Evidence of improper use of Electronic Data Processing equipment at TI could lead to a review of the use of EDP systems such as MSG, TIOLR and telephones. TIers who use Electronic Data Processing resources and applications must take adequate precautions to protect TI's best interests. In most EDP applications, individual passwords are required to gain access. It is the responsibility of each TI employee to be aware of proper password controls including non-disclosure of password information and periodic password changes to guard against unauthorized access.
It is important that all TIers understand that use of EDP resources is restricted to TI business needs and that personal use or unauthorized access is prohibited.
If TI has reason to believe that EDP resources are being used improperly, for example, for non-TI business, by unauthorized individuals, or in a manner that violates security requirements, we may review both access to and use of systems such as MSG, TIOLR, and telephones (particularly long distance use).
We have no intention of reviewing the use of these systems without reason. But if evidence of misuse exists, these systems will be checked and disciplinary action may be taken. This procedure is vital for controlling both information security and EDP costs.
Fax machines are becoming common additions to the TI workplace. This availability, coupled with the ease and convenience of the latest versions of these devices, encourages even the novice to use the fax. We must realize that the fax presents traps for the TI employee.
Powerful and convenient communications tools such as fax machines are gaining instant popularity and extensive usage in all facets of business today. These tools can be found throughout TI, worldwide. Because of their rapid acceptance and broad usage, the legal and ethical issues surrounding them are not totally understood.
Security and confidentiality issues surround fax usage, because the fax machine uses the same transmission carriers as the telephone, including wires, microwave, mobile phone frequencies, and fiber optics. If you wouldn't say it on the phone, don't send it on the fax. Except when using special information. Likewise, we highly discourage fax usage for transmitting proprietary data (TI strictly Private and TI Internal Data). If proprietary data must be sent, then to reduce the chance of its being compromised someone must be standing by at the receiving end to retrieve it immediately. Common sense dictates that messages containing personal information, obscenities, or bringing discredit to TI or to TIers are out of place in fax transmissions.
Another potential problem of fax machine usage is that sometimes they are too easy to use. It may become too convenient to forward information to suppliers and customers. Good common sense and professional judgment must be applied in every business transaction, and this is especially true in fax transmissions. Faxed documents can unintentionally create legal and binding commitments.
Additionally, information sent via fax to another country constitutes an export and, as such, the transmission may be prohibited by government export control laws or require an export license prior to transmission. Stickers intended to alert users have been placed on most fax machines accompanied by instructions to assist the user to avoid non-compliance with government regulations. If your fax machine does not have such a sticker, you should contact your business group's "export control manager" for assistance.
Sensitive, competitive, or proprietary information might be exchanged when we talk with our customers and suppliers. How we handle that information is a serious ethical issue with possible legal implications.
During the course of business meetings or discussions with our customers and suppliers, it is sometimes necessary for us to receive proprietary information from them. To protect this information we will often sign a non-disclosure agreement, which states that we will not disclose information marked proprietary from the other company except for legitimate purposes that are spelled out in the agreement.
At other times, we will have discussions that are not covered by a nondisclosure agreement, and we ask the other company to sign an agreement stating that we do not want them to assume any confidential relationship or obligation. In both of these situations we define our expectations up front in writing.
But many of our discussions with customers and suppliers occur informally without a written agreement covering the transfer of proprietary or confidential information. And occasionally we will be given information that is obviously sensitive and might be useful to TI for competitive purposes. If this happens, what are our ethical obligations?
A TIer recently raised the following question. "If a customer or supplier decides to give us valuable information and we have not signed a written confidentiality agreement, should we feel free to use that information?"
The answer to this question goes right into the heart of our total quality process and raises both ethical and legal concerns. It will be covered in the next article.
The exchange of written information with customers and suppliers may raise ethical and legal issues. Unless there has been an up-front agreement with the creator, TIers will neither solicit nor accept information marked confidential, proprietary, or the equivalent.
In the last article we raised the following question:
"If a customer or supplier decides to give us valuable information and we have not signed a written confidentiality agreement, should we feel free to use that information?"
To answer this question, we need to ask another question:
"What does the customer or supplier expect us to do with the information?"
