. It should seek assurances that further breaches of confidentiality will not result, and that the recipient of the information will not further disseminate or distribute the leaked information. Those assurances may be easier to obtain in some instances than in others.
Manage Public Relations. Depending on the nature of the information, a leak could result in significant public scrutiny of the company. The leak might be viewed as an embarrassing failure of competence. Worse still, it might reveal information about the company that portrays the company poorly or that generates a negative public reaction. In responding to a leak, a company cannot ignore the public relations component.
Consider Legal Action. A company that suffers a leak should also carefully consider its legal options. For example, a company might seek a court order prohibiting further use or dissemination of the information. A company may also be able to recover losses associated with the leak—particularly if it violated an employment agreement or involved the company’s trade secrets. Where the information is extremely sensitive or further dissemination may result in liability or business risk, a company should immediately assess the legal options available with outside counsel.
Institute Reforms. A leak investigation should not only identify the leaker, but it should also identify any systemic failures that permitted the leak. Investigators should evaluate where the company’s existing confidentiality protocols broke down and recommend changes that might prevent a similar leak in the future.
This article does not necessarily reflect the opinion of The Bureau of National Affairs, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.
Justin V. Shur is a partner at MoloLamken LLP in the firm’s Washington, D.C., and New York offices who focuses on white collar matters, internal investigations, and other litigation. He is experienced in conducting internal investigations into leaks of confidential information and representing plaintiffs pursuing trade-secret misappropriation claims, among other civil matters.
Eric R. Nitz is a partner at MoloLamken in Washington, D.C., who focuses on white collar matters, internal investigations, and other litigation. He is experienced in conducting internal investigations into leaks of confidential information and in representing plaintiffs pursuing trade-secret misappropriation claims, among other civil matters.
Walter Hawes is an associate at MoloLamken who focuses on complex civil litigation, regulatory investigations, white collar matters, and appeals.