As a startup founder, you have to deal with confidential information from various sources, such as investors, partners, customers, or employees. Confidential information can include business plans, financial data, trade secrets, intellectual property, or personal data.
Thus, one of the biggest challenges for a startup with limited resources is to protect its confidential information and avoid legal risks or reputational damage. The first question to ask is: do we have specific legislation in Malaysia that governs the right to privacy or confidential information?
The short answer is no. Malaysia does not have specific legislation addressing the right to privacy or confidential information. However, there are several sources of law that can be relevant to this issue.
First, contract law. Parties who enter into a contract can agree on the terms and conditions for handling confidential information, such as defining what constitutes confidential information, how long it will be protected, what the obligations and restrictions of the parties are, and what the remedies for breach of contract are. For example, a non-disclosure agreement (NDA) is a common type of contract that is used to protect confidential information in various situations, such as employment, business transactions, or research collaborations.
Secondly, the common law doctrine of breach of confidence will also come into play. The doctrine of breach of confidence is based on the principle that a person who receives information in confidence should not disclose it without the consent of the person who gave it. This doctrine applies when there is a relationship of confidence between the parties, such as employer-employee, doctor-patient, lawyer-client, or fiduciary-beneficiary. The elements of breach of confidence are:
- the information must have the quality of confidence
- the information must have been imparted in circumstances importing an obligation of confidence
- there must be an unauthorized use or disclosure of the information.
Thirdly, there are some statutes that deal with specific aspects of confidential information or personal data, such as the Personal Data Protection Act 2010 (PDPA). The PDPA regulates the processing of personal data in relation to commercial transactions. Besides, there is the Official Secrets Act of 1972, which prohibits the disclosure of official secrets by public servants or other persons. We also have the Computer Crimes Act 1997, which criminalizes unauthorized access, modification, or damage to computer data or systems.
Besides complying with the relevant laws and contracts, startups can also adopt some best practices to protect their confidential information from unauthorized disclosure or misuse.
Here are some best practices to help startups handle their confidential information. The first rule is to identify what information is confidential and why. Founders should have a clear definition of what constitutes confidential information and what the potential consequences of disclosing it are. For example, startups may want to protect their product roadmap from competitors or their customer list from poachers. They should also classify their information according to its sensitivity and value and assign different levels of access and protection accordingly. For instance, founders may want to restrict access to the financial data to the CFO and accountant or use a secure cloud service to store their customer data.
Another common instrument is a non-disclosure agreement (NDA). An NDA usually comes into play when sharing confidential information with third parties. Some may hear about NDAs frequently without knowing what an NDA is. In short, an NDA is a legal contract that binds the recipient of confidential information to keep it secret and not use it for unauthorized purposes. Startups should use NDAs when pitching to investors, negotiating with partners, hiring employees, or outsourcing work. Founders should also make sure that the NDA covers the scope, duration, and exceptions of the confidentiality obligation and that it is signed by both parties before disclosing any information. For example, an NDA usually has a clause that allows founders to disclose confidential information to regulators or courts if required by law, or a clause that specifies the jurisdiction and arbitration method in case of a dispute.
Implementing security measures to safeguard confidential information is another method. Startups should use encryption, passwords, firewalls, antivirus software, and other tools to prevent unauthorized access, theft, or loss of their confidential information. In this regard, a simple but effective measure is to limit physical access to confidential information by locking files, devices, or offices. Additionally, founders should educate their employees on how to handle confidential information and enforce a clear policy on what they can and cannot do with it. For example, startups may want to prohibit employees from using personal devices or email accounts for work purposes or sharing confidential information on social media or with unauthorized parties.
Monitoring and auditing confidential information regularly might seem obvious, but only a few founders actually practice it. It is only logical for startups to keep track of who has access to their confidential information and how they use it. Founders should also review their security measures and update them from time to time. Furthermore, startups should report and investigate any suspected breach or misuse of their confidential information and take appropriate actions to remedy the situation. For example, they may want to notify the affected parties, change the passwords or encryption keys, revoke the access rights, or seek legal advice.
In short, if managed correctly, confidential information is a valuable asset for a startup and can give the startup a competitive edge in the market. However, if it is mismanaged and then leaked or misused, the startup can be exposed to legal risks or reputational damage.
Therefore, here is a short piece of advice to all startups out there: you mismanage your confidential information at your own peril!