In response to the COVID-19 pandemic, some parts of the country are now in the third month of a lockdown. As a result of the lockdown, a large portion of U.S. businesses quickly transitioned their workforces to telework in the opening weeks of the pandemic. This abrupt shift to work-from-home disrupted many employers' well-established protocols and practices for protecting confidential information and trade secrets, exposing this sensitive information to a heightened risk of theft.
Even as the country begins to reopen, it is unlikely that these new risks will disappear. Employers are still finalizing return-to-work plans for restarting their on-site operations. Moreover, many employers have realized that productivity has not decreased with a switch to telework operations and, in light of the cost benefits associated with teleworking, those employers may plan to maintain the arrangement, for at least portions of their workforces, well after the public health emergency subsides. Given that the increased risk of information theft is not going away, it is important to review several practices that can limit exposure.
Virtual Private Networks
The move from secure offices to the home has put company information at heightened risk of theft from cyberattacks. Home wireless networks are much easier to breach than an employer's secure network because personal wireless networks usually have fewer security protocols in place. Employees accessing company servers remotely are generally granted access to a virtual private network (VPN). A VPN is a private, encrypted channel that will allow employees to directly access a company's network, while greatly minimizing the risk to the company's confidential information and trade secrets. VPNs are also beneficial as they allow employers to create and monitor remote workers' access logs that track files as they are opened, used, and transmitted by each employee.
Issuing company-owned laptops to remote workers keeps sensitive information on company property and behind secure firewalls, making hacking and other types of corporate espionage much more difficult. Further, the majority of misappropriation and unauthorized disclosures occur when workers take secrets and other confidential information with them to new jobs. Doing so becomes exponentially easier if the information is already stored on an employee's personal laptop that he or she is not required to return to the employer. Finally, keeping all work data on company-owned devices allows an employer to remotely "wipe" its information from the device immediately upon notification that an employee is leaving the company.
If an employer issues computers or other electronic devices to employees, it may want to have a system in place for tracking such assets. The employer will want to prioritize collecting every device issued to employees upon their departures from the company. In addition, employers will want to remind employees to apply physical measures to secure any devices that contain sensitive data. Such measures may include:
- locking home office doors when the devices are not in use;
- keeping devices in a safe or with them when traveling; and
- locking screens before stepping away from their computers.
Many information security incidents occur when a device is stolen or misplaced, and protecting the physical security of devices that may store information is essential.
External Device Attachments or Use of Cloud Storage
Flash drives, cloud storage, and other external devices or platforms provide avenues for data exfiltration. Employers may want to consider banning the use of flash drives and personal cloud storage altogether. Limiting the diversity and number of storage repositories of sensitive data greatly helps to decrease the potential options by which an employee can misappropriate information.
Hard Copies of Confidential Information
Where possible, employers may want to prohibit the printing of any confidential or trade secret information. If there is a concern that employees with access may do so, employers can consider making such information "read only." If employees must print sensitive information to accomplish their job duties, employers may want to develop policies that make it clear that any hard copies of such sensitive information must be shredded immediately following the conclusion of use.
Remote Working Policies
Employers may want to consider issuing stand-alone policies that explain the employer's expectations about working from home and handling the company's confidential information. At a minimum, such policies should remind employees of any obligations they have under nondisclosure or other restrictive covenant agreements and clarify to employees that they are expected to take the proper precautions to safeguard the company's secrets.
These suggested measures will not completely protect employers from the threat of misappropriation, but they greatly increase the chances. In addition, implementing the suggested practices and policies may aid employers in the event of any future litigation stemming from information theft. The federal Defend Trade Secrets Act, and similar trade secret statutes in most states, allow employers to seek injunctive and monetary relief if certain criteria are satisfied. One such criteria is that the business has taken "reasonable measures" to safeguard its sensitive information. In the eyes of the law, trade secrets derive their worth because they have "independent economic value" by being kept secret from others who could profit from them. Trade secret cases often turn on what a company did to keep its information secret. The more stringent measures a company puts in place to prevent misappropriation by members of its remote workforce, the more likely they are to prevail in seeking an injunction and other damages.
Ogletree Deakins will continue to monitor and report on developments with respect to the COVID-19 pandemic and will post updates in the firm's Coronavirus (COVID-19) Resource Center as additional information becomes available. Critical information for employers is also available via the firm's webinar programs.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.