Practical Guidance on Protecting Trade Secrets While Working Remotely
Grow Your Business, Not Your Inbox
This piece was co-written by Boston area intellectual property lawyer Thomas McNulty.
It is widely reported that the rate of remote work has been steadily increasing across many sectors of the economy. Recent events have made many of these arrangements a necessity, and several tech companies have even announced that most employees can work from home permanently. Some employers, however, are beginning to challenge this trend. The Wall Street Journal has noted that a number of executives feel remote work results in delayed projects, difficulties with training, hiring and onboarding new employees.
Another important consideration regarding remote working — frequently overlooked by businesses in general, and even more so in the present context — is protecting confidential and proprietary information. As technology has improved to the point that people can access their company’s data from virtually anywhere in the world, businesses should be taking steps to ensure that their confidential and proprietary information and trade secrets are not stolen or inadvertently made public through a remote connection.
Trade secret law mandates that trade secret holders take reasonable measures to protect their confidential and proprietary information. The “reasonableness” of the steps taken is determined on a case-by-case basis and depends on the circumstances — for example, a large corporation with in-house legal and IT departments would generally need to have taken more stringent measures to sufficiently protect confidential and proprietary information than smaller entities and startups. While companies may have implemented policies and procedures to protect confidential and proprietary information in the workplace, many have not given full consideration to the steps necessary to extend this protection to the remote workspace.
Protecting trade secrets where employees work remotely implicates at least three distinct issues: security and integrity of data networks and communications systems; security of employees’ remote workplaces; and retrieving sensitive data and preventing its misappropriation when employment ends.
Data network and communication system security
Companies should consider the employees’ homes to be an extension of their data networks and communications systems when designing security procedures. If an employee can access a company’s confidential and proprietary information, the security of that information is only as good as the security of the employee’s computer and wireless network. Accordingly, companies should institute policies to secure the ways that employees handle information from their homes.
A first step is to provide company-owned computers to employees and require that they work exclusively on these computers. This allows for the installation of all virus protection software, firewalls, and the like deemed necessary by the company. Employees should be connecting through a secure, encrypted network, such as a VPN, to connect to the company’s networks. This permits secure, encrypted connections and avoids connection from devices that are not under the company’s direct control. All computers and any other devices permitted to be used (smart phones, external hard drives and the like) should be password-protected, and two-factor authentication should be considered, at least for access to particularly sensitive information. Access to information should be limited only to those who legitimately have need to use it during the period that they will be working remotely, and access logs should be established to document which employees have accessed which particular documents.
Security of remote workplaces
As employees’ homes are effectively now an extension of many workplaces, companies should endeavor to ensure the secrecy of its information there as well as in the office. All devices that access a company network should be password protected, whether they are company devices or devices owned by the employee, and minimum antivirus and firewall protections should be required. Companies should require that employees password-protect their wireless connections, setting specific password requirements in terms of length and different character types. Additionally, restrictions should be placed on passwords. No use of family names, phone numbers, birthdays or other readily-obtainable information should be used — a surprising amount of this type of information can be easily obtained through Facebook accounts or the like. Wireless routers should be set to the most secure type of encryption, currently WPA2; routers capable of such encryption might be provided where employees do not have them. A regular schedule for changing passwords should be established, both for the router and for the computers or other devices that will access the company networks. Encourage password managers to allow for complex password usage.
The remote office should also be physically protected. Employees should be required to log out of the system and close out any open documents when not working, and computers should be set up to lock out users after a relatively short period of inactivity. All forms of sensitive information, paper or electronic, should be kept under lock and key to the fullest extent possible, to prevent access from family, roommates, visitors, cleaning people or others who may be on the property.
Meetings are now taking place via videoconference with greater frequency. Steps should be taken to ensure the security of these meetings. Access should be limited to invitees and restricted to those entering an access code and a password if possible. The particular platform for virtual meetings should be vetted to ensure that it meets minimal security standards, and the platform software should be upgraded regularly to ensure that the latest security features are installed. Virtual waiting rooms should be employed whereby people cannot access a meeting until the host specifically authorizes them. When participants are on a videoconference, they should ensure that no confidential material is visible to the camera. Screen sharing should be limited, and those doing so should close out all applications other than the one in use, to avoid displaying incoming e-mails, unshared but visible tab headings and the like. Employees should find a private location from which to participate, where the conversation cannot be overheard, and should consider using headphones and personal microphones to avoid excessive volume. All electronic devices which might overhear or record the conversation, such as Siri or Alexa devices, baby monitors, and television remotes that include microphones, should be turned off. The ability to record these conferences should be disabled or limited to the discretion of the host (although if the host chooses to record, make sure that all participants are aware at the outset of the call).
Companies should educate employees on all such policies enacted, preferably with an acknowledgement in writing that the employee has been informed and understand their obligations. Reminders should be issued on a regular basis.
End of employment
Trade secret misappropriation often occurs when current employees leave employment — whether terminated, laid-off, furloughed or those who leave for new opportunities. In each of these situations, there is risk that the ex-employee will seek to copy sensitive information for use in his or her future employment, whether with a different company or in forming a new entity that will be competitive with the previous employer. Further, should a remote employee become ill or incapacitated, or should they pass away, you will want the ability to ensure that whatever data that employee had cannot be accessed by others.
Ideally, you will already have employment agreements that include confidentiality and non-disclosure provisions and (where appropriate) non-compete clauses, at least with key employees. As more employees work remotely, employment agreements with these provisions should be considered for all employees who have access to any sensitive, confidential, proprietary, or trade secret information from outside of the office, regardless of their particular role or seniority — ensure that agreements are in place from executives to assistants. To the extent that these clauses are not in place, employees can be presented with new agreements to impose these requirements. The legal requirements for new agreements of this type to be upheld are numerous and vary from state-to-state, particularly with respect to noncompetition clauses.
As mentioned above, remote employees will preferably be working exclusively on company computers and not on their personal computers. To protect against misappropriation, these company computers can be equipped with software that the company can use to remotely lock out users or delete information, without need for input or permission from the employee. At a minimum, computers should be set up to prevent off-loading of data, such as the disablement of USB ports. You should also be able to track the particular data that employees have accessed, and know whether any such information has been moved to a non-network location, such as memory sticks, external hard drives, or even the local drive of the employee’s computer. While this may not prevent misappropriation, the evidence of access should serve as a deterrent to trade secret theft, as well as assist in dealing with misappropriation if and when it should occur.
Employees who leave employment should be notified promptly, in writing and in a fashion that confirms the receipt thereof, of their continued obligations of confidentiality and their need to return all company equipment and information. While in-person exit interviews may not be an option, a videoconference can be used in its place. It may be desirable to record these exit interviews, to serve as further evidence that the company took all reasonable steps to protect its confidential and proprietary information. If you choose to do so, however, note that many jurisdictions have laws that prevent recordings of electronic communications unless both parties to the conversation consent to the same. Further, where the employee is located in a different state than the company, questions of which jurisdiction’s law will apply will arise.
As businesses begin to recognize and make efforts to address the many downsides of a remote workforce, they should also understand that there is much to consider with regard to protecting trade secret information. Dispersed employees create multiple offices to manage and provide multiple contacts for third parties to access and potentially misappropriate confidential and proprietary information of the company. In this challenging environment, a renewed understanding of and focus on “reasonable steps” is necessary to protect and potentially enforce trade secrets against misappropriation.