Category: Privacy and Data Policy

Employee Non-Disclosure Agreements and Enforcement.


How Weak Are Employee “Nondisclosure Agreements”? The Answer May Make You Gag

Gregory W. McClune
We live in a world of “leaking” and threats of dire consequences for the leakers. Does an employer have the legal means to prevent disclosure of information acquired during employment? Likewise, can an employer seek legal redress for such disclosures?

In late 2016, the Virginia-based political journalism company, Politico, published an article revealing that the Trump Transition team had required all its “members” (presumably including its employees) to sign a “non-disclosure agreement” (NDA) “to make certain they keep all of their work confidential.” According to the article, such agreements were standard in the Trump organization. The article stated that the NDA prohibited an employee or volunteer from “disclosing info about major portions of the transition work, like policy briefings, personnel material, donor info, fundraising goals, budgets, contracts, or any draft research papers. It also demands that if anyone on the team suspects a colleague of leaking material, he or she must tell transition team leadership. And it gives the Trump team grounds to [fire] those who run afoul of the rules.” (A mandatory “snitch” clause?)

Would such an agreement be enforceable against an employee or volunteer? We will answer that question at the end of this article.

Drafting and enforcing NDAs requires considerable thought, care, continual maintenance and a skilled legal advisor. It is an area rife with risks and traps; and employers who believe they can “gag” their employees, by simply requiring them to sign a broadly worded agreement with heavy penalties, may be in for a rude shock.

The problems are many. First, this is an area that is primarily enforced by state law, and the states are far from uniform in viewing the enforceability of NDAs. Thus, a non-disclosure provision enforceable in one state may be struck down in another. Employers who operate in multiple states will have to ensure it is compliant with the laws of all those jurisdictions.

Most jurisdictions will decline to enforce an overbroad definition of “confidential information.” To that end, an Illinois court refused to enforce an NDA that sought to protect against the disclosure of information concerning “any methods and manners by which Employer leases, rents, sells, finances, or deals with its products and its customers.” (Trailer Leasing Co. v. Associates Commercial Corp., 1996 WL 392135, at *1 (N.D.Ill. July 10, 1996)).

Similarly, an employer’s attempt to seal an employee’s lips forever will find little sympathy in the courts. A Virginia court invalidated an NDA on two grounds. It found that the employer had attempted to preclude an employee from disclosing any information concerning the business of the employer to any person. Thus, the prohibition was “not narrowly tailored to protect the legitimate business interests” of the employer. The court explained that the provision was so overbroad that, as written, it prohibited the employee from telling a neighbor anything about the employer – including information that was not proprietary in nature or worthy of confidence – for the rest of her life. (Lasership, Inc. v. Belinda Watson and Midnite Air Corp., d/b/a Midnite Express, 79 Va. Cir. 205 (1979)).

Some state courts (e.g., Georgia, New York, and Illinois) may “blue pencil” a defective agreement; that is, excise the offending provisions and allow the remainder of the agreement to be enforced. But even if an employer finds itself in one of those jurisdictions, there is no guarantee the judge will undertake that exercise as he/she may find the offending portion key to the whole agreement and, therefore, strike the entire NDA.

Recently a court in North Carolina invalidated an NDA on a different basis that, if followed by other courts, could have far-reaching consequences. The court invalidated the entire NDA because there was no additional “consideration” (i.e. the employee gave up his/her rights but received no additional compensation or other item of value). (Roundpoint Mortgage Co. v. Florez, 2016 NCBC 17 (Feb. 18, 2016)).

There are yet other traps for the unwary. This year a federal appeals court struck down a “confidentiality agreement” that sought to preclude an employee from sharing “private employee information (such as salaries, disciplinary action, etc.)” because the restriction unlawfully impinged on the employees’ rights, under Section 7 of the National Labor Relations Act, to discuss such matters. (Banner Health System v. N.L.R.B., 2017 WL 1101104 (D.C. Cir. 2017)).

Finally, even if an employer crafts a compliant NDA it will lose its power to enforce the NDA if it is lax in the treatment of confidential information. A written agreement does not supplant the need for sound business practices which safeguard such secrets and prevent disclosure. Moreover, an employer will enhance its chance of enforcing an NDA by periodically reinforcing the need for confidentiality, conducting regular training on the proper handling of confidential information, etc.

So, back to the Trump transition team and its NDA; would that have been enforceable? We have not had access to the full agreement so we are not in a position to be definitive. However, we are mindful of that old story about a physician coming across a victim lying on a public sidewalk. When asked by a bystander in the gathering crowd how the victim was doing, the physician, after a brief examination, responded: “Well, only two of the wounds are fatal; the others aren’t so bad.”


By Holly J. Gregory* and Rebecca Grapsas*

Boards should consider assessing the effectiveness of their compliance programs now in light of the DOJ’s recent guidance on evaluating compliance programs — whether or not the company currently has any compliance issues.

