Remote Work Presents Risks to Proprietary Information

Legal protection of trade secrets under both the Uniform Trade Secrets Act (UTSA) and the federal Defense of Trade Secrets Act (DTSA) depends on whether a company has taken “reasonable measures” to safeguard the secrecy of the information. Many companies satisfy this obligation by implementing policies that control access to the systems where sensitive information is used and stored, and by initiating IT security measures.

With millions of American workers hastily shifting to a remote-work arrangement during the Covid-19 pandemic, employers must be mindful of the risks to proprietary information presented by this changed work environment. They can take several steps to safeguard their data:

Revisit policies.  Policies and protocols that were drafted premised on restricted use of trade secret information on the employer’s premises will need to be reviewed and revised. Without revisions, an employer could be perceived to be negligent or selective in its enforcement of safeguards.

If employees are being permitted to perform work from personal computers, or if firewalls have been disabled to permit remote work, employers should consider prohibiting the sending or storing of confidential company information on personal email accounts, portable storage devices, or personal cloud accounts.

Guard the home office.  Remind the workforce that their contractual obligation to ensure that confidential information remains confidential applies equally at their remote worksite. Employers may want to provide employees with guidance or directives about where work involving trade-secret information can be performed. Depending on the sensitivity of the information, employers could require all work to be done in a room to which only the employee has access or that all information be locked away.

With the new popularity of videoconference meetings, employees should be mindful of trade-secret information in the background that may be visible to outsiders. This risk is amplified if a spouse or partner also shares the workspace and is not aware of what is or is not considered to be confidential. Employers might also recommend that hard copies of documents that employees take home or print while at home be shredded or disposed of properly when the employee returns to office.

Be mindful of departing employees.  Traditionally, a large proportion of trade secret misappropriation involves departing employees taking proprietary information with them. The exit interview for a departing employee is the best opportunity to recover all company property, to remind the employee of their ongoing confidentiality and other contractual obligations, and to ensure that the employee has taken adequate steps to search for and return all company information in their possession.

With the large increase in the number of employees being furloughed or laid off in the weeks following the enactment of the stay-at-home orders, exit interviews were excused in some cases, or became cursory. The challenges of terminating an employee who is remote, including the return of company property, must be fully considered. While laptops can be shipped back, it is critical to take steps to ensure that the employee has returned or destroyed hard copies of materials and has searched for deleted confidential information on personal devices or in cloud-storage accounts.

In this chaotic environment, employers may forget to disable the workers’ access to company systems, shared drives, or outside account access to databases such as Salesforce.

Work with IT to strengthen safeguards.  It has been reported widely that phishing and related cyberattacks increased when the remote-work arrangements commenced. With the assistance of IT professionals, companies may wish to implement additional protocols to ensure that trade secret information is not unwittingly compromised:

• Changing settings of company-issued or personal computers to lock the screen after a short period of non-use.
• Requiring all work to be done on the company’s secured network, such as via VPN.
• Requiring employees to password-protect their home Wi-Fi system.
• Prohibiting transmission of confidential or trade-secret information, and instead using shared drives or cloud accounts that the employer sets up, with access rights limited to a need-to-access basis.
• Increasing training and reminders to employees about malicious emails and other security-compromising tactics.
• Implementing remote lockout and wipe capabilities to company devices, should they be misplaced or stolen.

Each company must assess what practices suggested above are “reasonable under the circumstances” to maintain the integrity of its trade secrets, taking into account how work is performed. There are some suggestions that might be stifling to productivity, while others may be cost-prohibitive. What may be reasonable to one business may not be reasonable for another. Instead, the recommendation is to think about many of the safeguards that are in place at the office and how the remote work environment has rendered those safeguards less effective.

Even in jurisdictions that are reopening, employers should consider the issues presented above and formulate a plan to ensure that confidential information and materials follow the employees from home back into the office.

See also:

• Impostor Fraud: A Cyber Risk Management Challenge
• Managing Risk in the Cloud: A Guide for Corporate Treasurers
• Arming Corporate Treasurers for Cybercrime Combat
• Who’s Legally Liable for a Risk Management Failure?

Koray Bulut is a partner in the employment group at Goodwin who focuses his practice on employment law, with an emphasis on litigation matters.

From: BenefitsPro