Whistleblowers, WikiLeaks and corporate confidence: how to protect your brand

With the recession biting infto Britain’s workforce, the number of disgruntled employees and ex-employees is ever-increasing, as are the means for them to vent their frustrations against their employers in public. This article examines how you can prepare yourself and what you can do to stem the leaks.

It is easier than ever to disseminate information on the web. Employees who have a grudge against their employers have more access than ever to a wider audience. You can disseminate commercially sensitive information on Wikileaks or an ever-growing list of trade leak sites; or via Twitter, blogs or consumer forums. Even the Wall Street Journal has got involved with their website ‘Sharehouse’, which aims to ‘uncover fraud, abuse and other wrongdoing’.

WHAT IS WIKILEAKS AND IS IT IMPENETRABLE?

The ascendancy of Julian Assange’s media star means WikiLeaks is no longer faceless, but it is still described as the world’s first stateless news organisation. While the exact contours of its legal and administrative structure are unknown, it is a semi-terroristic, hydra-like organisation, which gives it the appearance of being untouchable. For individuals, governments and corporations it can pose a tremendous risk.

The website allows different users to upload documents anonymously and a team of reviewers, many of whom are volunteers from organisations such as Guardian, Der Spiegel andTheNew York Times, decides what is published. The reviewers use cryptographic techniques to protect sources and host their servers in several jurisdictions including Sweden, Iceland and Belgium – countries that provide a degree of protection for freedom of expression, which appears to amount to legal immunity.

As well as famously attacking governmental institutions, WikiLeaks has carried out concerted and prolonged attacks on corporations, including:

  • exposing 205 companies owing above €45m to an international bank and exposing alleged mismanagement and debt claims made against it;
  • disclosing documents showing several alleged international tax avoidance schemes by the structured capital markets division of Barclays; and
  • whistleblower information on the insider trading programme at J.P. Morgan.

Such leaks have a drastic effect on reputation and a knock-on effect on share price. Even the mere threat of an online attack is enough. In a 2009 Computerworld interview, Assange claimed to be in possession of ‘5GB from Bank of America’. In 2010 he told Forbes magazine that WikiLeaks was planning another ‘megaleak’ early in 2011, from inside the private sector, involving ‘a big US bank’ and revealing an ‘ecosystem of corruption’. Bank of America’s stock price fell by 3% as a result of the announcement.

WHAT ARE YOUR OPTIONS IN DEALING WITH WIKILEAKS?

Commercial pressure does not seem to affect WikiLeaks. MasterCard, Visa and PayPal, as well as WikiLeaks’ Swiss bankers and Amazon, have all terminated agreements with the site, but were in turn targeted by pro-WikiLeaks hackers. Some servers bowed to governmental pressure and refused to host the site, but WikiLeaks survived on back-up servers in other countries that were activated if the primary site went down. There are mirrors of the site hosted on different servers around the world – WikiLeaks is currently mirrored on 1,010 different sites.

WikiLeaks claims to have fought off more than 100 legal challenges successfully and even winning an injunction against the site might do more harm than good.

This does not mean you are powerless against it – WikiLeaks is not the impenetrable fortress it first appears. However, you should weigh up the circumstances of each case to see whether legal recourse would do more harm than good, and you may be better served by a substantive PR and media campaign.

WHAT LEGAL TOOLS ARE AT YOUR DISPOSAL IN RELATION TO YOUR EMPLOYEES?

You have the right to protect your company’s confidential information from unlawful disclosure by disgruntled employees. Your company’s information will be protected by the law of confidence if it is:

  1. confidential in nature; and
  2. disclosed in circumstances importing an obligation of confidence.

This is wide enough to mean that your company has rights against the employee who picked up the information and the third party recipient.

The information must be inherently confidential rather than day-to-day trivia and it cannot be public knowledge (see Salman Engineering Co Ltd v Campbell Engineering Company Ltd[1948]). Confidential information can include:

  • technical know-how;
  • formulae or recipes not capable of being analysed in the final product;
  • processes;
  • business methods;
  • financial or statistical information;
  • customer lists;
  • plans, sketches and drawings;
  • improvements to products or processes; and
  • computer programmes.

