As the COVID-19 pandemic stretched across the globe, companies shifted to remote working environments and many reduced staff, all without much of an opportunity to prepare. The past two months have presented a serious threat to data security, including the most vulnerable financial data, personal data of employees and customers, and trade secrets. These risks cut across all sectors — financial services, industrial manufacturers, health care, and professional services. Recent experience confirms that an effective information security strategy should target these most-common threats: phishing, data sprawl, and employee mobility/redundancies.
How to Protect Your Company
Take a holistic approach to threat mitigation and data loss prevention in the face of increased risks. Such an approach must account for data protection, intellectual property (including trade secrets), and employment law. Here are the action items in these uncertain times to help address and mitigate the legal and regulatory risks:
Cybersecurity and Privacy
- Implement appropriate telework policies to address data privacy (e.g., remote monitoring and “bring your own device” policies) and cyber security hygiene (e.g., no using personal accounts for company information and no using shared accounts on computers).
- Restart and revamp your cybersecurity training and messaging and review and update your data breach response plan to address pandemic-related risks and scenarios, especially related to phishing attacks and cyber-hygiene.
- Document the updated policies, procedures, security controls, trainings, and mitigation measures put in place. This is essential for litigation readiness.
- Remind employees that they have specific obligations in terms of data privacy and security, as part of their work duties.
- Perform an impact assessment in order to find a reasonable balance between the need to protect data and information and the rights of employees.
Trade Secret Protection
- Make access to confidential information on a need-to-know basis for employees who require the data to further company business objectives.
- Provide updated notice to employees regarding the precise nature of any confidential information that they are accessing, including reiteration of the employee’s obligation to safeguard all confidential information and trade secrets from disclosure. Not only is this an effective reminder, but this notice can be used in the event of misappropriation to document your reasonable steps to secure information.
- Refresh confidentiality obligations for current employees. Departing employees should be considered an external third party, thus treated with the same confidentiality measures as any third party.
- Prepare to act quickly if you believe your trade secrets have been compromised, including immediate consideration of whether to pursue a seizure or alternative interim measures under applicable laws.
- Require departing employees to sign an acknowledgement of their ongoing obligations to maintain firm trade secrets; certifying their compliance; and confirming that they understand that any future violations will be subject to action under applicable laws.
- Require departing employees to return all of the company’s property, specifically materials containing confidential or trade secret information. To the extent permitted by applicable law, examine, through the company’s HR representative, whether any confidential or trade secret materials are on the employee’s personal email, cloud storage, personal USB or hard drives, or in hard copy at home, and require the return or deletion of any such materials and to confirm they did so.
- Immediately deactivate the departing employee’s email accounts, passwords, building key cards, or other access to company confidential information and trade secrets.
COVID-19 related phishing
A particular concern in the current environment is the significant increase in data sharing that is understandably occurring in the remote working environment. Think: file-sharing services, video conferencing, network connection for multiple personal devices, newly-deployed software, IT-generated exceptions to security protocols, and so on. Many of these well-intentioned vehicles for adapting out-of-the-office (and out of the secure network environment) create myriad opportunities for inadvertent data sharing.
While accidental data loss is a key concern, there are numerous other actors who stand ready and willing to take advantage of these IT weaknesses, including potential attackers and rogue employees.
COVID-19 related employee mobility
Another reality of the current environment is that employers are considering or implementing layoffs of key personnel who have accessed company confidential information or trade secrets. In the normal course, access to company data could essentially be shut off following an exit interview. Effective off-boarding of engineers, heads of R&D, sales managers, financial services, and others requires particular consideration in a remote environment. Companies must decide how to recover corporate devices, ensure hard and soft copy files are deleted, confirm whether the departing employee has downloaded or stored documents/data to personal devices and make an action plan where such activity is detected, and investigate what the employee has accessed during this remote working time period preceding termination. Complicated issues may arise for particularly high-risk employees, such as whether/how to verify that company data has been fully recovered and whether/how to confirm that an employee’s personal devices do not contain confidential or trade secret files.
The massive business disruptions in this sectors have been accompanied by attempts to phish, breach, or otherwise access data by an outside actor and concerns about controlling access to confidential information and trade secrets for departing employees. The remote work environment has also put employers in a tenuous position as they attempt to ensure that documents, data and devices are used in the proper way even if outside of work premises, where protective measures were duly addressed. In addition, documents, data and devices should be returned upon departure and continue to adjust and adapt to this shift of an entire workforce operating remotely.
Special thanks to the co-authors, Michael Egan, Christine Streatfeild and Francesca Gaudino.