When the COVID-19 crisis hit the United States (indeed, before it was even considered a “crisis” here), we provided tips for protecting a company’s trade secrets in the event employees were permitted to work from home. In the ensuing three weeks, not only have employees been permitted to work from home, but many companies have required it. Indeed, an ever-growing list of states, including California, Connecticut, Illinois, Maryland, Massachusetts, New Jersey, New York, Ohio, and Pennsylvania have issued stay-at-home orders and shut down all non-essential businesses for the time being. As a result, there are now millions of employees working remotely who are accustomed to working in an office setting. Indeed, according to a March 12, 2020, flash survey of more than 550 employers conducted by Seyfarth, nearly 85% of responding companies were actively encouraging employees to work from home in some or all parts of the country, and more than 65% were taking steps to provide capability for employees to be able to work from home who do not normally do so. Those numbers are likely even higher now.
In this rush to “flatten the curve” and keep employees and entire communities as safe as possible, many companies have enacted new remote working policies, plans, and procedures, often without much thought given to the protection of trade secrets and proprietary information. Indeed, in their haste to provide work-from-home resources and accessibility, some companies are apparently loosening their security standards to allow faster and more convenient access for employees. For example, some companies turned off two-factor authentication when their systems were initially overloaded, some have permitted (or even encouraged employees) to use personal e-mail accounts rather than secure (and, in some instances, encrypted) company accounts when Citrix or other remote work applications were slow, and others have allowed employees to download information from company servers onto USB devices, either to upload onto personal devices or to print. And these are just what we have heard about; there are no doubt other security measures being abandoned or scaled back for the sake of short term efficiency and convenience.
And, of course, there are bad actors taking advantage of the current situation. Relaxed security make systems and information far more susceptible to hacking and other data breaches, which often carry mandatory reporting obligations and hefty penalties, and invariably lead to class action lawsuits, not to mention privacy concerns. Accordingly, companies should think twice before loosening these security standards. By all accounts, the current COVID-19 crisis will be relatively short-lived (whether that means weeks or months is, of course, unknown), but as the saying goes, once a secret is known, it cannot be unknown. And when this is all said and done, while courts will likely give some leeway as a result of the emergency situation, if basic safeguards were disregarded, courts may have a hard time concluding that a company undertook reasonable efforts to safeguard its information, as is required in all jurisdictions to merit trade secret protection.
While each business’ needs are different, we recommend that companies consider a work-from-home policy to remind employees of their obligations to keep company information secret, maintaining rigorous authentication processes in place to prohibit unauthorized access to company data, prohibiting and restricting the use of unauthorized third party cloud storage sites, and utilizing appropriate software to protect company data.
The COVID-19 crisis will end. But will your company’s information remain protected in the meantime? That is a question that all companies should be asking themselves—and making the effort to answer correctly—during this unique moment in history.