Keeping Your Trade Secrets Secret – Reasonable Measures for Unreasonable Times
As businesses adjust to the new reality of shelter-in-place orders compelling non-essential employees to conduct a growing amount of work at home, the exposure risk to businesses’ trade secret and other confidential information has increased exponentially.
The presence of smart speakers in home workspaces; employees’ use of unsecure file-transfer services, personal e-mail accounts, social media, and instant and text message accounts to interact with clients, customers, and vendors; and shared workspaces with roommates or family members all, at best, weaken businesses’ efforts to protect the secrecy of their confidential information. At worst, these factors represent potential breaches of confidentiality or secrecy that put businesses’ trade secret information at risk. This alert examines the primary risk areas for companies forced to operate remotely in the midst of the COVID-19 crisis and provides recommendations through which they can shore up their existing trade secret protections.
Protecting Trade Secrets and Other Confidential or Proprietary Information
1. Trade Secret Information Defined
A trade secret, as defined by the federal Defend Trade Secrets Act and the Uniform Trade Secrets Act (the latter of which has been adopted in some form by all states except New York and North Carolina) is information that: (1) derives independent economic value, actual or potential, from not being generally known to, or readily ascertainable by, other people who can obtain economic value from its disclosure or use; and (2) is subject to reasonable efforts to maintain its secrecy.
A trade secret is distinct from other confidential or proprietary information because it is information not generally known or ascertainable within a given industry and provides commercial value to the business that owns it. Thus, trade secrets encompass proprietary techniques or methods, common examples of which include the recipes for Coca Cola or Kentucky Fried Chicken, Google’s search algorithm, and secret client lists. While the economic value derived from the trade secret’s secrecy is essential for satisfying the statutory definition of a trade secret, equally important is the owner’s efforts main that secrecy.
2. Satisfying the “Reasonable Under the Circumstances” Standard
When it comes to protecting trade secret information, the owner must use “reasonable efforts” to keep it secret. This loose standard offers flexibility by design, such that what is “reasonable” hinges on the nature and quantity of the trade secrets and further depends on the composition of the business; specifically, its size and overall sophistication, the number of locations, and the resources available to it. Thus, what is “reasonable” for a Fortune 500 corporation will not match what is “reasonable” for a startup with a handful of employees. In the same vein, a business’s “reasonable efforts” when confronted by the COVID-19 pandemic and the mandatory shelter-in-place orders issued by states and localities may be judged differently than they would have been two months ago (or than they will be when those orders are lifted).
Steps Businesses Can Take to Protect Their Trade Secrets During the COVID-19 Crisis
The first step for many businesses will be to establish a work-from-home policy that emphasizes trade secret protection, or to reevaluate existing policies that meet this goal. Even though many companies were already operating across cities, countries, and the globe, the challenges presented by the abrupt transition of entire workforces to working remotely are acute and unprecedented. Preexisting work-from-home policies, designed for normal circumstances, likely do not account for the unique risks and challenges created by the COVID-19 crisis. While these policies must balance a number of competing interests, businesses should employ the following protocols to protect their trade secrets and other confidential information.
1. Distribute, Remind, Repeat
Regularly distribute confidentiality reminders and bulletins encouraging recipients’ vigilance while working from home. Include in those reminders and bulletins the contact information of a designated person (or persons) who will consistently answer questions from, and field the threat concerns of, individuals working with your business’s trade secret and other confidential information at home.
2. Limit or Ban the Use of Personal Devices or Accounts for Company Business
Emphasize prohibitions and/or limitations on employees’ use of personal devices to conduct company business, especially with regard to communications discussing or referencing trade secret information. Even if employees, contractors, or vendors temporarily access or store such information on personal devices and delete it after returning to the office, backups of that information could linger indefinitely in personal data archives or external backup drives, including iCloud, Time Machine, and other automatic local and cloud-based backup systems.
3. Maintain Secure Workspaces
Require employees to keep their homes secure and locked at all times, particularly the room or areas in which they are working. In situations where the latter is not possible, implement or remind employees of existing clean-desk policies. Further, have your business’s IT department enable automatic screen locking on all company devices or log-out functions for remote servers after short periods of inactivity, requiring the entry of a username and password (and, if possible, multi-factor authentication) to regain access. Finally, instruct employees to remove or unplug smart speakers located within earshot of confidential calls; and require that employees take calls in areas separate from others staying in their home, including family members.
4. Restrict Transportation and Printing of Hard-Copy Documents Outside the Office
Restrict employees’ ability to print documents or disable printing altogether, particularly for documents containing or describing trade secrets. Instruct employees to maintain hard copies of confidential documents in a secure location until they can be returned to the office. Similarly, require that discarded copies of documents be retained in a locked cabinet or drawer for secure disposal (i.e., confidential shredding) once your office reopens.
