Skip to Content

The Top 10 Ways Companies Can Protect Their Confidential Information and Relationships When an Employee Joins a Competitor

Ellis Winters

Ellis & Winters

A long time ago, there was a beardless comedian named David Letterman.  He did a nightly show that you couldn’t stream, pause, or download.  And it always included a Top 10 list.

Through two recent decisions, you could say that the North Carolina Business Court has picked up Dave’s mantle of the Top 10 list, albeit far more professionally and subtly than Dave.  These decisions have provided a nice Top 10 list of steps that employers can take to better protect their confidential information. 

In this post, we will examine those two decisions.  We will start with Encompass Services, a case that we discussed last week in the context of the Computer Fraud & Abuse Act, the North Carolina computer trespass statute, and per se section 75-1.1 violations.  In Encompass Services, a former employee allegedly took confidential information to his new employer.  We will also look at Mechanical Systems & Services, Inc. v. Howard, another Business Court opinion involving a similar factual situation.  The court’s analysis in Mechanical Systems is particularly helpful for employers that are drafting (or re-drafting) restrictive covenants to protect their proprietary information and customer relationships.

We will walk through the lessons from each case in a bit, but any good punchline needs a good setup.  So we will start with the factual background of each case.

Encompass Services, PLLC v. Maser Consulting P.A.

Encompass Services provides land surveying services for oil and gas transmission pipelines.  It finds new business through confidential, competitive bidding.  To stay competitive, Encompass has compiled a library of confidential and proprietary documents developed over years to assist in building out the bids. 

Encompass took steps to protect the information, such as requiring employees to sign employment agreements that included a confidentiality provision and memorializing those requirements in the company’s handbook.

But Encompass had a few holes in its process.  Its employees did not receive company-issued cell phones or other external storage devices, so they used personal devices.  Encompass also had no policy restricting the use of personal storage devices.  The Business Court noted that this “inevitably” led to employees downloading and storing the company’s information on personal external storage devices or personal cell phones.

Christopher Hilsman, an Encompass employee, used a personal external storage device and a personal cell phone to access and store the Encompass data.  Over time, he built a “massive” repository of the company’s data on his personal devices.

Hilsman then accepted a job with a competitor.  He notified Encompass that he was resigning and provided his two weeks’ notice.  That same day, Encompass notified its vendor that Hilsman’s access should be revoked effective after the two-week notice period, but the vendor failed to implement this revocation until four months later.

When Hilsman joined the competitor, he brought his Encompass repository with him and continued to access the Encompass system because his access had not been deactivated.

Hilsman used Encompass’s information at his new job.  He based a bid for his new employer on an Encompass template, and he adjusted a project bid to undercut Encompass’s prices.

Encompass sued Hilsman and his new employer, including claims for misappropriation of trade secrets and violation of section 75-1.1 (along with a computer trespass claim that we previously discussed).

Encompass survived summary judgment on its misappropriation of trade secrets and section 75-1.1 claims.  But the Business Court cautioned that a jury might ultimately be troubled by the company’s failure to implement and properly enforce the confidentiality policies, particularly regarding the personal storage devices.

Mechanical Systems & Services, Inc. v. Howard

Mechanical Systems involved a similar fact pattern.  Mechanical Systems sued two former employees and their new employer, including claims for misappropriation of trade secrets, breach of non-solicitation agreements, and section 75-1.1 violations.

Mechanical Systems claimed that the former employees attempted to recruit its employees and solicited its customers in violation of a non-solicitation agreement.

The defendants moved to dismiss.  The Business Court allowed several of the claims to proceed, including the misappropriation claim and the related section 75-1.1 claim.

But the Business Court dismissed parts of the non-solicitation claims.  Continuing a trend that may worry employers (see other examples here and here), the Business Court held that the customer non-solicitation provision was overbroad and therefore unenforceable.

First, the employee’s duties at Mechanical Systems were limited to one area of the business, but the non-solicitation provision would bar him from approaching customers regarding any of the company’s business.  The non-solicitation provision did limit the scope of customers, such as customers with whom the employee directly worked or from which the employee gained confidential information through his employment.

