Companies are permitting (or requiring) employees to work remotely right now in response to COVID-19 concerns. This decision, calculated to minimize certain risks, presents new and wide-ranging concerns for the protection of trade secrets. In this “temporary” working remotely environment, employees will have considerable opportunity to access, download, or store sensitive information from company systems and databases. Have you vetted these circumstances or otherwise addressed their use? Think – home printers? Cell phones? Tablets? Personal email accounts? Working in public places such as libraries and coffee shops? Companies may also be inclined to relax otherwise well thought out document management rules or allow for workarounds from the usual security measures in the interest of business continuity. In such an environment, employees may make assumptions that they have wider latitude to email, copy, send, print, or download information, given the circumstances. Compounding these insider risks are a series of unknowns, such as whether your employees’ home networks have security anywhere near on par with in-office network security that could allow outsiders to intrude or access data.
Trade secret litigation has grown exponentially in the United States, in part due to the passage of the Defend Trade Secrets Act (18 U.S.C. § 1836, et seq.) in 2016, and in response to the incredible value embodied in companies’ customer lists, knowhow, processes, formulas, business strategies, salary structures, and numerous other forms of intellectual property. If information is valuable, kept secret, and derives value from its secrecy, then it can be a protectable trade secret — as long as the company puts in place reasonable measures to maintain the secrecy.
Whether your company has a sophisticated trade secret protection plan in place or not, the current work environment will stress policies and procedures. Employees pose the biggest threat to securing a company’s valuable IP, and several remote-working concerns raise long-term policy questions to be addressed over time. But, the action items can’t all wait until a calmer moment. Consider the following immediate steps as your company reacts to recent events.
1. Communicate current obligations and requirements in the remote working environment
If you have a robust work-from-home policy, review it now with a specific focus on maintaining your company’s most valuable secrets. If you do not have such a policy, implement something immediately, even if it is temporary. Set clear expectations on what information the business considers to be confidential or trade secrets and what particular steps employees are required to follow when using or accessing that information. Not only does it make business sense to keep employees on notice of company policies and procedures, but federal case law under the DTSA has made clear that employees can only be held to trade secret obligations where they are specific and clear, such that employees are “on notice” of the trade secrets.
2. Do you have access to third party trade secrets? Be particularly vigilant
Whether you are a supplier who manufactures to a confidential specification or you are a franchisee with a license to trade secreted knowhow, pay special attention to your obligations and duty of care as you deploy remote workers. Review your agreements or licenses with third parties to ensure that you have rights to operate the business differently with respect to their confidential data. Seek written confirmation up front where there is ambiguity about your employees’ ability to work off-site or access data remotely. A growing number of US disputes relate to information leakage from suppliers, vendors, and third parties, where the damages can be significant. Before you authorize your employees to carry on, give careful thought to what information you own and control and what you do not. Such steps could be critical in avoiding misuse claims down the road.
3. Remind your contracting parties who have access to your own trade secrets of their confidentiality and operational obligations
For many industries, the unauthorized disclosure of trade secrets, and the damage it causes to a business, may not be adequately recompensed by a damages award (not to mention the disruption and cost of any such proceedings). If you have valuable trade secrets that are licensed or accessible to third parties, this may be the time to remind those parties of their obligations in relation to the treatment of this information and inquire as to their security procedures during this period of time where remote working is being commonly put in place.
4. Enact more stringent access policies wherever possible
Establish a protocol for approvals of new or heightened levels of access to information. Ensure that the protocol takes into account whether such access is necessary, particularly when the information is highly valuable. (If you haven’t already, now is the time for an initial assessment of your trade secrets to catalog them and allow you to confirm the data that should be “need-to-know”.) Make clear that any exceptions to general access rules are time limited and actively enforce these limitations. Consider use of technology that allows for review without the ability to download or print documents. Similarly, consider options for monitoring access and evaluating technical infrastructure.
5. Establish a cross-department team to lead confidential data management
Set up a team tasked with data management, including with trade secret expertise. Hold targeted trainings for employees and put out specific communications that are practical, instructive, and clear on employees’ responsibilities, taking into account differences in roles and access to information. Use the team to audit responses and elevate issues, which will be necessary if this situation persists.
6. Document your steps
Trade secret claims often turn on whether a company took reasonable steps to protect the highly valuable information. Documenting your detailed and effective steps in real time will provide another piece of evidence that the company has a legally protectable trade secret.
These are unprecedented times, but the trade secret case law from the federal circuit courts provides a roadmap on sufficient “reasonable measures” in your industry. Take the time now to review your employee agreements, policies, and procedures to ensure that you are aligned with recent case law. Further consider whether your company has fully contemplated the risks of a remote working environment with respect to trade secrets.
Special thanks to the co-author, Christine Streatfeild.