Fixing a Leak

There are lessons to be learned from the recent turmoil at Hewlett-Packard Co. But the lessons are not all clear or obvious.

To find out who was leaking confidential information from board meetings, H-P officials obtained personal phone records of several independent, outside H-P directors. The ensuing scandal has resulted in extensive press coverage, criminal investigations by a California prosecutor and the FBI, and an inquiry by a congressional committee.

What H-P set out to do – put a stop to serious breaches of confidentiality – seemed appropriate. But how it was done raises questions about how far a company can go in protecting confidential information.

Confidential is certainly an important concern for all business organizations. And companies have significant legal rights to protect against leaks of confidential information to people outside the company. As the H-P situation shows, however, there are limits to how those rights can be enforced.

Corporate employers have substantial rights to monitor, record, and review employee voice and data communications on company phone, Internet, and computer systems, And many companies exercise those rights, A recent survey by the American Management Association (mentioned in a September 11, 2006 article in the Wall Street Journal) revealed that over three-quarters of companies monitor internet usage, over half of companies store and review e-mails, and half of companies review computer files.

In attempting to stop a leak of confidential information, H-P officials were protecting an important corporate policy. But there were two things that were different than most corporate confidentiality investigations: the H-P case involved an independent outside director – not an employee; and it involved personal – not corporate – phone records. The first lessons learned in the H-P situation are that there are different rules for directors than for employees, and different rules when it comes to personal, outside-of-work activities. When directors are involved or personal activities are involved, companies should only act with prior legal advice and involvement.
And here are some other lessons and reminders:

Before monitoring phone, e-mail, or computer records or files, companies should adopt a written policy on electronic equipment use and electronic communication which clearly puts employees on notice that there is no expectation of privacy with respect to those records and that the company reserves the right to inspect those records at anytime with or without prior notice to employee.

The written policy on electronic equipment use and electronic communication should be communicated to each employee at the time of hire and periodically during employment

Even though policies on electronic equipment use and communications can be enforced, management should be careful about when and how the policies are enforced. The idea of privacy runs deep in the mind of the American public; and the psychology of the workplace can be damaged by overly stringent enforcement of computer and e-mail policies. Enforcement of the policies, however, must be uniform and consistent to avoid sending employees mixed messages regarding the company’s rights and expectations.

Companies must be careful to review any policies on whistle blowing to be sure that they do not conflict with policies on confidentiality.

Personal records – phone, computer, files, etc. – are almost always off limits. Any investigation that leads outside a company’s own computer and data systems should only be done with advice of competent outside legal counsel.
To the public, employees are often viewed as the underdog, and the company as the bad guy.

Negative publicity in the media is a bad thing for a company and can quickly snowball out of control Forgetting the ripple effect of bad public relations is a major mistake.
There are lessons in the H-P fiasco – ones that the H-P board and management are learning the hard way. One of the most important lessons is surely the most basic: when emotions run high and extreme actions are considered, think twice and three times – about the risks, about the ramifications, and about the public relations impact. And, when all else fails, a good does of common sense goes a long way.
 
This article is intended for general informational purposes only, and should not be construed as legal advice. Always contact your legal counsel for advice or answers to your questions.