The key is to understand and to meet those expectations and this often requires us to actively seek them out. Unfortunately, customer or supplier expectations sometimes become evident only after we have used their information in a manner that they consider to be inappropriate. So it's important that we ask questions before we use the information. But in some instances we have very clear requirements regardless of the other companies' expectations. Let's first cover a specific type of document.
If you receive from any source a document that belongs to another company and is marked confidential, proprietary, or a similar designation, then you should never accept it unless you are sure we have signed a confidentiality agreement with that company. This also applies to confidential documents that you may just accidentally find. In these situations, there are no ethical "gray area" decisions. We simply will not solicit or accept information marked confidential, proprietary, or the equivalent unless there has been an up-front agreement. Period.
If you receive such information, contact your business services people or TI Legal. They in turn can talk to the creator of the document to determine how they want the information to be handled. I have had such documents forwarded to me by concerned TIers and in one instance we found that the originator had reclassified the document without removing the confidential marking and there was no problem.
But we should never assume that to be the case. The issue should be reviewed and documented by TI before we use the material. And do not wait to do the review and documentation. If we wait until a problem arises, then our documentation may appear less credible and more self-serving.
This article concludes our three-part series describing how we should handle sensitive or proprietary information we receive from others, how to handle documents and verbal information that may be sensitive.
We frequently have conversations with customers and suppliers on a variety of subjects ranging from general issues to very specific and potentially sensitive ones, with no written confidentiality agreement. We obviously cannot document every piece of paper or conversation that we have or contact TI Legal on every issue. So where do we draw the line in our discussions? How do we recognize when we are treading on risky ground? And what should we do if we believe we have crossed over the line? Gray areas especially require sound personal judgment.
During discussions with external people, you need to keep the following questions in mind
If the answers to these questions are yes, then you are probably on safe ground.
But if you believe you are receiving information that is "closely held" by the presenter, be careful. Also ask yourself if the information you are receiving could be very valuable to TI, because if it is, it may also be considered valuable and possibly sensitive to the other party. Be particularly careful about non-published technical, financial, customer, and cost/pricing information.
If you become concerned during a discussion that you are being presented sensitive information, then stop. Ask the presenters to explain to you which items, if any, they consider to be proprietary, how they expect you to handle them, and for what purpose they expect you to use them. It is vital that you have agreed to protect and follow up with a written non-disclosure agreement. If you discover that some of the items they consider proprietary are unpublished that you use in the course of your TI work, then stop the discussion and get in touch with your Business Services people at TI Legal. We do not want to leave the false impression that we will restrict the use of information we already know or perhaps have already developed ourselves. Clearing up that issue could prevent future legal problems.
These situations can often be avoided prior to discussion by telling the representatives from the other company that we do not want them to discuss or present to us anything that they consider proprietary.
Sensitive information belonging to another company must never be solicited or accepted by a TIer unless we have an appropriate signed document, such as a non-disclosure agreement. But what if we receive that information accidentally through no intent or effort of our own?
A few weeks ago we published a series of T NEWS articles explaining how to deal with sensitive information. A key point we made was that we should never solicit or knowingly accept information belonging to another company that it believes is proprietary or confidential unless we have an appropriate signed agreement, such as a non-disclosure agreement. This standard also applies to documents that we may receive in an unsolicited manner or even find accidentally.
A TIer asked me the following question:
Suppose I'm in a restaurant and I happen to overhear a conversation from behind me. It's two TI competitors discussing sensitive, competitive information that would be very valuable to TI. What do I do? Continue to listen? Put my fingers in my ears? Tell them to stop? And what should I do with the information I've already heard? Forget it and pretend it never happened? Mark it TI STRICTLY PRIVATE and distribute it?
I didn't go out looking for the information and I couldn't change my table location to get away from the conversation. It seems a little ridiculous to just throw away an opportunity to use valuable information that I've acquired but didn't solicit in any way. What's the right course of action?
How would you answer that question? This is one of those gray-area issues that is tough to answer. Next week I will tell you my answer and will pose an even tougher question.
