‘It sucks’: Meta CEO regrets employees leaking info from all-hands meeting

How can employers protect sensitive info while offering transparency? Lawyers outline legalities, best practices

Recently, Meta issued a stern warning to employees about leaking company information.

News outlets obtained copies of a memo issued by the chief information security officer (CISO), Guy Rosen, telling staff that the company would take appropriate action, "including termination," if it identified leakers.

"We recently terminated relationships with employees who leaked confidential company information inappropriately and exfiltrated sensitive documents," Rosen said, according to Fortune.

The memo came shortly after Meta CEO Mark Zuckerberg lamented leaks during an all-hands meeting.

"We try to be really open and then everything I say leaks. It sucks," he said in the meeting, which also leaked and was reported by various news outlets.

With many employers keen to provide employees with some transparency about their plans, strategy, outlook, and successes and failures, how can they avoid the huge risk of employees leaking confidential information?

Balance with transparency

It’s about balance, according to John Hyde, founding partner of Hyde HR Law in Toronto.

“You have to assume that [it could be shared], and you have to assume that there's always a distinct possibility somebody could disclose that information illegally or to a competitor.”

The bottom line? An employer should consider disclosing information to employees on a need-to-know basis, he says.

“If you don't need to know, then why disclose it? Number two… think about the information you're disclosing before you do it. If it became public, could that information hurt you? Could it hurt your brand?

“So, there has to be some employer responsibility too, in terms of what the message is.”

Communication is key, according to Tanya Walker, managing partner at Walker Law in Toronto.

“You have to explain the importance of having transparency: You want to have transparency in your company, it helps employees, it helps the company, and that helps everyone keep their jobs.

“And also explain that if the leaks lead to a lack of transparency, it won't help anyone at all.”

Workplace policies to combat leaks

It’s also crucial to have the right workplace policies that allow for greater transparency by outlining what’s allowed or not allowed when it comes to handling sensitive company information.

A policy is “an absolute must,” says Hyde, though he adds there is also a common law duty of loyalty, of good faith that goes back and forth in a relationship.

“And part of that includes the necessity, the loyalty to the company to keep matters confidential,” he says.

The workplace policy should be clear and outline the employees’ rights, obligations and penalties for breaching a confidentiality clause, says Walker.

“You should get your employees to sign off on it... just because you have it there doesn't mean that they read and understood it. I would even say go the extra step and provide training on a yearly basis, and have the employees sign off that they've understood that so they can't say they didn't.”

The employer should also consider the nature of the information when it comes to framing the issue, she says, citing as an example a leak of sensitive information by an employee at Ontario Power Generation.

“[That] leak was very extreme compared to a leak of Mark Zuckerberg answering questions for an audience. So, it's not just one answer fits all. You have to look at the type of information that you're trying to protect, and a client list for business may have different, appropriate policies compared to confidential information of the government agency that pertains to national security.”

Walker offered a list of some of the questions the workplace policy should cover:

  • What information does the employer want to protect?
  • How should employees protect that information?
  • What is an appropriate way to handle confidential information?
  • How will an investigation of breaches be handled?
  • What will happen if the employee acts contrary to the policy?

Seniority and confidentiality with policies

The employee’s position in a company can also make a difference for workplace policies. At the executive level, individuals are usually subject to written employment agreements that provide a multitude of clauses, says Hyde.

These can include a covenant with respect to confidentiality, non-solicitation and non-competition.

And the higher a person goes up, the more likely that they have fiduciary duties to the employer to act in good faith, he says.

“It is based on issues of the employer's reliance upon the individual... not only by a factor of the job function, but also in relation to the reliance on that person to keep confidential, important information, whether it be simply information as to how the employer operates, or information with regard to customers.”

Walker agrees that the employer should have a separate policy for someone who's in a fiduciary role — but there should also be safeguards in place for all levels of employees, such as restricted access to a shared drive.

“You have to make sure that it's on a need-to-know basis, because... it's just a huge risk, and it's very hard for employers in this province to really do something about it right away in terms of terminating someone. So… the onus is on the employer to protect itself.”

Does employee monitoring make sense?

An employer may also be tempted to monitor employee communications to ensure confidential information is not being shared externally. But that’s a tricky area.

“We have to keep in mind the Working for Workers Act, 2022… where Ontario employers with greater than 25 employees have to have a written policy on electronic monitoring and e-surveillance,” says Walker.

