The transition to an increasingly remote workforce has forced rapid technology adoption (e,g., cloud-based technologies) with a commensurate increase in long- and short-term risk for data protection. Below are 10 key points for companies to consider, along with practical guidance to protect sensitive documents in a remote-work environment.
1. Training Programs
What constitutes a “trade secret” is broader than most employees recognize.
Companies should deploy a learning-based, trade-secret training program, Policies and agreements should not use boilerplate language to describe “confidential” information.
2. Implementing “Need-to-Know” Policies
Under U.S. federal and state and E.U. law, a trade-secret owner must take reasonable measures to protect the information for it to qualify as a trade secret.
Companies should utilize written policies obligating employees to share information on a need-to-know basis and provide guidance on where to save information. When transitioning resources to cloud-based architecture, service providers offer features like role-based access control and detailed auditing.
3. Compliance Reminders for Compliance with Security, Trade Secret, and Confidentiality Policies
With remote work security, trade secret protection and confidentiality obligations need to be front of mind, and companies need reassurance that employees are meeting their obligations.
Employees should be reminded of their obligations, and companies should require a periodic re-affirmation of employee compliance.
4. Reassessing Employee Usage of Free Cloud-Based or Collaboration Application
If secure business solutions are not provided, employees will circumvent restrictions to make their jobs easier and efficient
Companies should have policies and training on the use of free platforms and restrict unapproved programs.
5. Vetting for Non-Secure Communications
Video conferencing usage has skyrocketed with free solutions (e.g., Zoom, HouseParty). Poor security habits expose IP to unauthorized participants.
Educating employees to regularly change meeting passwords and activating waiting rooms are healthy security practices. Consider storing video conferencing applications on a private, secure cloud and limit the storage of instant messaging logs.
6. Protected Sharing of Data with Third Parties
Employees default to email or cloud-based platforms to share information with third parties. Such mechanisms can cause the company to lose control over its data and give a third-party access.
Companies should articulate protocols for third-party sharing, such as through a password-protected FTP, limited number of downloads, and setting expiration dates.
7. Security Policies Should Be Deployed to Protect Data from Outside and Internal Threats to Personal Devices
Employees’ personal devices can be more vulnerable to outside attacks than a company’s secure architecture.
Companies should have security policies to set limits on employee device usage and Wi-Fi settings; implement policy to restrict USB port access; re-assess VPN and remote-access protocols to limit ability to copy data to non-company devices.
8. Protection of Hard Copy or Tangible Trade Secrets
If an employee has tangible trade secrets at home, a third-party—such as a roommate—may view them.
Companies should review policies and bolster them to apply to remote-work scenarios, including secure ways to store tangible company material (e.g., locked drawer).
9. Collection and Disposition of Departing Employee Data
Prompt collection of devices and termination of access to company data when an employee resigns or is terminated is critical to minimizing theft and protecting legal options. Remote work injects logistical hurdles.
Companies should prepare a plan with input from internal stakeholders to ensure prompt data collection and termination of access, ideally prior to termination. Companies should consider having employees consent to a review of personal devices that contain company data.
10. Threat Detection and Risk Mitigation Protocols for Enterprise Systems and Environments
Flagging suspicious conduct and retaining logs of activity can help to detect, respond, and contain theft.
Companies should ensure their SaaS products provide appropriate monitoring capabilities and/or logging to enable effective and efficient investigations. Ensure capabilities are enabled to record key events.
The proliferation of remote work has created risks for trade-secret protection. While trade secrets may not be front of mind today, actions companies take now can significantly decrease the chance that secrets are stolen. Fortunately, there are practical, feasible, and scalable solutions that minimize these risks.
Mark Clews is a senior managing director with Ankura in Irvine, California. John F. Stark is a managing director with Ankura in San Francisco, California. Shannon Murphy is a partner with Winston & Strawn in Chicago, Illinois. Antonio Rega is a managing director with Ankura in New York City, New York, and contributed to editing this Practice Point. At the time of writing, Luke Tenery was a senior managing director with Ankura in Chicago, Illinois.
Excerpt of original published article reprinted with permission from Corporate Counsel (June 26, 2020) © 2021 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited (877-257-3382 or firstname.lastname@example.org).
|Ankura is the Litigation Advisory Services Sponsor of the ABA Litigation Section. This article should not be construed as an endorsement by the ABA or ABA Entities.|
Copyright © 2021, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Litigation Section, this committee, or the employer(s) of the author(s).