The information has to be disclosed in circumstances importing the requisite obligation of confidence, which will occur if the obligation is:

  • implied due to a special relationship (such as employer and employee);
  • implied due to the circumstances of disclosure; or
  • imposed by contract.

The duty of confidence arises automatically in the case of employers and employees – every employee is under a duty to keep employer’s secrets (although this is qualified if you are dealing with ex-employees).

ONCE YOU HAVE ESTABLISHED THERE IS A DUTY OF CONFIDENCE, WHAT RIGHTS DO YOU HAVE?

Once received, the recipient of confidential information must:

  • keep that information confidential (unless otherwise authorised); and
  • use it only to the extent permitted.

There are certain defences to this general rule – such as disclosing for a subject of public interest, which includes disclosing unlawful behaviour to police or a relevant body – and there is regulatory protection for lawful whistleblowing.

So if you discover that an employee or third party has kept or used your confidential information unlawfully, or even just threatened to do so, you have several remedies open to you:

Injunctions and delivery of confidential information

You can apply to court to get an interim injunction or a final one to stop them from going to the press. The problem you may have is if the employee has already got the information published, although if publication has only been limited, it may not extinguish the confidentiality of the information. In Barclays Bank plc v Guardian News Media Ltd [2009], the relevant information was still held to be confidential after it had been published on the Guardian website for four hours. The court held that if it was the leak of confidential documents that was the basis for the journalism, it was not a disproportionate interference of the Article 12 rights to freedom of expression to restrain publication of the documents containing that information.

An account of profits/an inquiry into damages

If you are too late to stop publication of the information, you will be entitled either to damages for losses suffered as a result, or alternatively any profits that the employee or third party may have made.

Dismissal and post-termination restrictive covenants

It would be useful if the employee in question has confidentiality undertakings in their contract in which case you are likely to have clear evidence of breach. Otherwise the employee is likely to be in breach of their common law duty of confidence.

However, you should be mindful that employees are dismissed lawfully, otherwise you may find yourself on the wrong side of a claim for unfair and/or wrongful dismissal. You should also note that the dismissal of an employee for a ‘protected disclosure’ under the Public Interest Disclosure Act (PIDA) 1998 is automatically unfair (see box on p55).

YOU STILL HAVE REMEDIES EVEN IF YOU DON’T KNOW WHO IS ATTACKING YOU

  • You can obtain a ‘John Doe’ injunction against persons unknown. This was first ordered in a case for the author JK Rowling, where someone was trying to sell a copy of the Harry Potter book to The Sun but no-one knew who the person was. Keith Schilling established an important legal precedent by resurrecting the John Doe order, ‘last used in the 1850s in land evictions’. Once you obtain this order, as Keith Schilling explains: ‘We combined it with the principle established in the Spycatcher case that if you get an injunction against a particular person, anybody else who is on notice of it must not do any act which is inconsistent with it or they will find themselves in contempt of court.’1This is a helpful tool against third party press and internet service providers to stop them publishing information from an anonymous source such as a disgruntled employee.
  • If you are facing an anonymous blogger, you can get a ‘Norwich Pharmacal’ order to unmask them, and require them to disclose certain documents or information. You can then identify the relevant person or obtain further information pre-action, during the course of an action or post-judgment. This is helpful if you want to identify wrongdoers and the nature of the wrongdoing, trace assets and proprietary claims, obtain the source of leaked information or simply enable you to build your case.
  • Under the Civil Procedure Rules, you are entitled to apply for pre-action and third party disclosure of information.

PREVENTION IS BETTER THAN CURE

Rather than going down a costly legal route once information is leaked, it saves time and money ensuring that the proper protections are in place.

Audits

You should check the walls surrounding your confidential information for any cracks. Work out what confidential information you have in your company, where it is stored, who has access to it, and how is it used, and do a full risk analysis of possible risks of dissemination. You should also check that the correct whistleblowing policies are in place.

Confidentiality agreements
  1. Ensure all employees and workers have contracts that contain confidentiality agreements. You should also include confidentiality provisions in staff handbooks, separate collateral agreements and severance agreements.
  2. It is important that contracts are in place for every situation where you might be imparting information, such as dealing with investors, professional advisers or business associates. You should expressly state what information is to be kept secret, how long the duty lasts, and add limits on use and disclosure. The information will then be subject to clear contractual terms recognising its confidential nature.

