In a sobering reminder that online social media is changing the way many companies do business in unforeseen ways, a federal court recently shot down an employer's trade secret claim based largely upon the availability of information via the internet.  In Sasqua Group, Inc. v. Courtney, a magistrate judge for the United States District Court for the Eastern District of New York held that although an employer's customer list may have been a trade secret years ago, "the exponential proliferation of information made available through full-blown use of the Internet [presents] a different story."  The district court subsequently adopted and approved the magistrate's lengthy and detailed opinion.

Sasqua Group is an executive search consulting firm specializing in the recruitment and placement of professionals for the financial services industry.  When it parted ways with a former recruiter named Lori Courtney, Sasqua sought an injunction to preclude Courtney from misappropriating its trade secrets.  According to Sasqua, Courtney had access to its customer database prior to her departure, and the database was the "lifeblood" of its business.  The database contained client contact information, individual candidate profiles, contact hiring preferences, employment backgrounds, descriptions of previous interactions with clients, resumes and other information.  From Sasqua's viewpoint, the database was highly proprietary.  Courtney had a different perspective, and the Court agreed.

Courtney testified that "virtually all personnel in the capital markets industry...have their contact information on Bloomberg, LinkedIn, Facebook or other publicly available databases."  During the hearing, Courtney was asked what she would do "if she had amnesia tomorrow, lost her blackberry" and "needed to identify" decision makers and prospective clients.  Her answer resonated with the court: she would use the internet and the vast amount of information available on it, which she claimed she could find through a five-minute search.  Courtney explained that she could start with LinkedIn "because people put their whole profile on LinkedIn."  She explained that if she wanted to find the decisionmaker at a particular company, she could simply enter the name of the company in the search box.  Seconds later, she would have a list of employees, their positions, current title, prior jobs, undergraduate school, dates of attendance, experience, objectives, and even contact information.  If she wanted more information, she could do a search on Google and she would have thousands of search results, many of which pointed to news stories recounting companies' hiring plans.  The court concluded that the information publicly available "exceeded the amount and level of detail contained in the Sasqua database."  The clients, their contact information, and other data was readily accessible.

Does this mean that employers seeking trade secret status for customer lists and related information should throw up their hands and surrender?  No.  This case presents a textbook example of what not to do if an employer regards its client information as confidential.  For starters, Sasqua did not require Courtney to sign a confidentiality or nonsolicitation agreement.  Nor did it take reasonable measures to protect the database in question.  Its computers were not password protected; all employees had free access to the database, including at work and remotely from home.  The database did not contain legends designating confidential information embedded within its pages to remind employees that the information was confidential.  The database was shared with potential business partners without restriction.  Firewalls and security software were not installed.  As the court stated, "Sasqua failed to take even basic steps to protect the secrecy of the information contained in its database."

The "takeaway" from this case is not that social media and the proliferation of information via the internet will undermine protection of customer lists and related information.  Rather, the lesson is that employers need to be vigorous in the efforts to keep their secrets secret.  A copy of the magistrate judge's opinion and the district court's confirmation is available in pdf format at the bottom of this post.  As always, please feel free to share your comments, thoughts and questions in the comment section below.

Sasqua Group Magistrate's Report & Recommendation.pdf (202.46 kb)

Sasqua Group Order Adopting Magistrate's R&R.pdf (11.84 kb)

A sales manager has signed a contract with his employer agreeing that client lists are confidential and agreeing not to solicit clients for a period of six months after the end of his employment.  Shortly after resigning to join a competitor, the sales manager updates his LinkedIn profile to reflect that he has changed jobs and is now working for the competitor.  The profile update is broadcasted by LinkedIn to the sales manager’s contacts, which includes dozens of the clients he serviced at his previous employer.  Has the sales manager breached his contract?  Arguments can be made on both sides.

The former employer will argue that its customer list is confidential and that the sales manager obtained his knowledge of the clients’ identities by virtue of his employment.  The employer will note that even novices on LinkedIn understand that the service will notify contacts of a user’s profile updates.  After all, why bother updating your profile if you don't intend to share this information with others? And many, though admittedly not all, courts have held that contacting former clients regarding a change in employment constitutes a solicitation.  See e.g., Merrill Lynch v. Schultz, 2001 WL 1681973, *3 (D.D.C. 2001) (noting that “such initiated, targeted contact is tantamount to solicitation because there is no reason to believe that a customer on the receiving end of such a [communication] does not assume that the [employee] wishes for him to transfer his account.”).