Second, the non-solicitation provision defined “Company” to include “subsidiaries” and “all other affiliates.” This extended the prohibition to subsidiaries and affiliates with whom the employee did not necessarily have any relationship.

Finally, the company’s restriction applied in any geographic location where the company was located.  This broadened the reach of the provision far beyond where the employee worked.

The Punchline:  The Top 10 Things Employers Should Do To Protect Their Confidential Information

Encompass Services and Mechanical Systems provide several helpful pointers for employers to protect their confidential information and relationships.

  1. Offboarding process. Offboarding processes are a critical component of protecting confidential information.  Make sure that your organization has a strict offboarding process that includes retrieval of company assets, termination of network access, and a reminder of any ongoing restrictive covenant obligations.
  2. Onboarding process. As we saw in Encompass and Mechanical Systems, the new employers were sued by the former employers.  Employers should do everything possible to avoid ending up in a lawsuit brought by their new employees’ former employers.  Companies should have policies in place that prohibit the use of prior employers’ confidential information.  Onboarding employees should be aware of this policy and asked to sign an agreement to abide by the policy.  
  3. Personal storage devices. External storage devices are convenient, but they frequently lead to problems with confidential information.  When an employee who used personal storage devices leaves a company, the employee is often taking the company’s confidential data with them (either intentionally or unintentionally).  Similarly, when new employees are onboarded and are able to connect a personal external device, they may onboard a former employer’s confidential information.  Companies can prohibit the use of external storage devices and utilize software that prevents an employee from connecting external storage devices or thumb drives to company property to avoid receiving another company’s confidential information. 
  4. Bring-your-own-device policies. Many companies have shifted to a bring-your-own-device policy for cell phones rather than maintaining corporate devices.  The cost savings are the justification for the shift, but there is a corresponding loss of control over the employer’s confidential information when a company requires its employees to use their own devices to complete their work.
  5. Terminating departing employees’ access. It seems very basic, but companies frequently forget to deactivate employees’ building and server access.  Other times, as in Encompass, the company remembers but something goes wrong in implementing the deactivation.  This is a critical step to protect your data and to demonstrate to a court later that you were protecting your data.  Disable access as soon as employment ends (or even sooner—see No. 1).
  6. Paying out a two-week notice period. The two-week notice period can be a very valuable transition period to allow customers to learn a new contact and to allow an employee to learn the ropes of the departing employee’s position. It’s also a great time for the departing employee to lift all the information the employee believes may be helpful in the new position.  When an employee is going to work for a competitor, the employer should strongly consider paying out the two weeks and cutting access on the day that notice is received.
  7. Consider the protected parties in restrictive covenants. When drafting an agreement designed to protect confidential information, the tendency is to include every possible entity—subsidiaries, affiliates, successors, assigns, etc.—that might need protecting.  That tendency led Mechanical Systems to include all affiliates and subsidiaries.  But courts have invalidated provisions that include such broad language.
  8. Consider the scope of the restrictive covenants. Like with the definition of company, employers will often broaden the restrictive covenant to include all customers (actual, potential, and imaginary), all locations, and all products.  But courts have increasingly invalidated such clauses that restrict broadly without sufficient connection to the employee’s role, responsibilities, and territory.
  9. Review restrictive covenant obligations. The law continues to change (sometimes rapidly) in this area.  Companies can find themselves with limited protections if restrictive covenants have become outdated and may no longer be valid.
  10. Following policies and procedures in place. Make sure the policies and procedures are not platitudes.  Follow through on the requirements, both to protect confidential information and to be able to demonstrate to a court that the company has taken those steps consistently.

It turns out that this Top 10 list is considerably less funny than Letterman’s Top 10 lists, but hopefully these lessons provide some guidance to employers. 

For our next post, we will be dropping watermelons off the side of a building.


Author: Jeremy Falcone


November 9, 2021
Posted in  Per Se Violations Privacy and Data Security