Note that confidentiality provisions are void in so far as they attempt to preclude the making of a protected disclosure under PIDA 1998, and they cannot be breached if the information was disclosed when making a protected disclosure. You could attempt to carve out the making of protected disclosures from the provisions but this is problematic in that it might give the impression that the confidentiality rules are inapplicable, and the carve out may be difficult to define. To be safe, an ‘absolute’ provision may be best, and will still be valid even thought it will not prohibit the making of a protected disclosure.

Restricted access to confidential information

Ensure that information is only disseminated on a need-to-know basis. Limit copies of confidential documents and restrict access. Mark documents as ‘confidential’ and employ a policy of restricted access to areas where processes and developments are made.

Whistleblowing procedures post-PIDA 1998

Ensure that you employ formal policies and procedures on whistleblowing. If anything, this conveys the message that you are concerned about malpractice, take your employee’s concerns seriously and are prepared to take actions. Cynically speaking, if this message comes across, it is also unlikely that disclosure to anyone other than your company as employer will be necessary or appropriate (or protected under PIDA 1998).

CONCLUSION

Once the dam is burst you do have legal options to stem the tide to protect your company’s confidential information from further disclosure. Far better, however, is to check the walls for any cracks in advance, alleviate any risks and prepare for all eventualities.

What protection is there for whistleblowers?

The Public Interest Disclosure Act (PIDA) 1998 was brought in following events like the Piper Alpha disaster and the Barings Bank scandal, which highlighted the fact that employees were often aware of problems and risks at work, but were too scared to blow the whistle about them.

PIDA 1998 protects employees who report malpractices by their employers or third parties against dismissal or victimisation in the following ways:

  • Dismissal of an employee is automatically unfair if the reason, or the principal reason, is that they have made a ‘protected disclosure’ under PIDA 1998 (see below).
  • Subjecting a worker (a wider definition than employee covering persons working under a contract of employment or other contract, such as home workers or agency workers) to their detriment on the ground that they have made a ‘protected disclosure’ is prohibited.

A protected disclosure is defined as:

  • a disclosure (not just a threat);
  • where the person has a reasonable belief;
  • that there has been malpractice (on the grounds that there has been a criminal offence, breach of legal obligation, miscarriage of justice, health and safety abuse, environmental damage, or concealing any of the above);
  • and discloses such to their employer (or occasionally to third parties);
  • in good faith;
  • not for personal gain; and
  • in circumstances where it is reasonable for them to make a disclosure.

The disclosure has to be made (not just threatened) and it does not have to be in the public interest to be lawful, for example in Parkins v Sodexho Ltd [2002] it was held that it could be about an employee’s own contract.

However, this protection mostly applies to responsible disclosure to the company itself. Certainly, disclosure to the media will only be protected in limited circumstances. In Smith v Ministry of Defence (MOD) [2005], security guards had contacted the press to complain about having to work with a colleague who had been convicted of indecently assaulted a child. They were dismissed for gross misconduct and made a counterclaim that they were protected under PIDA 1998. However, it was held that their disclosure was not in good faith as the motive was their revulsion at having to work with the man in question, rather than concern for the child’s safety. In addition, they should have used the MOD’s whistleblowing procedure, or gone to the nursery or OFSTED.

If your employee or ex-employee has sold their story to the press, they will need to reach a higher threshold to prove good faith. It would require them to either prove there was a high degree of urgency or that they were unable to raise concerns through other avenues. Generally speaking, if a newspaper buys a story, the worker is likely to fail the personal gain test and possibly the good faith test so cannot hide behind the protected disclosure rules.

 

Barclays Bank plc v Guardian News Media Ltd [2009] EWHC 591 QB

Parkins v Sodexho Ltd [2002] IRLR 109

Salman Engineering Co Ltd v Campbell Engineering Company Ltd [1948] 65 TPC 203

Smith v Ministry of Defence [2005] ET1401537 & 1401899/04 IDS Brief 788 MOD

NOTE

  1. Spycatcher refers to the following case: Attorney General v Newspaper Publishing PLC [1988] Ch 333, 375, 280.