One challenge that keeps General Counsel and business owners up at night is data security. Without question, focusing on the technology side of the data security equation is important. Also important is proactively addressing a common source of data breaches … employees. A recent case involving an employee taking his employer’s confidential information on his way out the door — unfortunately not an unusual scenario — offers helpful lessons for employers trying to protect their data.
*The facts described in this post are summarized from a published court decision, Badger Daylighting Corp. v. Gary Palmer, Case No. 1:19-cv-02106-SEB-MJD (S.D. Ind. September 20, 2019) [accessible below]. Nothing in this post is intended to suggest whether the facts are true.
Badger Daylighting Corp. (Badger) provides non-destructive hydro-excavation services. Mr. Palmer worked for Badger for approximately seven years, the last 5½ as a Regional Manager. His Regional Manager duties included “managing and growing significant customer accounts; identifying opportunities for his sales team; maximizing his team’s performance on sales targets; teaching Area Managers how to identify opportunities and grow the business; developing and executing sales strategies; and forecasting, managing, and reporting sales activity.” In addition, he had responsibilities for management and recruitment, and he had extensive access to Badger’s confidential information.
When Badger promoted Mr. Palmer to Regional Manager, he signed a non-compete, non-solicit, and confidentiality agreement.
- The agreement, which restricted Mr. Palmer’s disclosure and use of confidential information, defined “confidential information” as:
Information which has been created, discovered, developed by or otherwise become known to [Badger]…which information has commercial value to [Badger], including but not limited to trade secrets, innovations, equipment designs, processes, computer codes, data, know how, improvements, discoveries, development, techniques, marketing plans, strategies, costs, customers, and client lists, or any information the Employee has reason to know [Badger] would like to treat as confidential for any purpose, such as maintaining a competitive advantage or avoiding undesired publicity, whether or not developed by the Employee.
- The confidentiality provision also provided:
Unless previously authorized … [u]pon termination of employment, the Employee shall return to [Badger] any and all property and records of [Badger] in his possession, at [Badger], at his personal residence or elsewhere…
- The agreement also contained non-compete provisions, which prohibited Mr. Palmer from, among others:
. . . (b) Within…Georgia, Florida, Tennessee, North Carolina, South Carolina, Alabama, Virginia, Mississippi, compete in any manner with [Badger], or own, manage, operate, control, be employed by, participate in, or be connected in any manner with the ownership, management, operation or control of any business which competes directly or indirectly with [Badger]; . . .
Mr. Palmer resigned from Badger to take a job as President of Southeast Connections, LLC’s (SEC) hydro-excavation services line, which SEC eventually spun off as Hydro Excavators, LLC (HydroX). When Mr. Palmer resigned from Badger, he would not say where he was going to work.
Shortly before announcing his resignation, Mr. Palmer downloaded more than 5000 documents from his Badger-provided computer onto a large external hard drive. The documents and data included “budgets; emergency response plans; employee contact information; customer contact information; contract pricing and bid information for specific customers; strategic plans; organizational charts; job descriptions; regional compensation planning information; financial reports and statements; employee training materials; business development planning materials and goals; master servant agreements and compiled lists of master servant agreements; equipment drawings; and employee salary information.”
In the course of litigation, Mr. Palmer did not disclose the existence of the hard drive containing the improperly-obtained data despite being asked questions aimed at eliciting such information. Badger conducted its own forensic investigation of Mr. Palmer’s Badger-provided computer and discovered the data that Mr. Palmer took without permission. Badger informed Mr. Palmer’s counsel of this development, who explained to the Court that Mr. Palmer’s failure to reveal the existence of the hard drive was simply due to it having “slipped his mind.”
Mr. Palmer accessed the hard drive containing Badger’s information after his employment with Badger ended. Further, two documents were located both on that hard drive and on Mr. Palmer’s SEC/HydroX computer, including an “Emergency Response Plan” that was virtually identical to the Badger Emergency Response Plan except for removal of the Badger name.
Court Ruling: Non-Compete Provisions
Badger claimed that Mr. Palmer’s employment with SEC/HydroX was a breach of his non-compete agreement with Badger. The Court decided not to issue an injunction on this basis, concluding that Badger was not reasonably likely to succeed on this claim. The Court concluded that, under Indiana law, the non-compete likely was too broad to be enforceable because it prohibited Mr. Palmer from working for a competitor in any capacity.
The Court’s discussion of the non-compete provides some helpful lessons.
- Courts applying Indiana law may not be inclined to enforce non-compete provisions that prohibit employees from working for competitors “in any manner” or “in any capacity,” or that contain similarly broad restrictions.
Court: “As noted by Mr. Palmer, numerous Indiana state and federal courts, including ours, have declined to enforce noncompete provisions such as Badger’s that prohibit employees from working for competitors ‘in any manner,’ deeming them overbroad.”
- Similarly, courts applying Indiana law may not be inclined to enforce non-compete provisions that prohibit employees from “competing in any manner” or working in “any competitive capacity.”
Court: “The question before us then becomes whether Badger’s proposed blue-penciling, which would limit Mr. Palmer from competing in any manner, as opposed to working in any manner, saves the provision. We do not believe that it does. On the spectrum of enforceability, this revision teeters precariously close to the unenforceable ‘working in any manner’ language and is significantly broader than language held to be enforceable by Indiana courts.”
- Courts applying Indiana law are inclined to analyze whether a non-compete agreement’s restrictions are limited to positions or services that are analogous to the position or services that the employee actually performed.
Court: “This principle—that non-compete provisions should limit their restraints to employees’ future employment involving positions or services analogous to those actually performed by the employee—is embodied in Indiana case law.”
