Rossander’s Security Reader

Who owns your contact list? Is your rolodex yours or is it intellectual property of your employer? And how does that rule change when your rolodex is really your LinkedIn account?

Two recent court cases out of the UK concluded that your contact list may well belong to your employer. The first involves the UK arm of a US publishing group, PennWell Publishing (UK). In this case, a departing employee burned 18 files containing contact details for industry members and conference attendees onto a CD. While at the company, the employee had stored both personal and work contacts in his email account address book. As the database contained his own “journalistic contacts”, he believed he was entitled to a copy when he left to set up a competing business. Despite a strong argument by the former employee about “the highly personal nature of the files”, the judge found that an address list in the email system and backed up by the employer is exclusively the employer’s. He went further and said that not only is the employee not entitled to exclusive use of his former address book, he is not even entitled to shared use and was permanently enjoined from using the address list. This was true even though the list was started from a list that the employee brought from his previous employment and updated himself and despite the fact that it contained a proportion of purely personal contacts.

In the second case, a former Hays Specialist Recruitment employee was forced to disclose business contacts added to his LinkedIn account before leaving the company. Again, the company’s motivation was the employee’s use of the contacts to set up a competing business.

Some forms of intellectual property are clear. Stealing the recipe for Coca-Cola, employee lists showing SSNs, the company’s strategic plans or patented machine designs is bad. Whether a customer roster belongs on that list depends a lot on the company’s business model. And whether your own address book counts as a customer roster may depend on your position within the company – there’s a stronger argument if you’re in Sales than if your rolodex consists mostly of IT vendors.

The line between personal and business life is increasingly blurry – and that blurriness helps companies more often than not in my opinion. Often, you want the personal connection of a human name in the contact list. I am not in favor of a blanket rule that you can never mix personal and business contacts. We need to be careful about putting too many barriers in the way of our employees.

In some cases, you can get around the problem by setting up role-based accounts for the company. For example, when I was working the company’s domain registrations, I set up an account called “dom-admin”. All the contacts, registration credentials, alert messages, etc were made in that dummy account’s name. For convenience, the account forwarded to my internal email but everything stayed with the dummy account. When I moved out of that role, we simply switched the forwarding to the new person. It really helped our continuity. That doesn’t work for every situation, though.

Whatever the policy is, your company needs to make the policy clear especially in this age of expanding social media and networking. If your rolodex is yours, fine. If it’s the company’s, make sure your employees know the rule ahead of time. The company’s Social Medial policy is a good place to make clear who owns your contact list. If the policy isn’t clear, push the issue. Ambiguity is good for nobody but the lawyers.