The transition to an increasingly remote workforce has forced rapid technology adoption (e.g., cloud-based technologies) with a commensurate increase in long- and short-term risk for data protection. Below are 10 key points for companies to consider, along with practical guidance to protect sensitive documents in a remote-work environment.
March 10, 2021 Practice Points
10 Questions Companies Should Address for a Remote Work Environment
The proliferation of remote work has created risks for trade-secret protection. While trade secrets may not be front of mind today, actions companies take now can significantly decrease the chance that secrets are stolen.
By Mark Clews, John F. Stark, Luke Tenery, and Shannon Murphy
1. Training Programs
What constitutes a “trade secret” is broader than most employees recognize.
Recommendations
Companies should deploy a learning-based, trade-secret training program. Policies and agreements should not use boilerplate language to describe “confidential” information.
2. Implementing “Need-to-Know” Policies
Under U.S. federal and state and E.U. law, a trade-secret owner must take reasonable measures to protect the information for it to qualify as a trade secret.
Recommendations
Companies should utilize written policies obligating employees to share information on a need-to-know basis and provide guidance on where to save information. When transitioning resources to cloud-based architecture, service providers offer features like role-based access control and detailed auditing.
3. Reminders for Compliance with Security, Trade Secret, and Confidentiality Policies
With remote work, security, trade secret protection, and confidentiality obligations need to be front of mind, and companies need reassurance that employees are meeting their obligations.
Recommendations
Employees should be reminded of their obligations, and companies should require a periodic re-affirmation of employee compliance.
4. Reassessing Employee Usage of Free Cloud-Based or Collaboration Applications
If secure business solutions are not provided, employees will circumvent restrictions to make their jobs easier and more efficient.
Recommendations
Companies should have policies and training on the use of free platforms and restrict unapproved programs.
5. Vetting for Non-Secure Communications
Video conferencing usage has skyrocketed with free solutions (e.g., Zoom, HouseParty). Poor security habits expose IP to unauthorized participants.
Recommendation
Educating employees to regularly change meeting passwords and activating waiting rooms are healthy security practices. Consider storing video conferencing applications on a private, secure cloud and limit the storage of instant messaging logs.
6. Protected Sharing of Data with Third Parties
Employees default to email or cloud-based platforms to share information with third parties. Such mechanisms can cause the company to lose control over its data and give a third party access.
Recommendations
Companies should articulate protocols for third-party sharing, such as using a password-protected FTP, limiting the number of downloads, and setting expiration dates.
7. Security Policies Should Be Deployed to Protect Data from Outside and Internal Threats to Personal Devices
Employees’ personal devices can be more vulnerable to outside attacks than a company’s secure architecture.
Recommendation
Companies should have security policies to set limits on employee device usage and Wi-Fi settings; implement a policy to restrict USB port access; and re-assess VPN and remote-access protocols to limit the ability to copy data to non-company devices.
8. Protection of Hard Copy or Tangible Trade Secrets
If an employee has tangible trade secrets at home, a third party, such as a roommate, may view them.
Recommendations
Companies should review policies and bolster them to apply to remote-work scenarios, including secure ways to store tangible company material (e.g., locked drawer).
9. Collection and Disposition of Departing Employee Data
Prompt collection of devices and termination of access to company data when an employee resigns or is terminated is critical to minimizing theft and protecting legal options. Remote work injects logistical hurdles.
Recommendations
Companies should prepare a plan with input from internal stakeholders to ensure prompt data collection and termination of access, ideally prior to termination. Companies should consider having employees consent to a review of personal devices that contain company data.
10. Threat Detection and Risk Mitigation Protocols for Enterprise Systems and Environments
Flagging suspicious conduct and retaining logs of activity can help to detect, respond to, and contain theft.
Recommendation
Companies should ensure their SaaS products provide appropriate monitoring capabilities and/or logging to enable effective and efficient investigations. Ensure capabilities are enabled to record key events.
Conclusion
The proliferation of remote work has created risks for trade-secret protection. While trade secrets may not be front of mind today, actions companies take now can significantly decrease the chance that secrets are stolen. Fortunately, there are practical, feasible, and scalable solutions that minimize these risks.
Mark Clews is a senior managing director with Ankura in Irvine, California. John F. Stark is a managing director with Ankura in San Francisco, California. Shannon Murphy is a partner with Winston & Strawn in Chicago, Illinois. Antonio Rega is a managing director with Ankura in New York City, New York, and contributed to editing this Practice Point. At the time of writing, Luke Tenery was a senior managing director with Ankura in Chicago, Illinois.
Excerpt of original published article reprinted with permission from Corporate Counsel (June 26, 2020) © 2021 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited (877-257-3382 or [email protected]).
Copyright © 2021, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Litigation Section, this committee, or the employer(s) of the author(s).