May 26, 2020
This article was produced in partnership with Shannon Murphy, Winston & Strawn LLP.
Companies face an unprecedented new normal of remote working—whether that be for a few months or a long-term transition to having many, if not all, employees working remotely. For many companies, remote working at these levels is new and challenging; piecemeal before, but now widespread. A recent study and survey conducted in April (COVID-19 and Remote Work: An Early Look at U.S. Data) concluded that over one-third of the U.S. labor force switched from commuting to remote work.
This transition to remote work has forced—and will continue to force, at a rapid pace—new technology adoption (i.e., cloud-based storage and collaboration tools and videoconferencing). Rapid use of these new technologies has increased corporate risk, particularly when it comes to minimizing theft of corporate trade secrets. As companies move beyond merely making sure their employees can work remotely to considering the implications and risks of such work, they should ensure there are sufficient protections in place to protect their trade secrets, both in the short and long term. In fact, steps companies take (or fail to take) now can undermine their ability to seek legal protection for stolen information, including having that information cease to qualify as a “trade secret” under the law.
Below are ten key questions that companies should ask, and related practical guidance that they can follow, to safeguard and protect their trade secrets in a work-from-home environment.
1. DO EMPLOYEES UNDERSTAND WHAT CONSTITUTES A “TRADE SECRET”?
Issue: What constitutes a “trade secret” is a legal question, and what qualifies is much broader than most employees recognize. Many employees think only of quintessential trade secrets, like a secret formula or schematic, and do not realize the breadth of information the company has that constitutes valuable “trade secrets” and that needs to be protected. Among other things, many employees do not recognize “negative trade secrets,” which are the failed trials or earlier versions, or the fact that sometimes even a compilation of publicly available information can be a trade secret. This lack of understanding is particularly problematic given that it is the employees who are creating, saving, and disseminating trade secrets—thus, they are the front line of any company’s trade-secret protection program. And, when they are working outside the four walls of the corporate space, it becomes even more important that they understand what constitutes a trade secret and the importance of protecting that information.
Recommendations: Companies should deploy a robust, learning-based training program regarding trade secrets, and not just a cursory section in employee on-boarding. It is also important that policies and agreements do not use bland boilerplate language to describe “confidential” information generally, as an employee may contend in later litigation a lack of knowledge that something constituted a trade secret; or worse, may not actually understand what constitutes a trade secret and, therefore, not sufficiently protect it. If a company does not have a stand-alone trade-secret policy, this is a ripe time to produce one.
2. IS ACCESS TO INFORMATION BEING LIMITED ON A NEED-TO-KNOW BASIS?
Issue: Under the federal Defend Trade Secrets Act, state versions of the Uniform Trade Secrets Act, and the EU Trade Secrets Directive, a trade-secret owner must take reasonable measures to protect the information for the information to qualify as a trade secret. In fact, Winston & Strawn determined that more than 11% of contested federal trade-secret cases between 2008 and 2019 were dismissed because plaintiffs failed to take sufficient measures to protect the information. One of the key measures courts look at (which also minimizes the chance that theft occurs in the first place) is limiting access to the information on a need-to-know basis.
Recommendations: Companies should utilize both written security policies, and technical controls when implementing the policies, to limit access to information at the repository, file, or even document level to only employees who have a need to access it for their jobs, and audit those access rights periodically. As a first step, companies should identify the most-valuable categories of trade secrets and understand where and how those are stored, and ensure access to those sources is sufficiently limited. When transitioning resources to cloud-based architecture, many service providers offer features such as role-based access control and detailed auditing to ensure access to sensitive resources is appropriately restricted. Additionally, having clear protocols limiting where employees can save sensitive data (and conducting audits to ensure compliance) can prevent data from being overly accessible.
3. ARE EMPLOYEES RE-CERTIFYING UNDERSTANDING OF COMPLIANCE WITH SECURITY, TRADE SECRET, AND CONFIDENTIALITY POLICIES?
Issue: Many employees do not readily think about their obligations to protect trade secrets or comply with security policies, which decreases compliance. In fact, many companies only have employees sign agreements, policies, or handbook acknowledgments at the start of employment, along with numerous other documents, so such obligations can get lost in the shuffle. With the increased risks created by remote work, these obligations need to be front of mind, and companies need to have some reassurance that employees are meeting their obligations.
Recommendations: Companies should consider using the transition to work from home as an opportune time to send reminders about employees’ obligations, and have them re-affirm their understanding and compliance. Even better, employers would have annual re-certification of continued compliance. Sending out periodic reminders about these obligations—and their importance—can also increase awareness and compliance. These steps build a powerful record for any legal case if the company needed to file a theft-of-trade-secret suit down the road.
4. ARE EMPLOYEES USING FREE CLOUD-BASED STORAGE OR CLOUD-BASED COLLABORATION TOOLS?
Issue: If secure business solutions are not provided, employees will often find ways to circumvent restrictions to make their jobs easier and more efficient. For example, if a solution, such as Slack, is blacklisted by policies on their corporate laptops, employees can and have used their home computers to set up a free account to collaborate with their colleagues using that device. Often, free versions of software mine data within their environment to provide focused advertisements to their users. This could lead to intellectual property being leaked to third parties through their algorithms. Furthermore, free versions of software do not typically have discovery and legal hold utilities available, putting the enterprise at risk for spoliation in the event of a litigation.
Recommendations: Employers should ensure that employees are educated about the dangers of signing up for these free tools for corporate purposes. In addition, corporations should invest in providing enterprise solutions that employees require to conduct their business efficiently, while retaining control of their intellectual property.
5. ARE EMPLOYEES USING NON-SECURE, NON-SANCTIONED COMMUNICATIONS AND COLLABORATION PLATFORMS?
Issue: With the new work-from-home model, the use of video conferencing for meetings has skyrocketed. Employees have been signing up for free solutions, such as Zoom and HouseParty, for group chats. If not implemented securely, unauthorized access is possible and may result in IP leakage. Even if the corporation has provided a secure solution for video conferencing, poor security habits may risk exposing intellectual property to unauthorized participants. For example, a weekly departmental call that does not change the meeting ID and password regularly is exposed to departed employees who may have left the company for a competitor but can still access the call. This issue is further compounded by the large number of employees who may have been furloughed or made redundant due to the COVID-19 pandemic. These employees may be disgruntled, and if they still have access to weekly calls, they may be motivated to conduct corporate sabotage. Finally, many of the collaboration tools permit chat functions that can be saved, either locally or in the cloud. If your company has policies in place to not retain instant messaging, these stored chats may present additional risk.
Recommendation: Educating your employees to regularly change meeting IDs and passwords, and activating waiting rooms to permit the host to grant access to the call, are healthy security practices to mandate. In addition, providing a video conferencing solution that is stored on a private cloud and having default security protocols implemented, such as not storing instant messaging logs, should be considered.
6. ARE EMPLOYEES SHARING DATA WITH THIRD PARTIES IN A RESPONSIBLE AND PROTECTED WAY?
Issue: Many employees default to email or cloud-based sharing platforms to share information with third parties (especially when people are working remotely), particularly when operating under the misconception that a non-disclosure agreement operates as a sufficient legal safeguard. Such mechanisms, especially if done over personal accounts, can cause the company to lose control over its data and give a third party the ability to keep or disseminate the information.
Recommendations: Companies need to have clearly articulated protocols for third-party sharing and provide tools on which employees are educated. Such mechanisms should, when practicable, include secure transfer (such as through a password-protected FTP), limit the number of downloads, and have an expiration date. Companies should also “blacklist” or block disallowed transfer mechanisms so employees cannot download those applications.
7. ARE SECURITY POLICIES BEING DEPLOYED TO PROTECT DATA FROM OUTSIDE THREATS AND PREVENT THEFT BY EMPLOYEES USING PERSONAL COMPUTERS?
Issue: Employees are potentially using their own devices to work from home, which can be more vulnerable to outside attack than the company’s secure architecture. Also, copying and pasting sensitive and confidential data to external media is a common tactic used by trade-secret theft offenders.
Recommendation: A company should have security policies setting certain baseline requirements for remote employees’ devices and Wi-Fi settings, and have employees certify compliance. Implementing a domain-wide group policy to restrict writing to media connected via USB port can prevent copying and pasting to external media. Companies should also evaluate their VPN and remote-access protocols to determine what limitations a remote employee has in terms of being able to copy data outside that system to a local device.
8. ARE HARD COPY OR TANGIBLE TRADE SECRETS PROTECTED FROM EMPLOYEES’ ROOMMATES?
Issue: If an employee prints a document or has tangible trade secrets, like a prototype, at home, that creates risk that someone outside the company may view those trade secrets. This risk is particularly high when the employee has roommates, who could even be working for rival companies.
Recommendations: Companies should review any “clean desk” policies, if they exist, and bolster them (or draft them) to apply to work-from-home scenarios, including discouraging remote employees from printing confidential or trade-secret documents unless absolutely necessary, providing instructions for destruction, and directing employees regarding secure ways to store tangible company material, such as in a locked drawer. Companies should also consider equipping employees who have to print documents with tools, like shredders, to facilitate destruction.
9. ARE DEVICES BEING COLLECTED OR WIPED PROMPTLY (IDEALLY BEFORE TERMINATION) IN ALL CASES?
Issue: Prompt collection of devices and termination of access to company data when an employee resigns or is terminated is critical to minimizing the chance of theft, and to showing a court—if it proves necessary—that the company acted expeditiously, which a court would need to see before entering emergency relief. Remote work injects logistical hurdles into this process.
Recommendations: Companies should prepare a plan, with input from HR, IT, and business managers, to ensure prompt collection. When an employee is terminated, the company may have more control as, in many circumstances, it can determine when to alert the employee of the termination and can wait to do so until the device has been collected. For example, IT could request the employee return the device for a routine maintenance or upgrade prior to termination to ensure it is in the company’s control. In all cases, however, the company should require return immediately and continue to follow up until the device is returned, documenting such efforts.
10. DO THE PRODUCTS USED FOR EMAIL, DOCUMENTATION COLLABORATION, AND RELATED APPLICATIONS PROVIDE AN APPROPRIATE LEVEL OF VISIBILITY TO DETECT CYBER THREATS AND POTENTIAL THEFT BY REMOTE EMPLOYEES?
Issue: Most commercial SaaS (software as a service) products such as Microsoft 365 and G-Suite will offer logging capabilities for key events such as authentication and access; however, these features may not be enabled by default. Further, reading and understanding such log records often requires specific expertise in the SaaS product, the log records it produces, and the underlying architecture. When a cyber-security incident occurs, visibility into the infrastructure housing an organization’s trade secrets is vital to holistically investigate the event and assess the organizational risk.
Recommendation: Companies should ensure their SaaS products provide appropriate logging to enable effective and efficient cyber investigations as well as ensure that such capabilities have been enabled to record key events. In some cases, SaaS products will provide alert mechanisms to warn administrators of suspicious activity, such as logons from an unusual location (based on previous patterns of the user). However, some activity may not trigger alerts from the SaaS product but may well be associated with a suspicious event. As an example, consider the scenario of a user downloading dozens of sensitive documents from G-Suite just prior to submitting their resignation. Without comparing this event to the previous pattern of download activity for the user, this activity may go unnoticed as it wasn’t sufficiently anomalous to send an alert to the G-Suite administrator. Investigators with expertise in analyzing cloud-based platforms such as G-Suite and Microsoft 365 can help organizations ferret out anomalous activity that may otherwise go undetected.
Furthermore, monitoring technologies can be implemented to flag potential theft. Monitoring tools operate and run in real-time, correlate user behavior to pre-defined rules, and focus on suspicious activities that would be consistent with behaviors associated with data exfiltration. Typical areas of scrutiny are large downloads, attempts to access certain files, sending email to personal accounts, attempts to access blacklisted websites, or use of unapproved cloud-storage platforms. These diagnostic tools can run on an endpoint corporate laptop or desktop as a process like an anti-virus agent, or on a company’s hardware. Also, utilizing robust HR protocols, such as exit interviews, gives the company the ability to identify red flags and allows the company to initiate an investigation.
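As an added illustration of the baseline comparison described above (example code, not from the article or its authors): a small Python script that reads a constructed, simplified download-audit export and flags a user-day whose download count far exceeds that user's own earlier pattern, which is exactly the case a fixed per-event alert misses. The column layout, the `flag_bulk_downloads` function and its thresholds are assumptions; a real export from G Suite or Microsoft 365 would need its own parser.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample export (timestamp,user,event,document); the column
# layout is an assumption, not a real G Suite or Microsoft 365 schema.
SAMPLE_LOG = """\
2020-05-04T09:12:00Z,alice@corp.example,download,q1-forecast.xlsx
2020-05-05T10:01:00Z,alice@corp.example,download,vendor-list.docx
2020-05-06T11:20:00Z,alice@corp.example,download,roadmap.pptx
2020-05-07T08:45:00Z,alice@corp.example,download,meeting-notes.docx
2020-05-08T14:30:00Z,alice@corp.example,download,formula-v3.pdf
2020-05-08T14:31:00Z,alice@corp.example,download,formula-v2.pdf
2020-05-08T14:32:00Z,alice@corp.example,download,trial-results.xlsx
2020-05-08T14:33:00Z,alice@corp.example,download,customer-pricing.xlsx
2020-05-08T14:35:00Z,alice@corp.example,download,schematic-rev7.pdf
2020-05-08T14:36:00Z,alice@corp.example,download,supplier-terms.docx
2020-05-04T09:00:00Z,bob@corp.example,download,timesheet.xlsx
2020-05-04T09:05:00Z,bob@corp.example,view,timesheet.xlsx
2020-05-05T09:00:00Z,bob@corp.example,download,timesheet.xlsx
2020-05-06T09:00:00Z,bob@corp.example,download,timesheet.xlsx
2020-05-07T09:00:00Z,bob@corp.example,download,timesheet.xlsx
2020-05-07T09:10:00Z,bob@corp.example,download,expenses.xlsx
"""

def daily_download_counts(log_text):
    """Map each user to {day: number of download events}, days in order."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in filter(None, log_text.splitlines()):
        ts, user, event, _doc = line.split(",", 3)
        if event == "download":            # views, edits etc. are ignored
            counts[user][ts[:10]] += 1     # ts[:10] is the YYYY-MM-DD date
    return {u: dict(sorted(d.items())) for u, d in counts.items()}

def flag_bulk_downloads(log_text, min_history=3, ratio=3.0, floor=5):
    """Flag a user-day whose download count is at least `floor` and at least
    `ratio` times that user's mean over earlier active days. `min_history`
    earlier days are required so a new user is not judged on noise; days
    with no downloads are absent from the log, so the baseline is slightly
    generous rather than strict."""
    flagged = []
    for user, per_day in daily_download_counts(log_text).items():
        history = []
        for day, count in per_day.items():
            if len(history) >= min_history:
                baseline = mean(history)
                if count >= floor and count >= ratio * baseline:
                    flagged.append((user, day, count, round(baseline, 2)))
            history.append(count)
    return flagged
```

Calling `flag_bulk_downloads(SAMPLE_LOG)` reports only alice's six downloads on 2020-05-08 against her one-per-day baseline; bob's modest rise on 2020-05-07 stays below both thresholds.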
In short, the proliferation of remote work has created, and will continue to create, risks for trade-secret protection that can have long-term consequences. While trade secrets may not be front of mind under the current circumstances, actions companies take now can significantly impact the chance that secrets are stolen. This can lead to disruption and severe loss of competitive advantage and can determine whether valuable corporate information will legally constitute a “trade secret” in the future—a designation that, once lost, cannot be regained. Fortunately, as discussed in this article, there are practical, feasible, and scalable solutions that minimize these risks.