While TIers must never accept or solicit sensitive information belonging to another company without an appropriate signed document, such as a nondisclosure agreement, what if we receive that information accidentally through no intent or effort of our own?
In response to the question I posed to you last week, there is nothing illegal or unethical about accidentally being in the right place at the right time and overhearing a competitor's conversation. They must accept the responsibility for irresponsibly discussing sensitive information in a public place. If you have overheard the conversation, your best course of action is to document to your best ability what you heard and notify TI Legal, telling them how you acquired it. The TIer who raised this question is correct. It would be ridiculous to pretend that you never heard the information. Under these circumstances you can share the information with TI. The competitor must accept responsibility for his carelessness. Our ethical principles do not exclude common sense.
But let me carry this issue one additional step by restating the question as:
I'm entering a restaurant that has open seating. I happen to see two of my strongest competitors sitting at a table. They do not see me and I intentionally sit at an adjacent table and listen carefully in an effort to overhear something confidential. Is this ethical?
Frankly, there is disagreement among TIers whether this is a proper course of action. It clearly is not illegal but is it ethical? And if you hear some valuable competitive information as a result of your action, have you crossed the ethical line if you use it?
Before I respond, I would like to hear from the readers of this T NEWS column. What do you think? Is this a clever move, or an unethical act? Feel free to answer anonymously if you wish.
The study of actual cases and their ethical issues strengthens our ability to make good ethical decisions. Consider the case of the acquisition and selling of corporate telephone directories.
A TIer recently sent me a copy of a news article that demonstrates, in my opinion, how out of touch individuals can become when their own self interests are their only concerns. This example also serves as a reminder to all of us that we have an obligation to protect TI's assets.
The news article describes a small company that is in the business of acquiring corporate telephone directories and then selling them to others so that they can call employees at work to solicit their business or put their names on mailing lists for marketing and research purposes. As it is at TI, most companies consider their directories to be confidential internal information, not for outside disclosure except on a need-to-know basis. Nevertheless, the company in question has its methods for acquiring these directories.
The most remarkable aspect of the article was the attitude of the company owner when he was questioned about how legal and ethical his line of work was. His response was, "There's a difference between what a company doesn't like and what is illegal. All I can say is that no one has sued us yet. As for ethics, what I do is in the realm of corporate espionage. Is that unethical? Let's just say it's kind of a gray area."
I recommend that if you are contacted at your work phone by an unknown outside business concern, ask yourself this question -- "Is this the sort of person or business that I trust doing business with?" -- and for a real ethics test, ask the caller how he got your phone number. And remember, our TI phone book is TI INTERNAL DATA, and not to be released to unauthorized persons.
What should you do if you received a competitor's sensitive information . . . even if it were obtained accidentally?
In May and June of last year we published three articles explaining how we should handle sensitive information. The last two of these articles dealt with sensitive or proprietary information that we might receive accidentally, through no intentional effort on our part.
A TIer raised the following question recently on a subject that could affect TIers involved in joint ventures:
If I am working at the facility of another company that is a joint venture partner with TI, but also a TI competitor, what are my obligations if I hear confidential information? Specifically, I am referring to information that I might hear accidentally, for example in a cafeteria. Another consideration is that I would be there unescorted with a special access badge.
Your first step is to determine if there are confidentiality obligations imposed by the contract. Has TI signed a non-disclosure agreement (NDA) that requires you to protect the information you overheard? If so, obey the contract.
Even if the information is not covered by an NDA, the circumstances of your special access could raise an implied obligation to maintain certain data as confidential. Your second step, then, would be to ask yourself whether it is reasonable for the host company to expect you to hold such overheard conversation in confidence. If so, you should not convey overheard competitively-sensitive data to anyone, including a competing TI entity. If the issue appears 'gray' to you (for instance, there is no NDA and the data is not really sensitive, but it may be useful to some operations at TI), then you should probably seek the counsel of TI Legal or the TI Ethics Office.
A final step: If previous analysis does not clearly resolve the issue, then ask the host for permission to disclose.
There is an exception. If you happen to overhear a conversation that indicates someone is planning to defraud TI (for example by violating a contractual commitment) or to engage in an illegal activity that would affect TI, then no implied responsibility exists to maintain confidentiality. To the contrary, you would have an obligation to disclose such a matter to our legal department (but no one else).
