Develop written confidentiality policies and procedures: Every business/organization should have a written confidentiality policy (typically in its employee handbook) describing both the type of information considered confidential and the procedures employees must follow for protecting confidential information. At the very least, we recommend employers adopt the following procedures for protecting confidential information:

Separate folders should be kept for both form I-9s and employee medical information.

All confidential documents should be stored in locked file cabinets or rooms accessible only to those who have a business “need-to-know.”

All electronic confidential information should be protected via firewalls, encryption and passwords.

Employees should clear their desks of any confidential information before going home at the end of the day.

Employees should refrain from leaving confidential information visible on their computer monitors when they leave their work stations.

All confidential information, whether contained on written documents or electronically, should be marked as “confidential.”

All confidential information should be disposed of properly (e.g., employees should not print out a confidential document and then throw it away without shredding it first.)

Employees should refrain from discussing confidential information in public places.

Employees should avoid using e-mail to transmit certain sensitive or controversial information.

Limit the acquisition of confidential client data (e.g., social security numbers, bank accounts, or driver’s license numbers) unless it is integral to the business transaction and restrict access on a “need-to-know’ basis.

Before disposing of an old computer, use software programs to wipe out the data contained on the computer or have the hard drive destroyed.

A confidentiality policy should also describe the level of privacy employees can expect relating to their own personal property (e.g., “for your own protection, do not leave valuable personal property at work and do not leave personal items — especially your purse, briefcase or wallet — unattended while you are at work”) and personal information (e.g., “your medical records are kept in a separate file and are kept confidential as required by law”).

Finally, all businesses/organizations should have their confidentiality policies reviewed to ensure compliance with state law.

Train management and employees on confidentiality policy: Oftentimes, simply having a written confidentiality policy is not enough.

In order for the confidentiality policy to be effective, managers, supervisors and employees must be educated on confidentiality issues and the company’s policies and procedures. Management and employees should be allowed an opportunity to ask questions about the policies, and everyone should be trained to avoid putting sensitive information in e-mails. Many companies and organizations include this training as part of the new-hire/orientation process.

Management should also be instructed as to the proper way of communicating with the company’s inside and outside counsel so as to ensure that certain work-related documents and e-mails are protected by the attorney-client privilege.