For documents taken from the office, implement a check-in/check-out log to maintain an inventory of documents to be returned and to ensure they are in fact returned when your office reopens. Similarly, implement a notification system that alerts your business’s IT department or designated contact whenever anyone downloads, copies, prints, transfers, or deletes sensitive data or key trade secret documents. Monitor and investigate all such actions, even when they appear to be accidental or innocent.
5. Secure Business Networks and Devices
Instruct employees to add password protection to their home Wi-Fi networks. For an added layer of protection, require that company devices be connected to your business’s virtual private network (VPN) at all times and implement two-factor authentication to log in to the business’s VPN or remote networks. Further, request that IT push anti-virus and malware software to company laptops and other devices and disable USB and other external ports on company laptops to prevent the unauthorized exporting of trade secret and other confidential/proprietary information to thumb drives or external hard drives.
6. Limit the Transmission of Documents and Include Secondary Protections that Prevent Unintended Recipients from Accessing Them
While businesses could ideally prohibit the transmission of trade secret or other confidential information or documents via e-mail or other file-transfer mediums outside the office, this prohibition may be unrealistic under the current circumstances. However, implementing additional protections requiring an e-mail recipient to have a specific IP address or a unique digital signature to review messages and open attachments will prevent e-mails and attachments sent to the wrong recipient, intentionally or accidentally, from being opened and the trade secrets contained therein from being compromised.
Further, businesses should limit access to confidential information to individuals on a need-to-know or need-to-access basis, such as granting access only to the relevant trade secrets needed for a specific project and the individuals on that team. If possible, make the trade secret or other confidential information accessible only in collaborative documents stored on secured internal network drives, which will reduce the risk of inadvertent transmission of trade secret or other confidential information to third parties.
7. Restrict the Installation of Non-Essential and Third-Party Software
As employees and teams utilize different mediums through which to communicate and connect while working remotely, individuals may install seemingly safe software that could open up trade secret and other confidential information to threat actors. With malicious activity on the rise due to the current crisis and employees likely more distracted than usual, while balancing in-home schooling, child care, and working full time, it is crucial for businesses to constantly monitor for new threats and regularly circulate known threats.
To further remind individuals to remain vigilant, consider implementing or increasing existing spam exercises and requiring all employees to complete or renew information security training. Instruct employees, contractors, and vendors to report any questionable e-mails to IT, and require them to immediately report the exposure of any company laptop or device to malware or a virus to your business’s IT department or designated contact(s) so they can implement preventative and remedial measures to limit the damage.
For added protection, consider implementing fail-safe procedures, including remote lock-outs of individuals who compromise trade secret or other confidential information or remote device erasure for misplaced computers or phones, or in the event that an employee, contractor, or vendor is incapacitated due to illness while working remotely.
8. Assess and Adapt Employee Separation Protocols
While many businesses likely already have off-boarding procedures in place, those procedures may prove challenging to complete remotely, especially for businesses facing the off-boarding of multiple employees in a short period of time. To that end, businesses should be as prepared as possible to conduct their procedures remotely, including: (i) disabling access to company devices and accounts; (ii) arranging for the secure return of company devices, documents, and other property taken outside the office; (iii) holding exit interviews via phone call or on video chat; and (iv) creating digital versions of agreements detailing ongoing confidentiality obligations for separated employees to sign electronically.
9. Have a Plan to Return to the Office
Just as businesses must adapt to the current environment, they must also be prepared for the return to whatever the new “normal” will be after state and local governments rescind their shelter-in-place orders. While many of the foregoing recommended measures facilitate the transition back to the office (i.e., logging documents taken from the office and printed at home, retaining hard copies for secure disposal at the office, etcetera), it will be important to have procedures in place to ensure that any trade secret information accessed outside the office is properly returned and/or disposed of.
Conclusion
Even before the COVID-19 pandemic upended businesses’ normal operation, determining what constituted reasonable measures to protect a business’s trade secrets depended on a variety of factors. The pandemic, and the shelter-in-place orders forcing entire workforces to transition to remote work for the foreseeable future, will be additional factors to consider in determining the reasonableness of your business’s protective efforts. Working with counsel to determine what is appropriate for your business to protect its trade secret information and ensure that current measures and protocols meet this standard is more important today than ever before. The Arent Fox Trade Secrets, Non-Competes & Employee Mobility team stands ready to assist with determining what constitutes “reasonable efforts” for your business and developing a fulsome work-from-home policy to ensure that your trade secret information is protected.
While this alert does not delve into specific COVID-19-related federal, state, or local requirements or limitations with respect to employee illness, sick pay and family leave requirements, Arent Fox’s COVID-19 Task Force offers significant insight into these and other issues. For further information and relevant counsel contacts, please visit the Arent Fox Coronavirus (COVID-19) Task Force page.