Fear of the coronavirus is causing many employers to permit—or in some cases mandate—employees to work remotely. While this measure is designed to minimize the risk of virus transmission, it presents an altogether different risk when it comes to protecting trade secrets, as employees have ripe opportunities to remove trade secrets and other sensitive information from company systems and databases. While remote access is ostensibly provided so that employees can perform their job functions from home, and may even be a necessity in that regard, some employees may take the opportunity to exploit the situation to more nefarious ends, and others may just be careless, which can lead to equally bad outcomes. In addition, employees’ external home networks may not have robust security on par with in-office network security.
Although many employers anticipate these issues with robust remote work or work-from-home policies and procedures, others do not, and may need to implement something quickly. And, even those employers that have implemented policies and procedures will no doubt have employees not used to working under them who will need to be made aware or reminded of them. Below are a few tips to protect trade secrets and other sensitive information while permitting employees to work remotely. Some of these tips can (and should) be implemented immediately, while others are longer term projects that employers should consider implementing now so as to avoid being unprotected the next time an unexpected event occurs.
Set Clear Expectations
Employers should clearly define what information is considered confidential or a trade secret, and what is expected of employees who are provided access to such information. If employees are not informed of what is expected of them, an employer cannot reasonably expect that its information will be protected. One of the primary elements of any trade secret claim, whether under the Defend Trade Secrets Act, the Uniform Trade Secrets Act (as adopted by 49 states), or common law, is that the company takes reasonable measures to maintain the secrecy of its information. The best way to define expectations is through plainly worded policies, including confidentiality, computer use, social media, cybersecurity, bring-your-own-device (BYOD), and other policies. If creating new formal policies requires a drawn-out process and/or high-level approvals that cannot be obtained immediately, an email or memorandum to employees setting forth expectations and reminding them of existing policies and expectations is a good interim step. In addition, marking documents “confidential” and setting up reminders that pop up every time a remote employee logs into the company’s systems, or into a particular database or program, will act as constant reminders to employees about the need to safeguard such information.
An employer can have all of the policies in the world, but if its employees are not properly trained and reminded of these policies, they can be ineffective and not worth the paper they are written on. Training of this nature should be part of any employer’s culture and conducted at least annually, but in emergency events like the current coronavirus outbreak, where employees who do not typically work remotely are being permitted (or required) to do so, it is especially important to provide training on permissible uses of sensitive information. Such trainings need not be in person if there is a fear of gathering large groups of employees; they can be performed remotely by phone, Skype, WebEx, or the like.
In some instances, setting expectations and training employees will be insufficient, and monitoring will be required. As an initial matter, employers should be aware of who their employees are and whether they pose a threat. The FBI has identified several factors for employers to look for to determine if an employee may be an internal threat: greed or financial need, unhappiness at work, allegiance to another company or another country, vulnerability to blackmail, the promise of a better job, and/or drug or alcohol abuse. Even if no employees seemingly fit the bill, inadvertent disclosure of sensitive information can be just as big a threat—once a secret is out, it is no longer a secret. There are myriad companies that offer monitoring software that can alert employers when an employee accesses or downloads sensitive information, sends information to a personal email account or outside of the employer’s infrastructure, and the like. Employers must make sure, however, that they are following all applicable laws and notice requirements before implementing any monitoring programs.
Creating a strong technical security infrastructure is imperative for employers seeking to maintain the confidentiality of their trade secret information. In this day and age, with myriad off-the-shelf options, there is no excuse for not having a technical security infrastructure in place, even for small companies. Employees should only be given access to sensitive information on an “as needed” basis; administrative safeguards, such as password protection, should be implemented to ensure access is only granted to those employees who truly need such access; and, as noted above, logs monitoring access to sensitive data should be maintained and checked regularly for unauthorized access. Another safeguard is to permit remote employees only to work on company-issued computers and devices, or at the very least computers and devices that meet certain security standards and protocols that permit the employer to lock and/or remotely wipe company data from personal devices and have built-in protections against hacking or other cyberthreats. Far more complex security measures are available for bigger and more sophisticated companies, but a certain baseline is expected.
Employees who work remotely should be expected to take the same precautions to keep information secure as when working from the office. Among other things, any hard copy documents and physical property (including thumb drives and other remote storage devices) should be stored safely in an environment protected from inadvertent disclosure to third parties who may have access to an employee’s home. Further, employees should be required to use reasonable home security measures for their internet network, including a password-protected Wi-Fi network and limiting access to that network.
One silver lining of the current climate is that international business travel has largely been curtailed for the time being, so there is less of a risk that travelers’ information will be compromised while in countries such as China that have a known history of attempting to misappropriate trade secrets and other sensitive information from business travelers through a variety of means, technical and otherwise. Business travel will inevitably pick up again soon, however, and this is a good time to look at and potentially revise policies for business travelers, such as requiring burner phones or computers and the use of VPNs when abroad. Likewise, it is a good time to update and provide trainings to employees who travel internationally on how to avoid being targeted by hostile foreign actors when they are permitted to travel again.