10 Questions Companies Should Address for a Remote-Work Environment
The proliferation of remote work has created, and will continue to create, risks for trade-secret protection with long-term consequences
June 26, 2020 at 03:17 PM
Companies face an unprecedented new normal—which may last for months or prove permanent—of a fully or partially remote workforce. This transition to remote work has forced rapid technology adoption (e.g., cloud-based technologies) and increased long- and short-term risk for trade-secret protection. Below are ten key questions that companies should ask, with practical guidance that they can follow, to safeguard and protect their trade secrets in a remote-work environment.
1. Do employees understand what constitutes a "trade secret"?
What constitutes a "trade secret" is broader than most employees recognize. This is problematic given that employees are the ones who create, save, and disseminate trade secrets.
Recommendations: Companies should deploy a learning-based, trade-secret training program, and not just a cursory section in employee on-boarding. Policies and agreements should not use boilerplate language to describe "confidential" information as it may not practically or legally put employees on notice. If a company does not have a stand-alone trade-secret policy, this is a ripe time to produce one.
2. Is access to information limited on a need-to-know basis?
Under U.S. federal, state, and EU law, a trade-secret owner must take reasonable measures to protect the information for it to qualify as a trade secret. Winston determined that more than 11% of contested federal trade-secret cases (2008–2019) were dismissed because the plaintiffs failed to take sufficient measures to protect the information. A key measure courts look at is whether access to information was limited.
Recommendations: Companies should utilize written policies obligating employees to share information only on a need-to-know basis and provide guidance on where to save information. Technical controls should be used to limit access to information on a need-to-know basis and should be audited periodically. When transitioning resources to cloud-based architecture, service providers do offer features like role-based access control and detailed auditing to ensure access to sensitive resources is restricted.
3. Are employees re-certifying their understanding of, and compliance with, security, trade-secret, and confidentiality policies?
With remote work, security, trade-secret protection, and confidentiality obligations need to be front of mind, and companies need reassurance that employees are meeting their obligations.
Recommendations: Employees should be reminded of their obligations and companies should require a re-affirmation of employee compliance; ideally, this would be updated annually. Periodic reminders of the importance of these obligations can both increase compliance and build a record for a future trade-secret theft case.
4. Are employees using free cloud-based storage or collaboration tools?
If secure business solutions are not provided, employees will circumvent restrictions to make their jobs easier and more efficient (e.g., if Slack is blacklisted on corporate laptops, employees might set up a free account to collaborate with their colleagues on a personal computer). Free versions of software may be outside of the company's view/control and create risk of IP leakage due to data being mined by the platform.
Recommendations: Companies should have policies and training on the use of free platforms, restrict unapproved programs on corporate devices, and provide enterprise solutions that employees need to work efficiently.
5. Are employees using non-secure communications platforms?
Video conferencing usage has skyrocketed with free solutions (Zoom, HouseParty) for group chats. Poor security habits expose IP to unauthorized participants.
Recommendation: Companies should mandate healthy security practices, such as educating employees to regularly change meeting passwords and activating waiting rooms so that the host grants access. Video conferencing solutions hosted on a private cloud with default security protocols, such as not storing instant messaging logs, should be considered. Organizations should monitor use of platforms for appropriate use and access.
6. Are employees sharing data with third parties in a protected way?
Employees default to email or cloud-based platforms to share information with third parties. Such mechanisms, especially if done over personal accounts, can cause the company to lose control over its data and give a third party the ability to keep or disseminate the information.
Recommendations: Companies need to clearly articulate protocols for third-party sharing, educate employees on those tools, and explain that the existence of an NDA is not sufficient protection. Such mechanisms could include: secure transfer (such as through a password-protected FTP), limited number of downloads, and expiration dates.
7. Are security policies being deployed to protect data from outside and internal threats to personal devices?
Employees' personal devices can be more vulnerable to outside attacks than a company's secure architecture. Copying and pasting sensitive and confidential data to external media is a common tactic used by trade-secret theft offenders.
Recommendation: Companies should have security policies with minimum requirements for employees' devices and Wi-Fi settings. Employees should certify compliance. Implementing a domain-wide group policy to restrict writing to media connected via USB port can prevent copying and pasting to external media. Companies should evaluate VPN and remote-access protocols to determine what limits are placed on a remote employee's ability to copy data outside that system to a local device.
8. Are hard copy or tangible trade secrets protected?
If an employee prints a document or has tangible trade secrets at home, someone outside the company may view them. This risk is high when the employee has roommates who could even be working for rival companies.
Recommendations: Companies should review "clean desk" policies and bolster them to apply to remote-work scenarios, including discouraging printing trade-secret documents. Companies should provide instructions for destruction, educate employees on secure ways to store tangible company material (such as in a locked drawer), and, where appropriate, provide tools like shredders.
9. Are devices being collected or wiped promptly?
Prompt collection of devices and termination of access to company data when an employee resigns or is terminated is critical to minimizing theft and protecting legal options. Remote work injects logistical hurdles into this process.
Recommendations: Companies should prepare a plan, with input from HR, IT, and business managers, to ensure prompt collection and termination of access, ideally before any termination occurs. Remote covert collection, such as requesting an employee return a device for maintenance/upgrade, can be used. Companies should consider having employees consent to a review of personal devices with company data through agreements/handbook provisions.
10. Do the enterprise applications provide visibility to detect cyber threats and potential theft by remote employees?
Flagging suspicious conduct and retaining logs of activity can help quickly detect, respond to, and contain theft.
Recommendation: Companies should ensure their SaaS products provide appropriate logging to enable effective and efficient cyber investigations, and ensure that such capabilities are enabled to record key events. Companies can also use monitoring technologies to flag, in real time, behavior that violates established rules (e.g., large downloads, emails to personal accounts, impossible travel).
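The three example rules named in this recommendation (large downloads, emails to personal accounts, impossible travel), sketched as detection logic over activity logs. This is an added example, not part of the original article; the event schema, thresholds, domain list, and sample events are assumptions constructed for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds and domain list; tune to the organization's own rules.
MAX_DOWNLOAD_BYTES = 500 * 1024 * 1024
MAX_SPEED_KMH = 900  # roughly airliner cruising speed
MIN_KM = 100         # ignore small jumps caused by imprecise IP geolocation
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}

# Constructed sample events in a hypothetical normalized schema (not real logs).
EVENTS = [
    {"ts": "2020-06-01T09:00:00", "user": "alice", "type": "login", "lat": 41.88, "lon": -87.63},
    {"ts": "2020-06-01T09:20:00", "user": "alice", "type": "download", "bytes": 2_000_000_000},
    {"ts": "2020-06-01T10:00:00", "user": "alice", "type": "login", "lat": 51.51, "lon": -0.13},
    {"ts": "2020-06-01T10:05:00", "user": "bob", "type": "email", "to": "bob.home@gmail.com"},
    {"ts": "2020-06-01T11:00:00", "user": "bob", "type": "email", "to": "counsel@example.com"},
    {"ts": "2020-06-01T12:00:00", "user": "bob", "type": "download", "bytes": 4_000_000},
]

def km_between(a, b):
    """Great-circle (haversine) distance in km between two login events."""
    lat1, lon1, lat2, lon2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(events):
    """Return (timestamp, user, rule) alerts for the three example rules."""
    alerts, last_login = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, kind = ev["user"], ev["type"]
        if kind == "download" and ev["bytes"] > MAX_DOWNLOAD_BYTES:
            alerts.append((ev["ts"], user, "large_download"))
        elif kind == "email" and ev["to"].rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS:
            alerts.append((ev["ts"], user, "email_to_personal_account"))
        elif kind == "login":
            prev = last_login.get(user)
            if prev:
                hours = (datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
                dist = km_between(prev, ev)
                # Flag when the distance could not be covered in the elapsed time.
                if dist > MIN_KM and dist > MAX_SPEED_KMH * hours:
                    alerts.append((ev["ts"], user, "impossible_travel"))
            last_login[user] = ev
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Geolocation derived from IP addresses shifts when employees connect through a VPN, so an impossible-travel alert is a prompt for review rather than proof of misuse.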
The proliferation of remote work has created, and will continue to create, risks for trade-secret protection with long-term consequences. While trade secrets may not be front-of-mind under current circumstances, actions companies take now can significantly impact the chance that secrets are stolen. Fortunately, there are practical, feasible, and scalable solutions that minimize these risks.
Shannon Murphy is a partner at Winston & Strawn, part of the firm's Global Privacy and Data Security Task Force, and handles trade secret audits, investigations, and litigation. Mark Clews, a senior managing director at Ankura, is an expert in digital forensics, electronic discovery, structured data and cybersecurity issues that arise in litigation and corporate investigations. Luke Tenery, a senior managing director at Ankura, is an expert in cybersecurity incident response and investigations, cybersecurity operations, security policy development and IT project management and implementation. John Stark, a managing director at Ankura, advises on accounting, economic, financial and data solutions to address issues in complex commercial litigation, corporate investigations and compliance risk management.