DesignBiz: Take Client Confidentiality Seriously
Client confidentiality and intellectual property rights must be respected. Even if you haven’t inked a formal agreement with a new or existing client, be very cautious what information you disclose, even over coffee with a close friend. There’s nothing worse than watching years of confidential effort evaporate in a single post on Gizmodo.
I’ve seen what can happen when a designer accidentally slips what seems like one tiny, inconsequential detail. Their whole world can come crashing down.
Roger* had been working at a printing firm, where he created packaging for software products sold in stores. As a course of creating the packaging, he was working with products that had not been announced to the public yet. The press releases for these new products would be accompanied by the luscious graphics he created.
One project he was working on had him very excited. While playing video games with a friend, Roger mentioned the name of the software product and when it would be coming out. He also said that it was confidential information, and shouldn’t be shared until it was publicly announced.
In such situations, we often feel like there is a strong social contract for friends and family members to keep within the agreed-upon “cone of silence.” Roger’s friend, however, betrayed his confidence and wrote about their conversation on his public blog. This quickly snowballed into worldwide knowledge of the software package’s release date, including postings on the leading technology sites. After a two-week period in which lawyers descended upon the firm from the client organization, my friend was let go from his position. The situation constituted a violation of his non-disclosure and confidentiality agreement, due to that single mention of his work to a single person. The end result was perceived as a loss of competitive advantage for the firm’s client.
You could argue that such leaks aren’t really that damaging, at least in the short term. Press releases can be fired off in a matter of hours, advertising campaigns spun up in a mere week to dispel a perception in the market.
But to change course on a multi-year project is often impossible without taking a major fiscal loss. When hundreds of thousands of people subscribe to the TechCrunches of the world, and a single tweet can snowball into an Oprah story, you’d want to be sure that what you say in the market is your best foot forward, not your foot lodged firmly in your mouth by someone you don’t even know. And now that everyone’s phone is an information capture and public broadcast device, anything you say in public could be shared to the world without your consent. (Even at that crowded, noisy bar, where you think no one else can hear it.)
For this reason, stick to the following rules when considering what can be shared outside of your immediate work team:
Decide in advance what you can and can’t talk about, then stick to those boundaries.
Review your confidentiality agreements with your clients and devise clear rules about who may have access to:
Names of companies you’ve worked with in the past
Names of companies you are currently completing projects for
Names of companies you are discussing working within the future, as part of your new business acquisition process
The names of people working on a client project (a.k.a “recruiter bait”)
The types of projects that you are fulfilling, and in which media
Discrete design examples, from raw process work to fully executed designs
When material can appear in the public-facing portfolio of work—you should write this into your contract with your clients
As a quick example: Joanne* works at a company where they can disclose what clients that they have and what kinds of projects they are working on, but they are not allowed to share any work-in-progress—concepts, detailed designs, prototypes—until they go live. Since many of their projects run two to three years, this allows them to openly discuss what they’re working on with prospective new clients.
Contrast this with another designer I know, Laurie*. She isn’t allowed to tell anyone outside her firm her clients, the specific types of projects, or even point at something that she’d designed in the past three years. None of her work can be displayed in her portfolio if she was to interview for a new job, unless the client has given the firm explicit approval.
Be crystal-clear about what those rules are, and don’t diverge from them. They may create a host of oblique, uncomfortable conversations at dinner parties, but you’ll be secure in protecting your client’s interests.
And remember: even if you didn’t sign an NDA/confidentiality agreement, be careful about what you do share. If a client asks you to keep something they tell you in strict confidence, treat it like confidential information until they say otherwise. Be a businessperson of your word.
Be prepared for your boundaries to be tested.
People from outside your company and/or client organization might be privy to the project details you’re working on. You should never let on that you have access to the same information. Transcend the societal imperative for open disclosure in that situation and keep quiet, unless your supervisor or client says otherwise.
The above advice may sound paranoid, but it is based on real-world experience. At more than one point in my career, I’ve been stunned to discover when having coffee with a friend of a friend that they know many details about my current project at work. They just don’t know that my company is involved in the project, or that I’m on the project team.