Each company should, at a minimum, have a basic effective compliance program in place. A program that exists “on paper” but is not effective is not sufficient. As well as making good business sense for a range of reasons, having an effective compliance program can influence a federal prosecutor’s decision on whether to charge a company for the bad acts of its employees or officers and the extent to which the company may receive credit for cooperation in a settlement. Having an effective compliance program can also help mitigate penalties if corporate wrongdoing is found.

Oversight of a company’s “tone at the top” and its compliance program designed to establish and maintain that tone and detect problems is an important board responsibility. As fiduciaries, directors are required to assess the company’s compliance program in light of the legal and regulatory compliance framework and ensure that the company has appropriate compliance-related reporting and information systems and internal controls in place. It is a business judgment for the board to determine what compliance program best suits the company’s needs and the level of compliance risk it is willing to take.


The standard for effectiveness in compliance program design is set forth in Chapter 8 of the United States Federal Sentencing Guidelines, which provides that a company must:

Establish standards and procedures to prevent and detect criminal conduct

Ensure board oversight of the compliance program

Appoint a high-level individual (such as a chief compliance officer) who has overall responsibility for the compliance program

Exercise due diligence to exclude unethical individuals from positions of authority

Communicate information about the compliance program to employees and directors

Monitor the compliance program’s effectiveness

Promote and consistently enforce the compliance program

Respond to violations and make necessary modifications to the compliance program (US Sentencing Commission Guidelines Manual §§ 8B2.1(b), 8C2.5(f))

The Principles of Federal Prosecution of Business Organizations in the US Attorneys’ Manual provide that prosecutors should consider specific factors (known as the “Filip Factors”) in conducting corporate investigations, determining whether to bring charges and negotiating plea or other agreements. These factors include “the existence and effectiveness of the corporation’s pre-existing compliance program” and the corporation’s remedial efforts “to implement an effective corporate compliance program or to improve an existing one.” The Department of Justice (DOJ) emphasizes that critical factors in evaluating a compliance program are “whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives.” (US Attorneys’ Manual § 9-28.300, General Principle; § 9-28.800, Comment (2015)).

In February 2017, the Fraud Section of the DOJ issued a resource entitled Evaluation of Corporate Compliance Programs. The document provides more specific examples of how federal prosecutors will evaluate a company’s compliance program in the process of investigating and resolving an enforcement matter. The document emphasizes that “the Fraud Section does not use any rigid formula to assess the effectiveness of corporate compliance programs.” The document is the latest communication forming part of the Fraud Section’s Compliance Initiative, which began with the Fraud Section’s hiring of Hui Chen as full-time compliance counsel in November 2015.

The DOJ’s recent guidance for evaluating corporate compliance programs is also discussed in the most recent issue of Sidley’s Anti-Corruption Quarterly.

The document contains probing questions regarding the following eleven “sample” topics:

1. Analysis and remediation of underlying misconduct (including root cause analysis and prior indications)

2. Senior and middle management (including conduct at the top, shared commitment and oversight)

3. Autonomy and resources (including compliance function stature, experience, qualifications, empowerment, funding and outsourcing)

4. Policies and procedures (including design, applicability, gatekeepers, accessibility, operational integration, controls and vendor management)

5. Risk assessment (including methodology, information gathering and analysis, and manifested risks)

6. Training and communications (including form, content and effectiveness, communications about misconduct and availability of guidance)

7. Confidential reporting and investigation (including reporting mechanism effectiveness, investigation scope and response to investigations)

8. Incentives and disciplinary measures (including accountability, process and consistency)

9. Continuous improvement, periodic testing and review (including internal audit, control testing, interviews and evolving updates)

10. Third-party management (including risk-based and integrated processes, controls, relationship management and misconduct consequences)

11. Mergers and acquisitions (including due diligence process, integration in the M&A process and process connecting due diligence to implementation)

The questions are designed to look behind a company’s compliance program “on paper” and evaluate how the program has been implemented, updated and enforced in practice. Although some of the questions focus on the effectiveness of a company’s compliance program in the context of specific misconduct (for example, what caused the misconduct, whether there were prior indications of the misconduct and which controls failed), many of the questions focus on the compliance program more broadly, including, for example, whether compliance personnel report directly to the board, what methodology the company uses to identify, analyze and address the risks it faces, and how the company incentivizes compliance and ethical behavior.

Compliance program assessment is a key element of the board’s oversight of compliance programs. Boards should conduct such assessments periodically to identify areas for improvement in light of the company’s evolving risks and regulatory preferences with respect to compliance structures and practices. Periodic assessment of the compliance program, in a process overseen by the board or a board committee, helps ensure that the program continues to be “fit for the purpose” by identifying areas for improvement, while also creating evidence of the company’s commitment to compliance for use in any future regulatory enforcement actions. Assessments should be risk-based to reflect the company’s changing risk environment and to help ensure that limited compliance resources are prioritized to focus on the most significant risks.