How can we justify a TI practice or policy that prohibits a TIer from doing something, but makes it a requirement for a non-TIer? A very interesting question was raised regarding our position on signing non-disclosure agreements.
A non-disclosure agreement (NDA) is a document that individuals are required to sign, typically when they are visiting another company for business discussions. It alerts those individuals that they may be exposed to information that the host company considers to be confidential or proprietary, and requires them to agree that they will not divulge that information in a manner that the host company considers to be inappropriate. The agreement is designed to prevent that information from falling into the hands of people or organizations that do not have a valid need to know.
This agreement places a very important obligation on the person signing it, and also on that person's company. And those obligations are often not clearly understood by both parties. It is sometimes rather easy to unintentionally violate the other company's understanding of that agreement. For that reason TI severely restricts the conditions under which TIers can sign such agreements.
We received the following question:
"TI prohibits TIers from signing non-disclosure agreements. But TI requires visitors from other companies to sign our visitor logs, which include NDAs. Isn't this a double standard, a one-way street?"
First of all, TI does not "prohibit" TIers from signing NDAs. We do, however, require TIers to have appropriate signature authority for NDAs. TI does not provide or receive proprietary information without an approved NDA to maintain its protection. To ensure we don't violate this policy on the "providing" side we don't allow visitors access without their agreement to maintain TI proprietary information as confidential.
The principal considerations are these:
There is nothing unethical or inconsistent about our requirements that both restrict TIers from signing, yet require visitors to do so. It is our way of protecting TI from unauthorized or accidental disclosure of information.
Some companies do not restrict their employees from signing the non-disclosure agreements of other companies.
But we must always respect similar prohibitions that other companies may place on their employees who visit us. We must never expect or require persons to violate the rules of their employers by signing an NDA for which they are not authorized. If the situation reaches an impasse, then TIers and the visitor should seek the assistance of their legal department and management to get the situation worked out. Someone will have the authority to either sign the agreement, to work out an arrangement that is satisfactory to both sides, or even to cancel the meeting or discussion.
The key lesson to be learned here is that we should always communicate our expectations and understand them well in advance of any discussion requiring a non-disclosure agreement, so that this problem doesn't arise.
Information is one of our most important assets. And each of us has a personal responsibility to protect it. Loose lips sink ships -- a popular saying back during the Second World War, but just as true today when it comes to certain bits of proprietary information. Each of us in our daily duties encounters bits of information that when taken one at a time may not appear to carry too much importance. However, they might be of importance to another when combined with other data. Consider these two issues recently brought by TIers to the Ethics Office:
Why do TIers have to hold their meetings in the hallway? It seems that those in my area always get into some big discussion right out in the open. They are always loud...and sometimes the language gets a little vulgar. And I hear things that I know must be classified. There are customers and some suppliers that use this area, and I think they are hearing information that they shouldn't. What should I do?
I was eating dinner at a local restaurant last night, and I could not help but hear a loud conversation going on several tables down from me. Apparently, they were drinking, and judging from their loud conversation, they were drinking a lot. I could tell from their conversation they were TIers. One still had on his badge. I knew enough about the subject to determine they were compromising some pretty sensitive information. When I went over and asked them to hold it down, they just laughed at me and continued. What else could I do?
Alcohol has been called the truth serum and can cause problems like this. But the real problem is a lack of respect for information. I doubt that any of us would intentionally put TI at a competitive disadvantage, risking the loss of business and of jobs. But too often we simply carry on those discussions in inappropriate places, like in the hallways or in restaurants. And the important information is compromised, is allowed to fall into the hands of those who do not share our business interests. Perhaps they are our competitors. Or they could be our customers or suppliers who do not have a need to know that information.
But what should you do? The TIer took appropriate action in the second case above. It is important that we be proactive to prevent further damage. Each of us has a personal responsibility to protect our assets...and information is one of our most important assets. Get involved. Stop the leak. Get help from your manager or supervisor, or from Security, or from the Ethics Office. Quick action is often necessary to limit the damage. Loose lips sink ships.