The sales manager will undoubtedly take a different view.  He will argue that he didn’t take any records or other information with him when he left, and that the identity of his former employer’s clients has always been publicly available to anyone who wanted to look at the sales manager’s LinkedIn contacts.  He will also note that he did not initiate contact with clients.  Rather, all he did was update his profile to reflect a change in employment and sat back providing clients – or anyone else for that matter – with the option to contact him.

So who is right?  As with any non-compete case, the answer may vary on a case by case basis and require a close examination of the contract language and the surrounding facts and circumstances.  A court is likely to ask the following questions (among others):  Does the contract specify that client information (such as client identities, names, addresses, and other contact information) is confidential?  Did the former employer actually treat such information as confidential?  What is the wording of the non-solicitation agreement? 

Because the enforceability of a restrictive covenant is highly discretionary in many states, employers who seek to preclude employees from contacting clients via LinkedIn may take steps ahead of time to eliminate any confusion.  Such steps may include any or all of the following:

1. Draft non-solicitation agreements that:

• expressly preclude employees from contacting clients to notify them of the employee’s change in employment;
• specify that communications made through an online social networking website such as LinkedIn, Facebook, etc. constitute a violation of the contract.

2.  Draft confidentiality agreements that:

• expressly define confidential information to include client identities and contact information;
• unambiguously state that confidential information may not be used or disclosed for any purpose other than on behalf of the employer, including through social media.

3. Include a social media paragraph in non-competes that specifically addresses the use of computers and social media.  The paragraph should state that:

• It is not intended to limit the scope of the confidentiality and non-solicitation covenants;
• Employees may only use the employer’s computer systems (e.g., computers, internet, servers, internal e-mail, external e-mail, World Wide Web access, etc.) for business purposes only.  Recognizing the rigid – perhaps impractical nature of this restriction – the agreement may provide that incidental personal use of computer systems is permitted, but state that such usage shall not violate the terms contained the confidentiality and non-solicitation provisions; 
• All e-mail and internet usage is subject to monitoring and that access to any website on the Internet must be for legitimate business only;
• The Employer may choose to block access to certain sites on the Internet at its discretion, and that available access to a site does not constitute approval to use or access that site by the employer.
• The employee is not permitted to have a webpage or website on the Internet for business purposes through a provider without prior written approval from the employer.  This includes social networking sites like Linked-In for business purposes.  The employee should agree that mentioning his or her affiliation or employment with the employer on these types of sites without prior written approval of the content by the employer is not permitted.  If the employee is permitted to connect with clients via LinkedIn, they should be required to set their settings so that other users cannot see their contacts. 
• The employee agrees that the use of text messages, e-mails, IM’s, and/or other communications via Blackberry or other wireless service/devices not routed through the employer’s systems is not permitted for business communications with Clients;
• The employee agrees that participation in chat rooms or other online forums for business purposes is not permitted, and that the employee will not direct Clients to chat rooms, blog sites, or other social networking sites which contain information prohibited by the employer or applicable regulatory authorities;
• The employee agrees that he or she will not discuss the employer, its business relationships, its managers and employees, its customers or its products/services in any chat room or other online forum without prior express written permission from the employer’s management;
• The employee agrees that the restrictions outlined above apply to his or her use of any computer (within or outside of the employer) for any business purpose.

In short, businesses that do not address social networking through their contracts and written policies may find that they have a critical security gap in the protection of their trade secrets and customer relationships. 

Michael R. Greco is a partner in the Employee Defection & Trade Secrets Practice Group at Fisher & Phillips LLP.  To receive notice of future blog posts either follow Michael R. Greco on Twitter or on LinkedIn or subscribe to this blog's RSS feed.

Any business that does not have a social networking policy or does not train its employees on the do’s and don’ts of social networking may have a critical security gap in the protection of its trade secrets, and its confidential and proprietary information and may be exposing itself unduly to harassment, hostile work environment, defamation and numerous other legal claims. Chances are that one-quarter to perhaps as much as one-half of your workforce (or more if your workforce is younger) are regular users of social networking websites.  And that number is likely to increase.