“And then also, if your workplace is unionized, you have to ensure that any monitoring activities adhere to the collective bargaining agreement.”

If there is monitoring, employees should be made aware of that before they start employment with the company so they can’t be caught off guard, she says.

And if you are a government employee, the Ontario courts have recognized that there’s a reasonable expectation of privacy for employees’ email and work devices, says Walker.

“The Supreme Court has also held that employees do have some form of constitutional protection, a reasonable expectation of privacy with regard to the personal information on a work computer — at least where the personal use of the computers is permitted or reasonably expected.”

But it’s probably not necessary for an employer to monitor every move or decision by an employee in the workplace, says Hyde.

“An employer may wish to, under the right circumstances, monitor information that's going out of its organization, via online or otherwise, but the fact remains that employees are bound to a legal obligation: It's a duty of confidentiality, it can be expressed in a contract or can be an implied duty,” he says.

There’s also the issue of privacy, he says, but “that information is not protected under an employee's rights of privacy — particularly if the intention is to disclose that information.”

Investigating potential leaks

When it comes to investigating a potential leak, that should be handled in the same way an investigation into other employee misconduct such as sexual harassment might be, says Walker, “where you have an independent party come in and interview relevant people, check the devices and provide a report on the next steps — or whether it happened… especially when you're dealing with common law, paying in lieu of notice and punitive damages, it's a worthwhile investment.”

Potential breaches should be investigated carefully while adhering to provincial employment standards and the Personal Information Protection and Electronic Documents Act (PIPEDA) which protects how private information is collected, used or disclosed in certain circumstances, she says.

“You have to be very careful with conducting investigations, because you don't want to overstep legal boundaries, make false allegations or violate employee privacy rights.”

Protecting whistleblowers

And the risks of false allegations and invasions of privacy could be a breach of the employees’ rights under the contract, a collective agreement with the union, statutory rights under the PIPEDA or even constitutional rights under the charter, says Walker.

“You also have to consider not making an employee feel that they're precluded from whistleblowing, because they're allowed to whistleblow.”

A big consideration for employers when it comes to potential leaks by employees is whistleblowers, says Hyde.

“A whistleblower, in essence, is one of those persons that is attempting to right a wrong because of inappropriate conduct by their employer. And, of course, the public and private sector have different requirements… as to whistleblower protections,” he says.

“The point is, really, what is the intent? Is the intent to address a wrongdoing, to expose illegal, fraudulent or corrupt activity? And if that's the case, then there are generally particular entities where an individual can go to and report this.”

For example, he says, the Ontario Securities Commission, the Canada Revenue Agency and Ontario government have certain whistleblower protections.

Understanding intent of leaks

If, after the policies and warnings and investigations, an employee is found to have leaked sensitive company information, what options does the employer have?

The response can vary, but, number one, it's a question of whether or not it was an intentional or non-intentional disclosure, says Hyde, and number two, whether or not the disclosure caused damages or had the “significant potential to cause damages to the employer,” he says.

“The breach of that duty of confidentiality, or contractual duty of confidentialities, is so important to the relationship that it adversely impacts the relationship on the go forward, uprooting it, if you will, and gives cause for termination of employment, and possibly damages.”

With the Ontario Power Generation case involving the Security of Information Act, for example, there was a finding that the employee gave away information which placed critical infrastructure at risk, says Hyde.

“You have to look at the intent, but at the same time, people cannot expose information recklessly, either. And again, in that particular place or situation, there were other options for the employee to consider rather than making information public.”

In 2023, an Ontario arbitrator upheld the firing of a college instructor who leaked diversity training materials to a media website.

Progressive discipline options

If an employee misuses confidential information to benefit themselves in some way, that's highly improper, says Walker, commenting on the issue of intent: “There's just different levels to it.”

But in Canada, we believe in progressive discipline, unless there’s been extreme misconduct, she says.

“That's really the process of, number one, you have a warning; number two, suspension and then [number three] termination,” she says, “which ... could be frustrating for the employer. But if it's just a lapse in judgment, it may not justify terminating someone from their job and work.”

As for just cause — meaning dismissal for leaking information, with no notice or pay — the employer must be prepared to show willful misconduct, disobedience or willful neglect of a duty, says Walker.

“That is not trivial, and you need a high level of deliberate misconduct. So, you need that evidence.”
