Antonio Suarez-Martinez, litigation partner, Edwards Angell Palmer & Dodge
Opinion: Prevent confidential leaks as there may not be a cure
28 February 2011
20 January 2014
8 July 2013
20 June 2013
28 February 2014
6 January 2014
Following the media storm caused by the publication of thousands of US diplomatic cables, Wikileaks’ ’whistleblowing’ campaign appears to be focusing on private entities.
Founder Julian Assange has indicated that he intends to publish further explosive material that he says may even “take down a bank or two”. In addition, in a very public handover, Assange was provided with two discs of information, purportedly containing lists of internationally recognisable customers of Bank Julius Baer’s offshore services, many of whom, it is alleged, are tax evaders. With the banks and even the US government apparently helpless to stop leaks of their own confidential and classified documents, do private companies have any tools to prevent it?
The reality is that most leaks in general are the result of employees. Preventative measures are thus key. They include, if commercially sensible, putting secure systems in place that retain the confidential data with only limited access. Most businesses are also protected against such disclosure under laws against breach of confidence. But businesses should ensure that adequate non-disclosure and confidentiality clauses are contained in their employment contracts. This ensures with certainty that companies have the ability to obtain injunctive relief, such as delivery of confidential information, if required.
Once information has been published, disseminated and reported widely by the media, the English courts are reluctant to grant an injunction restraining publication. For example, in Mosley v News Group Newspapers Ltd (2008) the court felt an injunction would have no practical effect after the damaging material had been published on a newspaper’s website (this was also the rationale used for ultimately refusing an injunction against Wikileaks in the 2008 US action by Bank Julius Baer).
The only exception to this was in Barclays Bank Plc v Guardian News and Media Ltd (2009), where the court held that limited publication (in this case of a four-hour duration on the newspaper’s website) would not defeat the confidential nature of the information, and in such circumstances an injunction could be granted. Companies should also note that injunctive relief may also be unavailable if the information released relates to a criminal offence committed by the business, and so the person breaching confidence is effectively acting as a ’whistleblower’.
Wikileaks, for example, has set itself out to be an ’uncensorable’ website devoted to publicising information that it believes is in the public interest. Wikileaks achieves this by creating not just one website that can be taken down with a single injunction, but through dozens of ’mirror’ sites it has set up in separate jurisdictions, with the storage of information on a cloud server, which is accessible almost anywhere in the world using an internet connection, all of which makes obtaining an injunction against the whole network practically impossible.
In the circumstances, given the practical difficulties that a company may face in obtaining injunctive relief, a proactive rather than reactive approach is encouraged. Preventative measures should be put in place. Companies should coordinate and integrate privacy and information security policies with designated administrative and physical control governing access and transfer of information. They should also look at classifying information according to different types and levels of control and categorise information according to departments, so employees can only access information needed in their jobs.
Corporates should also ensure internal whistleblowing hotlines are clearly available, where employees can record their concerns anonymously, and which will be investigated at a senior level, all of which may encourage an employee not to look outside the company to voice their concerns. If these preventative measures do not work, then any business particularly at risk of exposure should also consider having in place a rapid response team of internal and external legal and PR experts to act quickly and decisively to either prevent publication or manage the fallout.