Coffee-Shop Talk…Making Confidential Information Public

You overheard a teammate divulging confidential information about a client to a friend at the coffee shop. This information is potentially damaging to the client. What would you do in this situation, and what is your obligation to the client?  -e-Factor!® scenario

I was delivering a continuing professional education workshop on ethics recently and this scenario came up for discussion.  It generated a heated debate between those who felt they had absolutely zero responsibility in this case and those who believed the client had a right to know that confidential information had possibly been made public.

Protecting confidential and proprietary information is a big deal for most companies. Many people are unaware this common situation creates ethical dilemmas and potential conflicts. People fail to connect coffee shop talk with confidentiality requirements. So let’s explore this scenario in more detail to determine the potential ethical issues, solutions and consequences.

First, what makes this situation an ethical dilemma?  Is it that confidential information is being revealed?  Or is it because this is happening in a public place?  Maybe, however, the true dilemma is that we’ve overheard something and now we have knowledge of something we feel is not right. We may think it’s not our place, we don’t have authority or it’s not our business because the teammate doesn’t work for us directly.  At a very high level, though, could we say each of us has an obligation to protect the organization and clients we work for?  Our immediate answer to this may depend on our experience level and position with the company.  We don’t all think the same, and we don’t have the same interpretation of what is confidential. We may need to start our analysis by clearly defining what we consider to be confidential and making sure everyone in our organization understands this definition.

Let’s peel away another layer of the dilemma and look at stakeholders.  The biggest stakeholder is the client whose information is being made public.  Yes, I said “being made public.”  In the accounting world, the American Institute Code of Professional Conduct specifically identifies actions like this, posting on social media and even answering questions from trade association surveys as actions that could be construed as being made public.  Especially if the information provided has enough detail that we could reasonably tie it back to a specific organization. Once information is made public, it is no longer protected by the rules of confidentiality. Have you ever tried recalling a post on social media?

The other stakeholders here are the talking teammate and us. The teammate who is talking clearly is violating obligations to protect client confidentiality. But why are we stakeholders in this? We’re just overhearing something being said! We’re not directly involved, are we?  Well, our organization is also a stakeholder, one that may be held responsible for damage to the client if it is significant and can be reasonably proven. Ah, so now we see why our role as “witness” may have some responsibility attached to it…

It’s true that people talk.  It’s also true we may have policies and procedures that prohibit this sort of situation from occurring – on paper.  However, if we don’t enforce this policy consistently it may also be true that we’re at risk. So what choices do we have in terms of taking action in this specific situation? How can we prove we’re enforcing our confidentiality policies?  And what are the consequences of each option?

For starters, we can ignore it, pretending we heard nothing. This is the safest and easiest way for us.  However, if a problem occurs as a result of this coffee shop talk, doing nothing is just as bad as doing the talking!  We had a chance to prevent further damage, and we didn’t take it because we didn’t want to be involved…!

We can talk to the teammate privately right in the moment and suggest they stop talking about clients in public places.  There’s a way to do this politely and professionally and yes, nicely. They truly may not know their conversation could cause trouble, and we’re giving them an opportunity to choose their actions and be accountable. For me, how a person responds here shows whether or not they are trustworthy, but it’s also a matter of how we communicate – accusatory wording will bring out a defensive attitude no matter how noble our intentions are, right?

We can always report this to the organization’s compliance officer or the teammate’s direct supervisor.  This is a more serious step requiring proof and details, not just gossip. It documents the incident and is protection for us and for the company.  It shows that we are enforcing our policy, so if this is our biggest concern, we’ve answered it. It could also damage our relationship with the teammate and affect our perceived credibility.

And finally, we can talk to the client directly and let them know what happened. This is an extreme option, possibly destroying trust between client and our organization and leading up to a loss of the client, lawsuits or other consequences. Does the client have a right to know? This is the question needing an answer to justify this action.

These are just a few choices we have coming off the top of my head.  I’m sure you can think of more.  So what action should we take now?  We all have to choose… What’s your decision?