- As shuttered offices reopen, companies must seek to understand how employees, business partners, and vendors stored, transmitted, and otherwise used or misused trade secret information while working remotely.
- Companies should follow a five-step process to properly assess and address the impact of any relaxed protective measures, inadvertent disclosures, and misappropriation.
As workforces shifted to remote work during the pandemic, trade secret information may have been subject to relaxed protective measures, inadvertent disclosures, or misappropriation. Employees, business partners, and vendors may have accessed information using unsecure personal devices, uploaded information to less secure cloud storage systems (intentionally or unintentionally), or printed sensitive documents on home printers, among other possibilities. As shuttered offices reopen, companies should develop a process to understand how employees, business partners, and vendors stored, transmitted, and otherwise used (or misused) trade secret information while working remotely and act to identify issues and resolve any problems identified.
Below is a five-step process companies can follow as employees, business partners, and vendors return to their workspaces. By taking these steps, a company can assess and address the impact of any relaxed protective measures, inadvertent disclosures, and misappropriation. This applies both to trade secrets owned by the company and those owned by a third party, entrusted to the company pursuant to an NDA or other protective measures. Moreover, should a misappropriation occur in the future, evidence that the company took these precautions will aid the company in proving it took “reasonable efforts” to maintain the information’s secrecy. For that reason, the company should document all efforts taken to preserve trade secret information as employees return to the office.
Step 1: Understand How Employees Used Information While Working Remotely
Companies should first take stock of how employees protected, used, or accessed trade secret information while working remotely. In secured office environments, employers enjoy a wealth of tools to safeguard proprietary information: access to rooms or entire floors can be restricted with keycards or biometrics; employees can be monitored to enforce personal device policies and ensure only secure devices are used; company devices can include multiple layers of protection and virus defense; and paper documents can be easily collected for secure destruction. The same is not necessarily true, or consistently true, of remote work, where employees may be tempted, or required by necessity, to access or store data on unsecure personal devices, transmit data through less secure systems (when they are unable to use secure systems), and create and/or keep sensitive paper documents. Simply put, risks abound when employees work from home. The first step in protecting trade secrets is to identify those risks.
- Survey employees to identify all company property used offsite. In addition to big-ticket items like computers, confirm whether employees took home tablets, printers, peripheral devices, USB flash drives, hard drives, or any other digital storage device, as well as paper documents.
- Confirm whether employees accessed or stored business information on personal devices. Employees may have accessed company databases or downloaded and stored company information onto a personal computer, tablet, cell phone, external hard drive, or cloud-based system. Employees also may have printed information using a home printer. The risk with printers is threefold: in addition to creating a paper record of sensitive information, modern printers often feature memory storage (where the information may remain in digital form) as well as network or internet connectivity (potentially exposing that information to hackers or other third parties).
- Determine whether information was exposed to unapproved software or systems. If an employee sent or received information using a personal e-mail account or unapproved chat or collaboration tools, that information could remain stored on the software provider’s servers unless and until it is deleted. Even if the company has a confidentiality agreement in place with the service provider, that agreement may not apply if the employee uploaded information to a personal or consumer account not associated with the company. Pay special attention to employees’ use of cloud storage services and SaaS systems. Many such solutions automatically sync with personal devices. For example, a file downloaded to an employee’s smartphone may automatically upload to the employee’s personal cloud account, perhaps without the employee’s knowledge. Employers should ask whether employees have made use of cloud storage accounts or SaaS systems and, if so, confirm whether those accounts sync automatically with employees’ devices.
Step 2: Ensure Information Is Returned, Deleted, or Destroyed
After determining how employees used or accessed sensitive information, companies should take steps to ensure that information is returned to the company’s custody, deleted, or destroyed. The goal is to ensure that no proprietary information exists beyond the company’s control. In pursuing that goal, employers should take a nonaccusatory and collaborative approach with employees, keeping in mind that (1) the shelter-in-place/stay-at-home regimes were largely imposed with little notice or preparation time; (2) employee access to hardware, software, and related support may vary greatly within an organization; and (3) employee technical sophistication should be expected to vary.
- Confirm company property was returned. Consider preparing a checklist for each employee listing all company property used offsite, including paper documents. Employers may obtain written confirmation from each employee that the list is complete and that all listed items have been returned to the company’s custody.
- Inspect company devices—and potentially personal devices—to identify security risks. While working from home, employees may have downloaded unapproved programs or software applications onto company devices (e.g., software to connect to home printers, music streaming software, and the like). Unapproved programs can be potential security risks in that they may expose the device or company systems to intrusion, such as spyware, or may send sensitive data to third-party servers for any number of reasons or purposes. Companies should accordingly consider inspecting each company device used in a home setting to ensure that no such software is present or, if it is, to address it. Under some circumstances, employers may also consider performing a more comprehensive forensic analysis to verify whether an employee downloaded business information onto personal devices, such as a USB drive. A forensic analysis may be appropriate if the employee is known to have worked with trade secret information from home (such as a software engineer on a development team), gave evasive answers in response to the company’s property use survey, could not remember whether he or she transferred information to a personal device, or allowed others to use company devices for noncompany purposes, including children engaging in remote learning on a company device.
