Do Your Programmers Use LinkedIn? They May Be Leaking Secrets, Whether They Know It Or Not

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

At just about every major chain, employees have agreed to lengthy nondisclosure agreements, whereby they have agreed not to "disclose" any "confidential information." The problem is that most employees don't think of updating their LinkedIn profile as a disclosure. Even more significantly, they don't think of a lot of their day-to-day operations as confidential information.

Nowhere is this more true than with retail IT talent, talent that is marketed by touting the various applications people have worked on and the specifics of problems they have solved. In LinkedIn, all of those apps and problems/solutions are located right next to their employer's name. Doesn't take a lot of sleuthing to figure out quite a bit about that chain's confidential operations. Fear not, though. This information is generally only being read by your direct rivals.

With most NDAs, confidential information has a specific definition and wouldn't include stuff like, "Hey, I am a Unix guru." This really isn't an issue about violation of an NDA (OK, sometimes it is); it is about good operational security. For that, users need better education and training about the risks of disclosure, the company needs to decide what it wants to protect, and the chain needs to be vigilant about appropriately trolling social networking sites for public information about themselves or their partners that might cause harm.

This process, called Open-Source Monitoring, must be done well and done legally (with respect for privacy) or it can be a public relations and legal nightmare. But when done well, Open-Source Monitoring can give a retailer advance (or at least real-time) information about a potential data leak.

Let's face it. Just about everything happening in your company is being posted online by someone. A store clerk just ate a tasty burrito—wham! It's on her Twitter feed. A fire drill causes employees to stand in the cold for 10 minutes, and poof! Not only is it on someone's Facebook site, but there's a picture of shivering executives. Much of this information is harmless. But much of it is not.

Cyberthieves, competitors, fans and others are constantly trolling social networking sites for information they can use to learn what you are doing. If Apple hires a new employee with expertise in interactive displays (as evidenced by the employee's change in his or her LinkedIn profile), then the world (and Apple's competitors) know something is up with a new product that might have interactive displays. If the CEOs of two companies post identical locations at Foursquare, then could a secret merger chat have just been revealed? If a technical person posts his or her previous position (system architect, Sears), with skills and responsibilities (designed a Web-based payment and inventory system using C++, which integrated inventory and cost modeling with blah, blah, blah), a good social engineer can use this information to learn exactly what type of system and services a competitor is about to start using.Moreover, knowing more about the platform, hardware, software and architecture, hackers can target relevant employees (heck, their names, addresses and contact information are already posted) to get even more data from them. Indeed, hacker boards and other forums are filled with precisely this type of information.

When a key executive, salesperson, marketing executive or other user of Twitter, Facebook or LinkedIn departs the retailer's employ, this inevitably leads to the question, "Who owns this account?" Unless retailers take steps to protect this data, a simple noncompete probably won't protect this stream of information.

Moreover, social networking sites also create opportunities for employees to (inadvertently or deliberately) post sensitive or proprietary information. This, in turn, violates nondisclosure agreements and puts a retailer's business at risk.

In the real world, sales and marketing people are either provided with or independently create contact lists, sales leads or other ways of reaching out to potential customers. They are paid to do this, and they use company time and resources to do so. Where an employee has either a noncompete agreement or a nondisclosure agreement that covers the use or dissemination of such information, then taking this information with them after they leave typically constitutes a breach of the agreement (depending on its terms). But what happens when that information is created on a public database like LinkedIn?

Take the example of Brelyn Hammernik, formerly of TEKSystems in Minnesota. After Hammernik and TEKSystems parted ways, she updated her LinkedIn profile, thereby informing all the people connected to her on LinkedIn that she was no longer employed by TEKSystems. The noncompete she signed contained language that allegedly precluded her from communicating with any of her former professional contacts who she developed while with or for TEKSystems. Moreover, by listing the fact that she had moved to a new employer, is the new employer now liable for inducing Hammernik to violate her noncompete? The same rationale would apply if any other social networking media is applied—Twitter, Facebook, etc.

Had Hammernik, subject to a noncompete, sent a letter (you do remember letters, don't you?) to all of her former professional contacts saying, "Oh, by the way, I am no longer with TEKSystems, I'm now with xxx. Here is my new contact information," this would almost invariably be considered a prohibited "communication" with the professional contacts. The same would be true of individual E-mails. In Hammernik's case, TEKSystems has sued its former employee in Minnesota alleging that, by updating her LinkedIn profile to show her new employment status, she was tacitly inviting her previous customers to come to her new employer.

Similarly, when Noah Kravitz left the employ of mobile phone site, where he was known for (and paid for) writing blogs, vlogs and product reviews, in addition to posting to his Twitter feed @PhoneDog_Noah, the question remained, who "owns" his 17,000 followers? Clearly, Kravitz created his extensive Twitterverse at the behest of his employer, probably using that company's resources, computers and, of course, time. But is much of the goodwill engendered by his Twitter postings enured to the benefit of PhoneDog?Kravitz could not simply take the @PhoneDog_Noah moniker with him. It would likely violate PhoneDog's trademarks, in addition to creating substantial confusion about who Kravitz represents after his employment. But could PhoneDog mine the 17,000 followers? Could Noah?

For months after leaving, Kravitz maintained the @PhoneDog_Noah handle (he claims with the blessing of the company). He increased the number of followers to over 22,000. Enter the lawyers. They claim Kravitz' Twitterverse constitutes a proprietary customer list that he "stole" when he left. They also claimed damages equal to $2.50 per follower per month. What a mess.

So, how can a retailer prevent these problems? As lawyers and auto mechanics say, "You can pay me now, or you can pay me later." The key here is to manage both employee and customer expectations before the crisis. So, if Mrs. Fields leaves the cookie company, not only does the company retain the trademark, but it also may retain her domain name and quite possibly her Twitter feed, Facebook page and LinkedIn profile. Like so many other things in life, planning is important.

Thus, in addition to having the relevant employee sign a noncompete or nondisclosure agreement, you should define exactly what you mean to prohibit. Can the employee notify (directly or indirectly) clients about his or her change in employment status? Can they post this information on their LinkedIn profile or Twitter feed? Do these activities constitute a violation of the noncompete agreement?

To avoid any ambiguity, any noncompete agreement should expressly state what activities constitute a violation of that agreement. You should also consider having an agreement about not only the use of social media by employees but ownership of social media data, too. This agreement should make it clear that employees are responsible for ensuring confidential information, proprietary information and sensitive business information are not to be shared on social media sites. It should also make it clear that the employer may monitor any communications the employee makes—even those made from home—if those communications are in a public media like a social media site.

Companies also need to consider under what circumstances they intend to "friend" any of their employees' social media sites like Facebook. Although I would recommend employers do this, there are things employees may say in these social media sites in a semipublic forum that can be a violation of noncompete or nondisclosure agreements.

LinkedIn has the potential of becoming the next contacts database, even though it exists on the cloud and employees don't "steal" it when they leave the company. Wise retailers should decide in advance who owns this valuable business resource. If they don't, it's just up for grabs.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.