The assessment criteria should be based on the elements of an effective compliance program as described in DOJ guidance discussed above, including specific guidance from regulators regarding the company’s industry. The assessment criteria should also reflect trends in settlement agreements, developing notions of recommended practices (both generally and within the company’s specific industry), and the practices of peer companies, to the extent that benchmarking data is available.

In conducting its assessment, the board should evaluate the following and consider how it would answer the specific questions set forth in the DOJ’s recent guidance:

■ The board’s level of oversight including availability of compliance expertise, private sessions with compliance personnel and information

■ Reporting lines and related structures

■ Experience, qualifications and performance of the chief compliance officer and compliance function

■ Compliance function responsibilities, budget and budget allocation (including employees, outside advisors and other resources), staff turnover rate and outsourcing

■ Written corporate policies and procedures regarding ethics and compliance (including legal and regulatory risks), and the process for designing, reviewing and evaluating the effectiveness of policies and procedures

■ Internal controls to reduce the likelihood of improper conduct and compliance violations

■ Ongoing monitoring, control testing and auditing processes to assess the effectiveness of the program and any improper conduct

■ Role of compliance in strategic and operational decisions

■ Key compliance risks, risk assessment processes and risk mitigation

■ Senior management conduct and commitment to compliance, and how the company monitors this

■ Communication efforts by the board, CEO, other senior executives, and middle management regarding expectations and tone

■ Education and training regarding compliance generally and the company’s program, policies and procedures at all levels

■ Understanding of corporate commitment to compliance at all levels

■ Awareness and use of mechanisms to seek guidance and/or to report possible compliance violations, and fear of retaliation

■ Specific problems that have arisen, why they arose and how they were identified and resolved

■ Investigation protocols and experiences

■ Performance incentives, accountability, disciplinary measures and enforcement

■ Remediation and efforts to apply lessons learned

The DOJ’s recent guidance should help boards determine the assessment process that is appropriate for the company, evaluate whether the company’s program continues to be effective and fit for purpose, and consider appropriate modifications to the program.

Sidley Perspectives | June 2017

*Holly J. Gregory is a partner in Sidley’s New York office and a co-leader of the firm’s global Corporate Governance and Executive Compensation practice. Rebecca Grapsas is counsel in Sidley’s Corporate Governance and Executive Compensation practice who works from both the firm’s New York and Sydney offices. The views expressed in this article are those of the authors and do not necessarily reflect the views of the firm.

NB: Privacy, Data and Cookies Policy, Protects Facebook from Litigation


Privacy Policy Rescues Facebook from Costly Litigation

From Michael Best & Friedrich.

We have all gone to a website and, in accessing the website’s services, have agreed to terms and conditions that include a litany of policies, including privacy policies governing how the company maintaining the website will use our information obtained while accessing the website. One such specific website that most, if not all, of us have used is Facebook. While we may not pay very close attention to privacy policies such as data and cookie policies, those policies explain that Facebook uses cookies or browser fingerprinting to identify users and track what third-party websites users browse. Such privacy policies serve an important function for any company, including Facebook, to help protect against potential liability for use of a consumer’s information. Indeed, Facebook’s privacy policy just carried the day in getting a case dismissed against it in which the Plaintiffs alleged a litany of causes of action against Facebook, including violation of the Computer Fraud and Abuse Act, California Invasion of Privacy Act, Health Insurance Portability and Accountability Act, and other common law claims.

In Smith v. Facebook, Inc., Case no. 16-cv-1282, the Northern District of California dismissed the claims against Facebook, with prejudice, based upon Facebook’s user agreement. There, the Plaintiffs argued that Facebook violated numerous federal and state statutes, as well as common law, by tracking and collecting its users’ web browsing activity, including sensitive information from various healthcare websites. In dismissing the case, the Court found that the Plaintiffs had consented to Facebook’s tracking and marketing activity when they agreed to Facebook’s “data policy” and “cookie policy” on opening a Facebook account. The Court further found that while the applicable policy provisions were broad, they were not vague and provided adequate notice of the tracking activity in which Facebook engaged. For example, a portion of Facebook’s “cookie policy” explained that “[t]hings like Cookies and similar technologies (such as information about your device or a pixel on a website) are used to understand and deliver ads, make them more relevant to you, and analyze products and services and the use of those products and services . . . we use cookies so we, or our affiliates and partners, can serve you ads that may be interesting to you on Facebook Services or other websites and mobile applications.” Simply put, Facebook’s privacy policy, which the Plaintiffs had agreed to when they signed up for Facebook, was adequately clear to permit Facebook to track and collect the Plaintiffs’ web browsing activity, including browsing of healthcare-related information. In so finding, the Court rejected the Plaintiffs’ arguments that the policies were buried and overbroad.

Facebook’s recent victory is a good reminder of the importance of having a thorough and clear privacy policy. Any company that collects or uses consumers’ information should aim to have a transparent and broad privacy policy to help guard against liability.

Albert Bianchi, Jr.

Michelle L. Dama