- Collect paper documents for proper destruction. If an employee took home paper documents or printed business information at home, require the employee to return the documents to the company (or the company’s vendor) for proper destruction unless the employee can confirm proper shredding at home. Make it easy for the employee to comply because some employees possessing voluminous paper records may be tempted to simply toss them in the trash. Consider sending a courier to pick up the documents, using a remote shredding company that will perform house calls, or supplying prepaid boxes to return paper documents by mail to the company.
- Consider inspecting personal devices to ensure no information remains. If the company has a device inspection policy granting it the right to examine personal devices, consider exercising that right and verifying that no business information remains on such devices. Consult legal counsel before inspecting personal devices to ensure the company does not violate privacy rights.
- Confirm information has been deleted from personal devices and software. Obtain each employee’s written confirmation that no company information remains stored on any personal device or in any personal software account, including personal e-mail or cloud storage accounts. Provide detailed information as to where data may reside and offer technical assistance to employees who may be unfamiliar with how to properly locate and/or delete data. Remind employees of any confidentiality obligations set out in their employment agreement or proprietary rights agreement with the company.
Step 3: Reinstate Relaxed or Suspended Policies and Security Protocols
In the rush to transition to remote work or based on technical necessity, companies may have relaxed or even suspended policies or protocols designed to preserve trade secret information. Now is the time to reinstate those policies and protocols and to determine whether any inadvertent disclosures occurred. For example, if the company temporarily lifted restrictions on the use of personal devices for company tasks, the restriction should be reinstated once employees have returned to their workspaces. Similarly, if the company loosened access to systems housing sensitive information (such as allowing remote access to certain records outside of a VPN), prior restrictions should be restored. To avoid confusion, the company should clearly communicate to employees which policies have been reinstated and provide training as needed.
Step 4: Confirm Business Partners and Vendors Are Protecting the Company’s Trade Secrets Following a Similar Process
Depending upon the scope of a company’s contract rights and its respective bargaining power with its business partners and vendors, especially technology vendors (e.g., contract manufacturers and designers), companies should take steps similar to those detailed above for returning employees to assess and address the impact of any relaxed protective measures, inadvertent disclosures, or misappropriation by their business partners and vendors stemming from remote working. Some contracts require that a party receiving a company’s trade secret or confidential information must invoke protective measures at least as strong as the receiving party applies to protecting its own trade secret or confidential materials. Some contracts require the receiving party to enact and follow specific, defined protective measures (such as government, regulatory, or industry standards) or measures at least as strong as the disclosing party follows. Moreover, as a verification or confirmation mechanism, many of these contracts provide the disclosing party audit rights or rights to request a certification that the required policies and protocols are in place and followed. Companies should carefully review their contracts on these points with legal counsel.
It is especially important for companies that derive great value from their trade secrets (including competitive advantages and differentiation), and that disclose those materials to business partners and/or vendors subject to NDAs or other protective measures, to follow these steps or similar steps and not limit the investigation to their own internal employees. This is because under state and federal law, trade secret information may lose its trade secret status if inadvertently disclosed or otherwise not reasonably protected, regardless of who is to blame for the inadvertent disclosure or for the failure to follow reasonable protective measures. In other words, a failure by a company’s business partner or vendor to maintain the secrecy of the company’s information could invalidate the trade secret. As a result, trade secret owners must remain vigilant and not blindly relinquish stewardship of their trade secret information to their business partners and vendors. Companies should consult with legal counsel and review applicable agreements before reaching out to business partners and vendors.
Step 5: Be Particularly Vigilant With Employees, Business Partners, and Vendors With Whom the Company Separated During the Pandemic
The pandemic and associated stay-at-home orders forced many companies to furlough and lay off employees, including senior engineers and executives with access to important trade secret information. Similarly, the resulting changes to the economy have forced companies to curtail supply relationships, suspend new product lines, exit or shut down joint ventures, and cancel contracts. Whether justified or not, these actions can result in hurt feelings and worse. Under these circumstances, former employees, business partners, and vendors may be inclined to take or retain a company’s critical business information on the way out the door, including passwords, source code, customer lists, personal and technical data, business plans, financial information, and more. In some cases, the departing employee, business partner, or vendor intends to use the information to establish operations elsewhere. In other cases, the intent is more nefarious and meant to harm the company.
In any event, as return to work occurs, it is critical to use whatever tools may be at hand to review what may have been kept or taken by departed colleagues and partners, and to use legal tools to get the information back. Companies should carefully review the termination clauses in their employment agreements, joint venture agreements, and other contracts with legal counsel and affirmatively exercise their legal rights to obtain or destroy information that might otherwise leave the company inadvertently. If information is missing that includes personal identifiers, it may be necessary to evaluate the company’s obligations under U.S. and international privacy laws as well.