10 Practical Tips for Employers to Safeguard Their Trade Secrets During COVID-19
As a result of both mandatory government restrictions and voluntary safety measures to combat the spread of coronavirus (COVID-19), many companies have transitioned all or part of their workforce to a remote working environment. Others have been forced to reduce staff or institute employee furlough policies, all within a short timeframe. These unprecedented and challenging circumstances pose a unique risk for any company with trade secrets. In some cases, companies had to act quickly to provide remote access to their systems, such that trade secrets now can be accessed by employees who are working remotely and may be accessible to employees who recently departed from the organization.
The protection of trade secrets is often vital to a company's business strategy, good will and the ability to maintain competitive advantages that have been developed through substantial investment in research and personnel over time. By definition, a trade secret's economic value depends on maintaining its secrecy.
Even prior to the pandemic, courts saw an uptick in trade secrets litigation as a result of a strong labor market that incentivized the voluntary mobility of employees, as well as the passage of the federal Defend Trade Secrets Act (DTSA) of 2016, 18 U.S.C. § 1836, et seq. Under the DTSA and state analogs, an essential element for stating a claim for trade secret misappropriation is proving that the company has taken "reasonable measures" to keep secret the information it wishes to protect and deems a "trade secret." The reasonableness of measures taken to protect trade secrets is often viewed on a sliding scale. It remains to be seen whether that scale will be changed in light of the unprecedented nature of the pandemic. Employers who actively manage and scrutinize their policies and practices may mitigate the risk of waiving trade secret protections by considering the following list of practical tips.
- Remind employees of confidentiality policies and any security protocols generally associated with the access and use of sensitive business information and documents. If existing policies do not address or are unclear about protocols for accessing business information remotely or from personal devices, update them and provide appropriate training to employees. Emphasize that safeguarding information is more critical now than ever.
- Retrain employees remotely on the importance of nondisclosure and confidentiality policies. Have employees acknowledge receipt and certify their understanding of the policies.
- Remind and expressly advise remote workers that discussions or viewing of sensitive business information should occur in an isolated part of the home, outside the purview of others – even family.
- Minimize to the extent possible the use of personal devices, email accounts, communication services, social media or other cloud-based services that may lack critical information security features. Remind employees that all work-related communication should be conducted via company-authorized software and systems, and ensure that appropriate training is available for all who need it.
- Remind and train employees who use video conferencing services such as Zoom to discuss sensitive topics to use the services' security features, such as enabling passwords for meetings, auto-muting of participants, the use of randomly generated meeting IDs and the disabling of any auto-recording.
- Institute two-factor authentication and encryption measures, if they have not already, for information technology personnel before remote workers can access sensitive documents and information remotely. Such access should be limited to employees with a need to know the particular information.
- Train and refresh employees on the importance of recognizing and avoiding phishing scams.
- For departing employees who had access to sensitive business information, ensure that exit interviews are conducted (even if done remotely) that expressly demand the return of any tangible sensitive business information and any company-issued computers, storage media or other equipment. For intangible items that may have been retained through memory, remind employees that disclosure remains prohibited under company policies.
- For departing and furloughed employees, remove access to the company's network immediately and ensure that audits are conducted of returned company-issued devices to confirm that sensitive information has not been transferred, misused or retained.
- For furloughed employees, remind them that their directive to "not work" during the furlough period includes not attempting to seek access to the company's network or information, following applicable confidentiality and nondisclosure policies, and a reminder that the company remains the owner of any intellectual property created during or as a result of the employment.
For questions, comments or additional information on considerations for protecting trade secrets in the age of COVID-19, please contact the professionals who contributed to this article: Nipun Patel (restrictive covenant, trade secret and employment litigation); Paul Bond and Mark Melodia (data security, strategy and litigation); or Steven Jedlinski and Tracy Quinn (intellectual property protection and litigation).
DISCLAIMER: Please note that the situation surrounding COVID-19 is evolving and that the subject matter discussed in these publications may change on a daily basis. Please contact your responsible Holland & Knight lawyer or the author of this alert for timely advice.