How should you respond to a request for non-public company information from an unauthorized person?

When handling any request for non-public information, the priority is protecting confidentiality by not disclosing anything to unauthorized individuals and by escalating to the right authority. Declining the request and guiding the person to the proper channel—such as a supervisor, data owner, or security/privacy team—ensures the information stays within approved boundaries and that the request is handled consistently with policy. This approach also creates a clear trail of how the request was managed. In practice, avoid sharing any data, even if you think the requester seems legitimate, and don’t try to “help” by providing partial information. Signing an NDA after the fact doesn’t grant access or validate the requester, so it’s not a remedy for an unauthorized inquiry. HR typically isn’t the correct channel for unrelated external information requests; escalation to the appropriate security or governance role is the proper path.