March 24, 2020
Critically important assets for any company are information, experience and know-how that give it an advantage over competitors. Such information that (1) is not generally known or ascertainable to the public or competitors and (2) has value because it is a secret is a trade secret, as long as it is subject to reasonable efforts under the circumstances to maintain its secrecy.
Most companies have learned what efforts need to be taken to keep trade secrets “secret” under ordinary circumstances, but in this new and abrupt age of COVID-19 isolation, quarantine and working from home, our present circumstances are anything but ordinary.
Maintaining Trade Secret Confidentiality as COVID-19 Moves Workers Off Site
As of this writing, six states (and counting) have issued “stay-at-home” orders, mandating restrictions on workers leaving home, while the rest of the nation continues to make similar emphatic recommendations. As a result, many companies unexpectedly find themselves in a surprising position where all or most of their employees are working remotely. This means a company’s valuable trade secrets suddenly may no longer be under the strict control of an office environment and secure network and are instead being transmitted electronically to employee homes and work systems, and traveling over potentially thousands of separate networks.
While every company wants to trust its workers, the sad and unfortunate fact is that employees who have access to a company’s valuable confidential information are among the most common sources of trade secret theft or misappropriation. This is especially so if the employee is leaving the company, and an increase in employee departures is another regrettable reality of our new COVID-19 strained economy. It is thus imperative that every company have reasonable measures in place to protect its trade secrets, even if it means novel actions to account for these new circumstances.
This note is meant to give the reader a rough guide of some measures a company may take to maintain or increase the security of its trade secrets with teleworking employees. Which of these measures is reasonable for any given company will vary, but some or all of them should be considered by any company with valuable secrets being shared with and among remote workers.
The foundation of any plan to protect confidential information is to identify what information the company considers to be confidential and proprietary, and to communicate that designation to its employees. Every employee should understand that he or she has a duty to keep such information confidential and a responsibility to ensure that information is not mishandled. If formal agreements and written policies are already in place, a companywide reminder email is a good step to take as employees move off site. If not, such an email can at least serve as an initial placeholder until policies and agreements are formalized.
Employers should be aware, however, that many jurisdictions require some consideration to make a formal nondisclosure agreement binding. The ability to work remotely may arguably be consideration for such an agreement under ordinary circumstances, but where remote work is required—whether by government mandate or the necessities of a public health emergency—it becomes less likely that permitting remote work would qualify as adequate consideration.
Employers Should Limit and Monitor Access to Confidential Information
As always, only employees with a specific business need for confidential information should have access to that information (whether working in-office or remotely). Particularly with remote employees though, restricted access such as via password protection is extremely important. The sophistication of authentication procedures differs depending on the industry and value of information (among other factors), but some type of electronic authorization is a good way to limit access to only those who need to know. Within the constraints of applicable privacy laws, remote access systems of all sorts—e.g., VPN and cloud-based systems—may track which employees access confidential trade secret information and when. Activity records and alerts can identify unusual activity, unauthorized access, attempts to access, attempts to save, downloads and printing, deletion and transmission to a private email address.
Specific Instructions to Employees Moving to Remote Workspaces
As employees begin working remotely, the company should provide specific written guidance on how to handle confidential information off site, and how to securely access the company’s network, documents and information. For example, it would be prudent to instruct employees not to use public Wi-Fi networks for work-related business, and advise how to set up adequate security for home Wi-Fi networks. To keep trade secret information safe, employees should conduct business with an employer-issued email address and using employer-issued hardware, or a personal device approved by the company as having adequate cybersecurity software. Likewise, a best practice is to conduct business using the company’s document management system, rather than private personal document programs, and to not save documents or other data to personal devices.
As another example, the company ought to ensure that personnel understand that hard copies of confidential information should be handled with at least the same degree of care off site as on site. If confidential information should be shredded on site, then it should be shredded at home. Employees should also take precautions to ensure confidential information is not left out in the view of family members or visitors.
Reminding Employees of Their Duty to Protect Confidential Information
It is important to mark confidential information in a manner that identifies it as such. This is often easy to do with hard copies of documents containing trade secret information, by simply stamping a document “confidential” or otherwise physically identifying it as such.
But as more and more of the access to such information moves to remote electronic access, companies must consider alternatives. An example of this would be to have an electronic alert such as a “pop-up” window that reminds an employee accessing trade secret information that it is confidential and that the employee has a duty not to disclose it.
Adjusting to new circumstances is never easy and ensuring that reasonable protections for confidential information are in place as employees are forced to work off site is no exception.
While it is a stressful time for both employers and employees, COVID-19 offers companies an opportunity to (re)assess their procedures for maintaining the confidentiality of their trade secrets, remind each worker of his or her duty to maintain that confidentiality and make sure that the proper procedures and infrastructure are in place to protect trade secrets and avoid mishandling, theft and misappropriation.