From the extraordinarily sensitive data they possess to the social media following they may develop, C-suite executives can do a great deal of damage to a company and its brands – intentionally or not. This risk begins with the start of employment but continues long after the executive leaves the company.
Executive employment agreements should cover four key topics: social media, security, cooperation, and developing technologies.
- Social media during and after employment.
Specify the employer’s social media expectations, including frequency of posting, content/legal review, and whether accounts are company or executive- owned. For employer-owned accounts, the executive should (obviously) be required to provide password and recovery information regularly and upon exiting the company. For the trickier cases of executive-owned accounts, consider specifying the language for the executive to send out from the account when s/he leaves employment, such as one recommending that followers migrate to a successor account (after all, an executive’s Twitter following may be a significant brand asset). Employers should also plan for the possibility that their executives may die while employed, leaving a string of difficult-to-recapture corporate digital assets. Finally, traditional non-solicitation, non-compete and confidentiality clauses should be updated to specifically address post-employment social media.
- Security training and policies for work and home.
Senior executives will likely be the direct target of specific, directed attacks seeking employer data held by the executive (for instance, spear phishing or targeted social engineering). In addition to requiring security training and compliance on company equipment, to the extent executives use private accounts and equipment for company business, agreements should set out data security measures expected. An executive agreement may also be the ideal place to set out an employer-data-only-on-employer-equipment clause, thereby ensuring
- Cooperation and data retention.
As company data stored on personal laptops and in private accounts will be subject to discovery, the executive must be required to adhere to data retention policies. The executive should be required to notify the company of third party inquiries during and after employment and, upon termination, should provide the company with a complete list of devices on which company data is or was held. Executives should also agree to post-employment cooperation with company data requests during all investigations, including administrative proceedings. This may include an obligation to turn over personal account passwords to the company if company data is intermingled with private data. Finally, costs associated with such company demands and compliance should be allocated in the agreement – and insurance policies should reflect this.
- Developing technologies.
Whatever the longevity of C-suite executives may be, the technology development cycle is even shorter. New devices – which bring new and often unexpected ways to capture, stream and store data — will inevitably lead to questions about who owns the data (rather than the device). For instance, an “always on” fitness device or app may capture very detailed business-sensitive information, such as a sales route or evidence of travels to negotiate a new acquisition. These devices and apps may transmit that data to third parties, many of whom are willing to sell data or who maintain lower than desired safeguards. Another area of concern is self-erasing communications (such as snapchat or wickr) – executives likely should be prohibited from using such apps to transact company business. Simply, executive agreements ought to be written with flexibility to adapt to changing technologies, perhaps best with a permission-before-use clause.