Social Networking -- the New Security Threat

The term “social networking” refers to the regular communication and publication on the internet of thoughts, ideas, activities, opinions and myriad other content on social networking sites, such as Facebook, MySpace, LinkedIn, Twitter, and YouTube, to name a few.  Most of these sites allow their users to post a personal profile which can contain a listing of the user’s education and work history, family, social and business relationships, activities and likes and dislikes.  LinkedIn is designed with the networking professional in mind and is tailored to business networking; whereas, Facebook, MySpace and Twitter are designed with a broader, more open freewheeling architecture that invites disclosure (and therein lies another part of the problem). These sites allow users to post status updates (in other words, whatever is on their mind) at anytime day or night from any computer with internet access or even from a cell phone, iPhone or Blackberry.  “Anytime” is a key word here.  A recent survey of 1,000 Americans by Retrevo, Inc. revealed that 48% of those polled admitted that they update Facebook or Twitter during the night or as soon as they wake up.   In addition, 19% of people under the age of 25 say they update Facebook or Twitter anytime they happen to wake up during the night compared to 11% over the age of 25.  Social networking also includes both personal and professional blogs, which now are so simple to use that a blog can be set up in a matter of a few minutes.

Careless employees can be just as damaging and just as dangerous as malicious ones.  In social settings, like social networks, people naturally gravitate to discussions about work.  The people who tweet about their haircut, the movie they just saw or what they had for dinner are also likely to tweet about coworkers, customers and the work they did that day.  Stories abound of inappropriate posts about coworkers and customers.  How often are employees observed “texting” below the table at a meeting?  One recent mobile Facebook post from a meeting tersely criticized a subordinate’s failure to comprehend and concluded that the employee “forgot to take her medication.” An employee’s “friends” or followers are also likely to extend well-beyond a small social circle. In addition to former high school and college friends, the list likely includes former colleagues, maybe ones who now work for competitors, or customers or other business relationships. It is not surprising then, according to a recent survey, that over 50% of employers believe they have a right to monitor employee postings on social networking websites.  On the other hand, 60% of employees surveyed believe their online activities are none of their employer’s business.  The inherent tension on this issue is obvious, but equally obvious is the need for a clear set of rules and expectations, particularly where your employees are regularly exposed or have access to confidential business information.

Social Networking Policies and Employee Training

The first two steps essential to reducing the security risks posed by employees engaged in  social networking are (1) having a detailed social networking policy, and (2) carefully training your employees.  It is essential to have a social networking policy that clearly establishes permitted and prohibited conduct at work and expected behavior online, regardless of whether the online conduct is for business or personal purposes.  Routine email, computer and confidentiality policies do not adequately address the risks presented.  Despite the dramatic increase in the use of social networking websites, in a survey done by the Wall Street Journal only 26% of employees said their employer had a policy regarding social networking.  An August 2009 study done of one industry found that 50% of employers reported not having a policy for employees’ online activity outside of work and only 10% reported having “a policy specifically addressing these types of social networking sites.”

Employee training is also essential if you want to meaningfully reduce your risks.  For many employees social networking online is a new phenomenon.  Many employees are not likely to instinctively appreciate the risks or intuitively understand the full scope of what is necessary to police their behavior in relation to their job.  For example a manager “friending” an employee is fraught with problems.  The employee may feel he or she has to say “yes” because to say “no” risks insulting the manager.  There is a risk that the casual “friendly” atmosphere cultivated by social networking sites may lead to inappropriately personal messages or what may be perceived as inappropriate, which could in turn create a hostile environment or otherwise encourage a harassment claim. It also gives the manager access to information that could provide the basis for a discrimination claim.

By the same token, an employer cannot issue a blanket decree prohibiting employees from using social networking sites on their own time without potentially running afoul of federal and state law.  Thus, proper training is imperative to protect the company and, in large part, to protect the employees from themselves.  Remember in almost all instances, the only online editor is the employee, who could be posting from the office or from any street corner or from any Starbucks at anytime.   Employees who understand the personal and professional risks of inappropriate activity will be much more likely to self-regulate their online behavior in an appropriate fashion.

A topic for another day are the myriad reasons for companies to take full advantage of social networking.  Many companies are already actively involved in most facets of online social media.  They recognize that social networking presents substantial opportunities for marketing, customer service, protecting brand name, keeping in frequent touch with customers, raising the company’s public and community profile and performing competitive research.  These opportunities simply underscore the need for a well thought out social networking strategy that incorporates policies and training that allow the company to reduce its risks and reap the rewards.