In response to the COVID-19 outbreak, many businesses (particularly those in states or cities under "stay home" orders) have implemented a work-from-home ("WFH") directive for employees. It is important for businesses to address the security of their trade secrets in this new environment in order to reduce the risk of misappropriation. It is also important to reduce the risk that the trade secret status of information will be lost based on a failure to take reasonable steps to protect its secrecy. This article addresses some steps your business can consider taking to protect trade secrets accessible by employees who are now working at home. Even if your business had a WFH policy before the COVID-19 outbreak, it should be re-visited in light of the current circumstances flowing from a pandemic during which all or most of your workforce may be operating on a WFH basis. For example, what was once a "no trade secrets may be taken home" policy may be impossible in the current climate.
The following are a few potential steps for consideration to protect trade secrets in the hands of employees working at home:
- Repeatedly remind your workers that it is their responsibility to ensure that confidential information remains confidential while in their home worksites and that they should be constantly watching for potential vulnerabilities.
- Reiterate to employees that they are prohibited from transmitting or maintaining company confidential information except as authorized by the company and that includes personal email accounts, cloud accounts, social media, etc.
- Require your WFH workers to keep their homes locked to the extent that your confidential information is maintained there. Also tell them that, ideally, they should do their work in a room to which only they have access. If that is not possible, they need to be vigilant in not inadvertently giving others access to your confidential information (e.g., keep a "clean desk" to prevent others in their homes from viewing company trade secrets; be mindful not to have conference calls or video-chats about confidential information in the presence of others in their homes). This is true even if they think those others do not present a realistic risk of misappropriation (e.g., a friend or family member). Make your employees understand that, in addition to avoiding misappropriation, taking reasonable steps to protect secrecy is also critical since the company will not be able to protect information as a trade secret if it loses its trade secret status.
- If you anticipate your workers will verbally discuss confidential matters at their home office, request that home assistant devices (such as Google Home and Alexa) be turned off and out of earshot from the worker's home office or workspace. These devices are constantly listening to their environment.
- Prohibit workers from printing documents as much as reasonably practical while they work from home. To the extent that hard copy confidential materials are needed, tell your WFH workforce not to discard them in their ordinary trash and require them to retain all confidential documents in secure (locked) locations at their homes so they may be securely disposed of once your workforce returns to the office.
- If reasonably possible, direct your workforce to connect to your business's network as securely as possible, such as through a VPN. Consider requiring two-factor authentication for access to your business's VPN or remote network.
- Remind your WFH workers to password-protect their home WiFi system and to work with your IT personnel so that communications including confidential information are encrypted. Consider software that requires an email recipient to possess a designated digital signature to review messages and open attachments. This prevents the forwarding of trade secret information to email accounts beyond your business.
- If possible, consider prohibiting your workers from transmitting trade secret information via email altogether. Instead, permit access to trade secret information via secured shared drives with access rights limited to a need-to-access basis.
- Mandate that, with the assistance of your IT personnel, your WFH employees set their home computer screens to lock up after a set time period (e.g., 5 minutes) of non-use and require passwords to unlock the screens.
- Educate your workers about malicious emails, SMS messages, and other communications designed to infiltrate your business's network. Bad actors are taking advantage of the Coronavirus pandemic by sending emails and SMS messages regarding purported Coronavirus tips, maps, and other scare tactics to entice users to open malware. Remind your workers to only open messages from trusted sources and require your workers to report suspicious messages to your IT team. Admonish employees that if they open malware or a virus or have been hacked, they should contact your IT team immediately so that your business can attempt to do damage control as soon as is possible.
- If reasonably practical, limit trade secret materials to be used at home to those needed for current projects.
- Develop a system to account for all confidential information maintained at your workers' homes and, if appropriate for your business, create a check-out/check-in process for your workers to return such documents.
- If possible, implement a system that notifies your IT department whenever an employee downloads, copies, prints, or deletes a significant amount of data from your business's network. The activity may turn out to be legitimate, but it should be investigated.
- If reasonably practical, implement remote lock-out and wipe capabilities. These procedures permit your IT department to immediately lock an employee out of your network if the employee compromises your confidential information and to wipe all company data from a device if an employee misplaces a company device. These procedures could also be used if an employee become incapacitated.
- If possible, issue laptops to employees that have anti-virus/malware applications installed and that do not have USB ports to prevent unauthorized thumb drive downloads.
- Give your employees a specific "go to" person at the company, should they have any questions or concerns about working at home with company confidential information.
Also, remember that the protection of your trade secrets goes beyond the regulation of your immediate workforce. Consider asking outside vendors, suppliers, and outside professionals with access to your business's trade secrets what they are doing to protect your trade secrets during the COVID-19 pandemic if their personnel with access to your trade secrets are now working from home. If you receive an unsatisfactory response, take appropriate action.
There is no one-size-fits-all approach to protecting trade secrets. Instead, each business must assess what is "reasonable under the circumstances" to maintain the secrecy of its trade secrets. What may be reasonable to one business may not be reasonable for another (e.g., given the difference in size, sophistication, and resources). Thus, a business facing the current COVID-19 WFH environment should consult with its legal counsel to assess reasonable steps it should take to maintain the secrecy of its trade secrets during this unprecedented WFH period.
As you are aware, things are changing quickly and there is no clear-cut authority or bright line rules about what are reasonable steps to protect trade secrets in response to WFH during COVID-19. This article is not an unequivocal statement of the law, but instead offers some potential reasonable steps for consideration. This article does not address the potential impacts of the numerous other local, state and federal orders that have been issued in response to the COVID-19 pandemic, including, without limitation, potential liability should an employee become ill, requirements regarding family leave, sick pay and other issues.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.