10 Questions Companies Should Address for a Remote-Work Environment
The proliferation of remote work has created, and will continue to create, risks for trade-secret protection with long-term consequences
June 26, 2020 at 03:17 PM
Companies face an unprecedented new normal—which may last for months or prove permanent—of a fully or partially remote workforce. This transition to remote work has forced rapid technology adoption (e.g., cloud-based technologies) and increased long- and short-term risk for trade-secret protection. Below are ten key questions that companies should ask, with practical guidance that they can follow, to safeguard and protect their trade secrets in a remote-work environment.
1. Do employees understand what constitutes a "trade secret"?
What constitutes a "trade secret" is broader than most employees recognize. This is problematic given that employees are the ones who create, save, and disseminate trade secrets.
Recommendations: Companies should deploy a learning-based, trade-secret training program, and not just a cursory section in employee on-boarding. Policies and agreements should not use boilerplate language to describe "confidential" information as it may not practically or legally put employees on notice. If a company does not have a stand-alone trade-secret policy, this is a ripe time to produce one.
2. Is access to information limited on a need-to-know basis?
Under U.S. federal, state, and EU law, a trade-secret owner must take reasonable measures to protect the information for it to qualify as a trade secret. Winston determined that more than 11% of contested federal trade-secret cases (2008–2019) were dismissed because the plaintiffs failed to take sufficient measures to protect the information. A key measure courts look at is whether access to information was limited.
Recommendations: Companies should utilize written policies obligating employees to share information only on a need-to-know basis and provide guidance on where to save information. Technical controls should be used to limit access to information on a need-to-know basis and should be audited periodically. When transitioning resources to cloud-based architecture, service providers do offer features like role-based access control and detailed auditing to ensure access to sensitive resources is restricted.
3. Are employees re-certifying their understanding of, and compliance with, security, trade-secret, and confidentiality policies?
With remote work, security, trade-secret protection, and confidentiality obligations need to be front of mind, and companies need reassurance that employees are meeting their obligations.
Recommendations: Employees should be reminded of their obligations and companies should require a re-affirmation of employee compliance; ideally, this would be updated annually. Periodic reminders of the importance of these obligations can both increase compliance and build a record for a future trade-secret theft case.
4. Are employees using free cloud-based storage or collaboration tools?
If secure business solutions are not provided, employees will circumvent restrictions to make their jobs easier and more efficient (e.g., if Slack is blacklisted on corporate laptops, employees might set up a free account to collaborate with their colleagues on a personal computer). Free versions of software may be outside of the company's view/control and create risk of IP leakage due to data being mined by the platform.
Recommendations: Companies should have policies and training on the use of free platforms, restrict unapproved programs on corporate devices, and provide enterprise solutions that employees need to work efficiently.
5. Are employees using non-secure communications platforms?
Video conferencing usage has skyrocketed with free solutions (Zoom, HouseParty) for group chats. Poor security habits expose IP to unauthorized participants.
Recommendation: Companies should mandate healthy security practices, such as educating employees to regularly change meeting passwords and activating waiting rooms so that the host grants access. Video conferencing solutions hosted on a private cloud with default security protocols, such as not storing instant messaging logs, should be considered. Organizations should monitor platforms for appropriate use and access.
6. Are employees sharing data with third parties in a protected way?
Employees default to email or cloud-based platforms to share information with third parties. Such mechanisms, especially if done over personal accounts, can cause the company to lose control over its data and give a third party the ability to keep or disseminate the information.
Recommendations: Companies need to clearly articulate protocols for third-party sharing, educate employees on those tools, and explain that the existence of an NDA is not sufficient protection. Such mechanisms could include: secure transfer (such as through a password-protected FTP), limited number of downloads, and expiration dates.
7. Are security policies being deployed to protect data from outside and internal threats to personal devices?
Employees' personal devices can be more vulnerable to outside attacks than a company's secure architecture. Copying and pasting sensitive and confidential data to external media is a common tactic used by trade-secret theft offenders.
Recommendation: Companies should have security policies with minimum requirements for employees' devices and Wi-Fi settings. Employees should certify compliance. Implementing a domain-wide group policy to restrict writing to media connected via USB port can prevent copying and pasting to external media. Companies should evaluate VPN and remote-access protocols to determine what limitations a remote employee has to copy data outside that system to a local device.
8. Are hard copy or tangible trade secrets protected?
If an employee prints a document or has tangible trade secrets at home, someone outside the company may view them. This risk is high when the employee has roommates who could even be working for rival companies.
Recommendations: Companies should review "clean desk" policies and bolster them to apply to remote-work scenarios, including discouraging printing trade-secret documents. Companies should provide instructions for destruction, educate employees on secure ways to store tangible company material (such as in a locked drawer), and, where appropriate, provide tools like shredders.
9. Are devices being collected or wiped promptly?
Prompt collection of devices and termination of access to company data when an employee resigns or is terminated is critical to minimizing theft and protecting legal options. Remote work injects logistical hurdles into this process.
Recommendations: Companies should prepare a plan, with input from HR, IT, and business managers, to ensure prompt collection and termination of access, ideally before any termination occurs. Remote covert collection, such as requesting an employee return a device for maintenance/upgrade, can be used. Companies should consider having employees consent to a review of personal devices with company data through agreements/handbook provisions.
10. Do the enterprise applications provide visibility to detect cyber threats and potential theft by remote employees?
Flagging suspicious conduct and retaining logs of activity can help quickly detect, respond to, and contain theft.
Recommendation: Companies should ensure their SaaS products provide appropriate logging to enable effective and efficient cyber investigations, and ensure that such capabilities are enabled to record key events. Companies can also use monitoring technologies to flag, in real time, behavior that violates established rules (e.g., large downloads, emails to personal accounts, impossible travel).
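The three rules named in the recommendation above (large downloads, emails to personal accounts, impossible travel), sketched as an added Python example that is not part of the original article. The event fields, thresholds, and personal-domain list are assumptions, and the sample events are constructed.

```python
import math
from datetime import datetime

# Assumed thresholds and domain list; tune to the organisation's own policy.
MAX_DOWNLOAD_BYTES = 500 * 1024**2      # flag single downloads above 500 MiB
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
MAX_SPEED_KMH = 900                     # faster than a commercial flight

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * math.asin(math.sqrt(h))

def flag_events(events):
    """Return (user, rule, time) alerts for a time-ordered list of audit events."""
    alerts, last_login = [], {}
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["type"] == "download" and e["bytes"] > MAX_DOWNLOAD_BYTES:
            alerts.append((e["user"], "large_download", e["time"]))
        elif e["type"] == "email":
            domain = e["to"].rsplit("@", 1)[-1].lower()
            if domain in PERSONAL_DOMAINS:
                alerts.append((e["user"], "email_to_personal_account", e["time"]))
        elif e["type"] == "login":
            prev = last_login.get(e["user"])
            if prev:
                hours = max((t - prev[0]).total_seconds() / 3600, 1 / 3600)  # floor at 1 s
                dist = km_between(prev[1], e["geo"])
                if dist > 50 and dist / hours > MAX_SPEED_KMH:  # ignore geo-IP jitter
                    alerts.append((e["user"], "impossible_travel", e["time"]))
            last_login[e["user"]] = (t, e["geo"])
    return alerts

# Constructed sample events (not real logs).
SAMPLE = [
    {"time": "2020-06-01T09:00:00", "user": "alice", "type": "login", "geo": (41.88, -87.63)},
    {"time": "2020-06-01T09:30:00", "user": "alice", "type": "download", "bytes": 2 * 1024**3},
    {"time": "2020-06-01T10:00:00", "user": "alice", "type": "login", "geo": (51.51, -0.13)},
    {"time": "2020-06-01T10:05:00", "user": "bob", "type": "email", "to": "bob.home@gmail.com"},
    {"time": "2020-06-01T10:10:00", "user": "bob", "type": "email", "to": "counsel@partner.example"},
    {"time": "2020-06-01T11:00:00", "user": "bob", "type": "download", "bytes": 4096},
]

if __name__ == "__main__":
    for alert in flag_events(SAMPLE):
        print(alert)
```

Geo-IP locations shift when employees connect through a VPN, so an impossible-travel alert is a prompt for review rather than proof of account misuse.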
The proliferation of remote work has created, and will continue to create, risks for trade-secret protection with long-term consequences. While trade secrets may not be front-of-mind under current circumstances, actions companies take now can significantly impact the chance that secrets are stolen. Fortunately, there are practical, feasible, and scalable solutions that minimize these risks.
Shannon Murphy is a partner at Winston & Strawn, part of the firm's Global Privacy and Data Security Task Force, and handles trade secret audits, investigations, and litigation. Mark Clews, a senior managing director at Ankura, is an expert in digital forensics, electronic discovery, structured data and cybersecurity issues that arise in litigation and corporate investigations. Luke Tenery, a senior managing director at Ankura, is an expert in cybersecurity incident response and investigations, cybersecurity operations, security policy development and IT project management and implementation. John Stark, a managing director at Ankura, advises on accounting, economic, financial and data solutions to address issues in complex commercial litigation, corporate investigations and compliance risk management.