Q: Do work-from-home arrangements create a heightened risk that company trade secrets may be exposed?
A: Without proper precautions, in many ways, “yes.”
Since the onset of the pandemic, we have observed an increased use of external storage devices by employees to save and access work-related documents. We have heard several reasons for this, but the primary one is that employees often complain that accessing large data files remotely takes considerably more time than when they access files via the network in the company’s physical offices. Thus, employees have resorted more often to using personally owned external storage devices, such as external hard drives and thumb drives to download and access company materials.
While it appears that in many — if not most — situations the employees are genuinely only trying to save time and effort, the practice creates problems for companies that want to protect their trade secrets. When employees save materials to external hard drives, they can potentially impact their companies’ trade secrets in two primary ways.
First, when an employee leaves the firm and moves to another company, our experience shows that employees very rarely return the downloaded documents. (As an aside, the author has never heard of an employee doing so.) This becomes especially problematic when the employee goes to work for a competitor, since the employee therefore has ongoing access to potentially important and highly confidential data and other files from their prior employer.
Second, for data or documents to be considered trade secrets under state and/or federal law, companies must be able to show that they have taken “reasonable measures” to protect their purported trade secrets. If a company cannot satisfy this requirement, the materials will not be protected by the applicable state and federal statutes, which subject those who misappropriate trade secrets to damages and other penalties.
What steps can companies take to address these issues? Here are four:
- Implement additional IT security measures. Of the many options available, some common and relatively effective ones include limiting systems access via a virtual private network (VPN); implementing multifactor authentication; and blocking or limiting USB port access.
- Limit employee access to only documents and data needed for their role. Companies sometimes do not place appropriate user restrictions on databases, giving employees the ability to access and download materials unnecessary for their jobs. Problematic examples include not restricting operations employees from accessing sales data or sales employees from accessing financial data unrelated to their business development work.
- Ensure company data confidentiality policies and agreements are in place. Drafting robust data confidentiality policies that employees receive and sign, along with confidentiality agreements at the appropriate organizational levels, are key tools to drive home the importance of keeping company secrets confidential and set employee expectations.
- Perform basic data forensics on employee data on departure. Early detection that an employee may have taken company data is critical, especially when an employee goes to work for a competitor. In order to enjoin data misappropriation by a former employee, courts require companies to act diligently and quickly when there is evidence or circumstances suggesting an employee may have absconded with company data. A basic digital forensics investigation by a qualified professional is a cost-effective way of determining whether an employee has taken company data.
Note: Informal investigations by in-house IT staff are not recommended and may do more harm than good because such an investigation may alter or destroy key metadata and other forensic evidence. As such, we do not recommend a forensic investigation by anyone other than a qualified professional.
Even in a work-from-home world, following these recommendations will allow companies to better ensure that their most confidential and valuable information does not wind up in the hands of its competitors or others. If you have questions or what to learn more, please contact us or register for our upcoming webinar – Trade Secret Theft and Protecting Sensitive Information in the Age of COVID-19.