Confirm with vendors that they also comply with your set boundaries in advance of sharing any confidential information.
When working with vendors or subcontractors that have to handle confidential information, make sure they’re bound by the same agreements that you are. The same rules apply for any freelance or contract talent that may help you on a client project.
There are plenty of stories of printed material, fresh off a printing press and sitting in pallets for shipment, being shot with a camera phone and posted to the Internet. Such behavior should not be tolerated. The same rules apply for an interactive project you are beta testing. All public-facing servers should be password-protected until the project is approved to go live by your client.
Don’t blow off steam about a project in public. (This means social media, too.)
When out with co-workers decompressing after a long day, don’t mention client names or characteristics. After a few cold ones, it may not seem like a big deal, but you never know who’s sitting in the booth next to you. I’m terribly wary of people being able to easily connect a rough timeline of project events to the actual narrative playing out (inter)nationally for my clients.
The same rules apply for anything that you say or do on the Internet, especially social media. It doesn’t matter if your Twitter feed is locked, you’ve got your privacy settings for Facebook at Defcon 1, you’re blogging to a closed circle on LiveJournal, you’re showing only a few tantalizing slices of your current project on Dribble. Inevitably, your client will see what you say and do—even if there’s no way you think they can access it. Remember the example about Roger? Information can be copied and reposted in a matter of seconds, and if it’s tantalizing, it will be shared.
Try not to leave open threads dangling, as there will always be someone out there who pulls on the loose ends and starts to unravel the larger story. “There’s something cool coming next week,” says the oblique tweet about the top-secret project that just may see the light of day. Really, do we need to know that there’s something you know that we don’t? I know you’re trying to build suspense for the big reveal, but what happens if your client decides to kill the project? Or goes bankrupt? What are you going to say to your Twitter followers then?
Ask permission for promoting projects post-launch.
Always ask permission to show work or send out a press release if you don’t have an NDA/confidentiality agreement in place. This is not only a good business practice, it also keeps you from embarrassing conversations where a client asks you to yank a project from your website. Try to work these points into your contracts, so these negotiations don’t have to happen after the fact.
Compartmentalize your work on your computer.
Don’t leave client work up on your screen at work, on a computer desktop in public, or in client meetings. This sounds obvious, but if you don’t have work filed away in folders and hidden from view, people can see what other projects you’re working on. This may color their perception of how you handle client privacy. Volumes can be told from your work email inbox being projected in front of a whole roomful of clients. I have seen this happen at least a dozen times. It is never pretty.
Know when to use the strongest protection for IP that you pass back and forth.
When working with highly confidential information, be very aware of what is passed via email and by what types of email accounts. Try not to use third-party email services for critical client information—instead, lean on your own servers and password-protected, encrypted FTP services. An email can be forwarded without any way to easily track it, while a download can.
For any email or login, use strong passwords with numbers, special characters, and caps/lowercase digits. If you’re using password-protection on documents, don’t send them in the same emails—instead, communicate them verbally / in-person to ensure that if an email account is hacked, the files can’t be utilized. And if you’re posting your work on cloud services, be vigilant regarding whom has access to that shared information over time and make sure it is wiped after it has been used on the project.
Also, don’t leave around USB keys or offboard hard drives that may contain client-sensitive material; lock them away in a secure location. Depending on the security policy of your company, they may not even allow you to use such storage devices. Most corporations today will require you to use secure servers that are accessible when at the office or through a VPN.
Use a password-protected screen saver and phone.
Always lock down your phone and/or tablet with a password if you’re receiving client calls, texts, or email. Set up your phone to “self-destruct” after a set number of failed password attempts and/or a remote wipe capability if it’s stolen. It happens more often than you think. And while you’re at it, password-protect your screen saver, and leave it up when you’re away from your desk.
What’s your perspective on this topic? How do you protect your client’s intellectual property, and what security measures do your clients expect from you on client projects?
*Names and identifying characteristics have been altered in this post to protect the confidentiality of the individuals and companies mentioned.