Even as local economies reopen around the country, working from home remains as a fixture of the post-Covid economy. Recent polling suggests that work-from-home policies will continue for the foreseeable future. Some companies, like Twitter, have even told employees they can work from home permanently. For companies with valuable trade secrets, this new remote workplace presents novel challenges.
We have all heard the funny (if cringe-worthy) stories of videoconferences gone wrong, Zoom-bombing, errant pets, and forgotten mute buttons. But in some circumstances remote employees could—intentionally or not—do serious harm to a business that has not taken steps to protect its trade secrets. The risks include increased use of personal devices and unsecured networks, not to mention overloaded company systems and unknowns in the home environment.
The good news is the law provides some guidance as to what companies can and should do. The law requires businesses to take “reasonable measures” to protect their trade secrets.
Courts do not require perfect secrecy and do not require trade secret owners to undertake every conceivable measure. Instead, they determine what is reasonable “under the circumstances” based on the nature of the secret, the ease of theft, the industry, and the size and resources of the business.
‘Reasonable Measures’ Businesses May Take
Given the potential for increased risks posed by working-from-home, prudent businesses should identify their key secrets and assess whether they are using “reasonable means” to protect them. There are certain steps courts have cited as “reasonable measures” a business should consider depending on its individual circumstances:
1. Identify Trade Secrets
Employers should consider defining in clear and simple terms for employees what information is a trade secret and how employees with access are expected to handle it.
2. Limit Trade Secret Access on ‘Need to Know’ Basis
Employers should consider limiting access to trade secrets to only those employees or groups with a “need to know.” Businesses may restrict access to specific trade secret systems, databases, programs, or even documents.
If possible, the goal is that each employee has access only to the information they need in order to do their job.
3. Use Passwords and Secure Logins
Requiring password protection and secure logins to access corporate networks and the specific trade secrets an employee “needs to know” is typically an important component of taking “reasonable measures” to protect electronic trade secrets.
4. Use Firewalls
Employers should consider using firewalls or other security software to protect their trade secrets and create a barrier between their trusted internal network and untrusted external networks, such as the Internet and its employees’ various home networks. Courts will likely view this as akin to having a lock on your front door.
5. Consider Encryption
Any business with trade secrets which, if they got out, would destroy its business, may want to consider encryption.
6. Require Secure Technologies for Working-From-Home
Clear corporate policies and procedures mandating the confidentiality of trade secrets and addressing working-from-home may yield significant benefits. Employers should consider requiring minimum security measures for employees’ home internet networks, such as use of a virtual private network (VPN), anti-virus and anti-malware software, and regular password changes.
They may also prohibit downloads of certain material and the use of USB and other portable devices.
7. Carefully Consider Personal Email and Personal Devices for Work
Balancing cost savings and risk, some employers may need to decide whether to allow employees to use their personal email and personal devices for work. If an employer permits use of personal email or devices, consider requiring that the devices be equipped with baseline security and virus-protection software and have remote wipe capability, if lost or stolen.
8. Consider Monitoring Your Networks
Employers may consider routine monitoring of their networks for unauthorized access or other cyberattacks and for unauthorized activity by employees. Such monitoring may help detect and deter trade secret theft.
9. Provide Comprehensive and Ongoing Training
Employers should consider training employees regarding information security, including identification of the company’s trade secrets, their importance, and how they should be handled, on a regular basis.
In the current crisis, it may be prudent to remind employees of the new security risks that might arise working-from-home and of the measures designed to protect the company’s trade secrets.
10. Consider Marking Trade Secrets
Employers should consider whether it is practicable to mark or otherwise label their trade secrets, such as with a legend, footer or other electronic tag. For example, employers may set up reminders that pop up every time a remote employee logs into the company’s systems or into a particular database.
11. Require Confidentiality Agreements
An employer should obtain an executed confidentiality or non-disclosure agreement from an employee before disclosing any trade secrets to that employee.
12. Require the Return of Trade Secrets at Termination
To the extent an employer allows employees to work from home, they should consider requiring employees to return all trade secret information upon termination—and follow through on that requirement. Not only is this a matter of common sense, courts have cited this practice as a “reasonable measure.”
13. Take Prompt Action If You Suspect Any Unauthorized Disclosure
If an employer learns of, or even suspects, any unauthorized disclosure of its trade secrets or breach of its security protocols, it should take prompt action in order to protect the secrets and demonstrate “reasonable measures.” If an employer delays too long in taking action, a court may find that it did not take “reasonable measures.”
Ultimately, if forced to go to court to protect its trade secrets, a business should be confident it took steps consistent with the financial value of the secrets—and that those measures went above and beyond the general measures it used to protect other, run-of-the-mill information.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Amy Candido is a partner at Quinn Emanuel Urquhart & Sullivan LLP. She represents both plaintiffs and defendants in high-stakes trade secret and patent disputes nationwide.