Court Ruling: Breach of Confidentiality; Violation of Indiana Trade Secrets Law
The Court determined that Badger likely could prove that Mr. Palmer’s confidentiality agreement was enforceable and that Mr. Palmer breached it and also violated Indiana’s trade secrets law. The Court issued the following preliminary injunction:
Defendant Gary Palmer, his agents and all persons in active concert or participation with him who receive actual notice of this order, are hereby PRELIMINARILY ENJOINED until further order of this Court from possessing, using, or disclosing to others Badger’s confidential information or trade secrets.
Mr. Palmer is further enjoined from working at SEC or HydroX until he provides evidence in a proper verifiable form that he has either surrendered to Badger all the Badger documents he wrongfully took or that he no longer has access to or possession of Badger’s confidential information and trade secrets and that no third party to whom he may have distributed these materials continues to retain them in derogation of his requests that they be returned to Badger.
Lessons: Confidentiality Agreement; Trade Secrets
- A confidentiality agreement that states that “all business information and materials” are confidential is probably too broad to be enforced under Indiana law. Limiting the definition of confidential information to that which has commercial value, provides a competitive advantage, or using similar limitations likely will solve that problem.
- Confidentiality agreements do not necessarily have to be limited in geographical scope or in duration to be enforceable.
- It remains important for an employer to show the reasonable efforts that it took to protect the security of the data and other information that it claims is confidential.
- At the injunction stage, when a significant amount of documents are at issue, an employer does not necessarily have to prove that each individual document is a trade secret or contains confidential data.
Court: “[Mr. Palmer] criticizes Badger for not explaining how each of the individual 5000 documents qualifies as a trade secret or confidential information. We are unpersuaded by his criticism. Indiana courts have not placed such a burden of proof on plaintiffs, particularly at this stage of a litigation when they are tasked with expeditiously evaluating thousands of documents that an employee indisputably wrongfully took.
We are further unpersuaded by Mr. Palmer’s criticisms because he never disputes that at least some of the documents qualify as confidential information or trade secrets. If the documents were without any value, it is a mystery why Mr. Palmer was moved to steal them on his way out the door en route to his new position with SEC and why he subsequently provided evasive and obfuscating answers in his response to Badger in a transparent attempt to keep Badger from uncovering the nature and extent of his theft. We thus are satisfied that Badger has shown a reasonable likelihood of proving that at least some of the documents taken by Mr. Palmer qualify as trade secrets or confidential information.”
- Illegally taking and retaining an employer’s data and other property creates a risk of misappropriation sufficient to warrant an injunction, in some cases even if the employee returns such property.
Court: “We cannot accept Mr. Palmer’s belated assertion that his relinquishment of the hard drive eliminates any risk of misuse or misappropriation of the documents. Mr. Palmer’s persistent refusal to disclose, first, that he had actually taken the documents and, thereafter, to explain or confirm whether he saved them anywhere else or given them to a third party leaves us wary. His feigned naivety and cavalier assertion that no continuous risk of misappropriation exists is unconvincing. If true that his dead of night downloading of these documents had “slipped his mind,” surely he would have been reminded of his actions when at the time of his resignation his supervisor reiterated his obligations under the Agreement, or when Badger brought this lawsuit, or when he was asked pointedly in discovery interrogatories whether he had any access to Badger documents. Mr. Palmer’s apparent disingenuousness has not helped his cause in trying to convince us that he no longer retains any access to the documents. His repeated lack of candor has created a level of distrust that neither the Court nor Badger can wish away or ignore.”
- An employer does not have to prove that an employee actually used stolen data or other information in order to get an injunction.
Court: “Mr. Palmer has directed us to cases involving decisions not to enjoin defendants who did not use the documents and did not steal any documents from their former employers. [citations omitted]; [Dkt. 63, at 22]. He has ignored other cases where defendants’ bad behavior created a reasonable likelihood of plaintiffs’ success on the merits of their claims, even in the absence of evidence of actual use.”
- Taking an employer’s proprietary data may present an ongoing threat of potential or actual misappropriation, especially when the court cannot be certain that the employee no longer possesses the information in question. This threat may result in a restriction on the employee’s ability to work for a competitor even in the absence of an enforceable covenant not to compete.
Court: “Until we can be more confident than we are now, upon a proper evidentiary showing, that Mr. Palmer no longer possesses or has access to Badger’s confidential information and trade secrets, the harm Badger faces due to an actual or threatened misappropriation of these materials greatly outweighs any harm Mr. Palmer may suffer in not being able to work for SEC/HydroX during this period of uncertainty.”
- Consider limiting non-compete agreements to employees who are in a position to harm your business by competing. There is a trend toward banning such agreements as applied to certain individuals, if not altogether.
- If you can obtain sufficient protection with a narrowly drawn non-solicitation agreement rather than an agreement that prohibits work in a geographic area, consider the former. Agreements that do not effectively require a person to relocate in order to work may be viewed more favorably by prospects, employees, and courts.
- Keep in mind that the “law” of non-competes varies by state. Off-the-shelf agreements, or agreements used by another business, may prove to be of limited value when it is too late to do anything about it.
- A confidentiality policy in a handbook might not provide the protection you need, especially if your handbook, like so many, states that it is NOT a contract.
- Consider a confidentiality agreement carefully tailored to your specific situation. Such agreements provide a great opportunity to address not only use, transfer, and disclosure, but also how you wish to handle confidential information on employees’ personal devices and your expectations regarding the return of confidential information. As with non-competes, off-the shelf confidentiality agreements, or using another business’ agreement, can be of limited value if they are not drafted in compliance with applicable state law.
- Consider a written protocol/checklist for use when onboarding an employee and for use at termination. Include how you will address confidential information on employees’ personal devices.
- For more on data security and e-discovery, check out our Firm’s e-discovery blog.
(This post is not legal advice. Consider consulting with a lawyer about specific situations.)