Ownership of contacts lists after employment has ended

PennWell Publishing (UK) Limited v Isles

Who owns a contacts list maintained by an employee in Outlook on the employer's computer system? In PennWell Publishing (UK) Limited v Isles, the High Court decided that the list belonged to the employer, despite the fact that it contained personal contacts and contacts that the employee had made before his employment had started.

Background
Mr Isles, a journalist, was employed as a publisher and conference chairman for PennWell. During his employment, he created and maintained a contacts list on PennWell's Outlook system, which included personal contacts, journalistic contacts and contacts that he had made before his employment started, as well as business contacts that he developed in his role with PennWell.

After Isles left PennWell to set up a competing business, it discovered that he had downloaded the entire Outlook contacts list from his work laptop.

Isles's contract stated that all documents used during employment belonged to the company and had to be returned before he left.

PennWell applied for an injunction for the return of the contacts list. Isles argued that most of the contacts on the list were personal to him.

Decision
The High Court had to decide whether the contacts list belonged exclusively to either PennWell or Isles or whether it was jointly owned by both.

The High Court said that where an address list is contained in Outlook or a similar software that is part of the employer's e-mail system and backed-up by the employer, the database or list belongs to the employer and may not be copied or removed in its entirety by employees for use outside or after employment. The High Court said that it would be "highly desirable" for employers to publish e-mail policies to communicate this to employees. While PennWell had an appropriate e-mail policy, the policy had not been effectively communicated to Isles and, therefore, PennWell was not entitled to rely on it.

Had Isles maintained his list of contacts as a separate, private address book, he would most likely have been entitled to that list. The court distinguished between contacts developed for the purposes of employment, where removal of contact information would be detrimental to the employer, and other contacts that an employee might keep for career purposes.

The court concluded that the list belonged to PennWell, but that Isles could copy from it his journalistic contacts and those made before his employment started.

Key implications

The confusion over ownership of the contacts lists that led to this case coming to court highlights the need for clear policies on ownership of contacts information. Employers should as a minimum:

Review e-mail policies to ensure they clearly identify what information is considered to belong to the employer, and confirm that it may not be removed or copied.
Communicate e-mail policies to all existing staff and bring these to the attention of new employees.
Ensure that confidentiality and return of property provisions in contracts cover contacts information and state what information will be protected/must be returned after employment.
Consider giving employees the option of a personal contacts folder to maintain contacts that are personal and/or those that pre-date employment.

Judith Harris, professional support lawyer, Addleshaw Goddard

HR : http://www.personneltoday.com

Companies Beef Up Tech Security

By Katherine Wegert From The Wall Street Journal Online
Jane Terry has done more than her fair share of email policing.

As president of California manufacturer Ajax Boiler Inc., Terry has on two occasions caught employees breaching network security. While testing a new company software system, she stumbled upon a staff member bringing a rival's proprietary information into Ajax's system. Terry spent $6,000 fixing that problem, and hundreds more when a senior manager at the 100-employee company hacked into the network of a former employer, with whom he was involved in a lawsuit.

"We found him reading the HR manager's email," said Ms. Terry. "He was involved in a lawsuit and was probably looking for information on it. It was unbelievable."

Both staff members would have escaped notice if it weren't for a recent upgrade to Ajax's security software. The product, made by SpectorSoft Corp., a Florida company, essentially records everything employees do on their computers: what Web sites they have visited, how long they looked at a site, what emails they have sent, and more.
Nowadays, the greatest risk to company security comes from within, security analysts say. In the past, the threat had been mostly from spammers and hackers. These new threats are prompting companies to take their security measures up a notch. Employers are increasingly relying on advanced software to protect their systems.
Indeed, experts see the market for such security systems growing to $2.8 billion by 2010 from $919 million in 2005.
Even well-meaning employees can cause data-security problems. According to the Privacy Rights Clearinghouse, earlier this year the personal information of 302 households -- including names, addresses, birthdays and family-income ranges -- were posted on a public Internet site several times over a five-month period when employees at the U.S. Census Bureau tested new software while working from home. Employees breaching another company's network -- as in Ms. Terry's case -- also put businesses on the defensive.
A 2005 survey by the ePolicy Institute and the American Management Association polled 526 companies about their monitoring practices: 76% said they monitor Web connections, up from 62% in 2001, and 55% said they also look at email, compared with 47% in 2001.
"Monitoring is becoming more prevalent now than it has been," said Gartner analyst Peter Firstbrook, adding that both the insider threat and compliance issues are driving the growth. "People sending things to themselves or stealing intellectual property is a real concern."
There will always be people who try to beat the system. That is why analysts say that it is important for businesses to keep up with what is new and pick technology that can monitor, filter, block access to inappropriate Web sites and purge emails and instant messaging systems.
"You want to monitor your existing technology, but you need to stay up on what's new, especially if you have a young work force," said Nancy Flynn, executive director of the ePolicy Institute.
Software supplier Clearswift, with about $50 million in revenue a year, sells products that monitor email and Internet connections. Some applications can detect credit-card and Social Security numbers in an email message, a spreadsheet or an attached Word document; others limit accessibility of certain documents to a specific number or group of people.
"We can help stop the outbound threat," said Alyn Hockey, director of product management at Clearswift. "The real key thing about our product is that we can actually create policy rules that let people do their job without making security an inhibitor. We can encrypt mail according to policy and have different roles and responsibilities for managing the system, such as [by limiting access to] business managers and compliance officers."
Websense Inc., with $179 million in annual revenue, has a leak-prevention suite of software that discovers, monitors and prevents sensitive data from leaking out of the organization, either accidentally or maliciously, through common platforms, including email, instant messages, Web mail and network printers.
As monitoring technology becomes increasingly sophisticated and widespread, some argue that employers should respect their workers' privacy.
"Businesses have their concerns, and they're legitimate," said Jeremy Gruber, legal director at the National Workrights Institute. "But what we need is regulation. We need to see companies balance their concerns with their employees' privacy."
Email your comments to cjeditor@dowjones.com.