Due to the COVID-19 pandemic, 42 states, Puerto Rico and the District of Columbia have adopted shelter-in-place or similar orders. As a result, more employees than ever before are working from home. This sudden increase in telework has created new challenges for employers, including balancing the need to protect their trade secrets and confidential information, with the need to ensure that employees can work effectively from home. This article discusses the unique risks to trade secret protection created by telework arrangements and suggests ways employers can mitigate those risks.
I. What is a trade secret?
The federal Defend Trade Secrets Act (DTSA) defines “trade secret” as “all forms and types of financial, business, technical, economic, or engineering information” that (1) derive independent economic value from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from it; and (2) the owner has taken “reasonable measures” to keep secret. In other words, under federal law, a “trade secret” has two components: economic value and secrecy. The majority of states have their own trade secret statutes with identical or similar definitions of “trade secret.”
II. What are “reasonable measures” to maintain secrecy?
Neither the DTSA nor various state trade secret statutes define “reasonable measures.” Nevertheless, courts have provided guidance on the efforts employers must take to preserve the “secrecy” of their trade secrets under normal circumstances. In general, “reasonable measures” include the following:
- Notifying employees, contractors, vendors and other business relations of the confidential nature of certain information
- Including confidentiality provisions in contracts, employee handbooks, bid offers and other business documents
- Using secure servers to store and to transmit company information
- Requiring security passwords for company computers, networks and databases
- Limiting access to confidential information on a need-to-know basis
- Prohibiting access to and storage of confidential information on personal electronic devices
- Physical security measures, such as ID cards for access to restricted areas and locked filing cabinets for storage of confidential documents
Whether a particular employer’s measures are “reasonable” requires a fact-specific analysis. Notably, the protective measures do not have to be perfect; they need only to be reasonable under the circumstances. Also, the fact that an employer has not used a specific measure does not render the employer’s other efforts unreasonable.
III. What are the unique risks to trade secret protection created by telework?
When employees report to a workplace, the employer has a high level of control over the employees’ access to and use of company information. The employer’s control over its information, however, decreases substantially when employees work remotely. For example, employees without a company computer necessarily will use their personal computers, electronic devices and Wi-Fi networks when working from home. These devices and networks may lack adequate security protections and may be more vulnerable to outside attacks. As recent news stories on video conference hacking and phishing emails related to COVID-19 reveal, telework already has made employees more vulnerable to hacking.
Additionally, once an employee stores company information on a personal electronic device or anywhere outside the employer’s database, the employer loses the ability to control and track that information. The employer also cannot determine whether and to whom its information may have been disclosed. The same is true for hard-copy files, as employees may print confidential documents at home, leave them in open view and fail to properly dispose of them.
The importance of maintaining “reasonable measures” to protect trade secrets cannot be overstated. An employer that fails to take “reasonable measures” to protect its trade secrets loses trade secret protection. Importantly, an employer may lose trade secret protection even though it limits access to only its own employees.
In a recent case, an Illinois federal court held that a company failed to take reasonable measures where it (1) granted employees access to its shared drive without any meaningful inquiry into whether the employee needed access; (2) assigned the same access password to many employees; (3) did not encrypt any files on the shared drive; and (4) did not place any restrictions on employees’ ability to access, save, copy, print or email the information for which it later claimed trade secret protection. In another case, the court expressed “serious doubts” that the employer would succeed on its trade secrets claim where its “information was readily accessible on a shared computer network that could be reviewed by anyone who had access to the computer system.” Finally, yet another court held that even an employer’s use of “layers of passwords and SSL encryptions” may not have been reasonable under the circumstances because “employee computers were generally left on and unprotected.”
Although cases discussing “reasonable measures” in the telework context are lacking, the same principles apply. Protections that may be “reasonable” and adequate in the office may not be sufficient when employees work from home. Indeed, the risk of losing trade secret protection only increases when employees work from home because employers have less control over their employees’ actions.
Accordingly, employers may need to take additional precautions when permitting employees to work from home. Other laws provide guidance on possible additional precautions. For example, the Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule requires encryption when transmitting protected health information when encryption is “reasonable and appropriate.” Thus, employers subject to HIPAA routinely require employees to encrypt emails containing protected health information when using either company-provided or personal electronic devices. Similarly, the American Bar Association recently issued an opinion letter noting “it is not always reasonable [for lawyers] to rely on the use of unencrypted e-mail” to communicate client information. The opinion letter recommends using “strong protection measures, like encryption,” in circumstances warranting increased security.
IV. What can employers do to protect their trade secrets when employees telework?
With telework arrangements more prevalent as a result of the COVID-19 pandemic, employers should evaluate the need for additional steps to protect their trade secrets. This is especially true because many employers will need to downsize with many terminated employees potentially moving to competing businesses during or after the crisis. Future trade secret litigation likely will involve challenges to an employer’s measures to protect its trade secrets during the COVID-19 pandemic. There is no one-size-fits-all approach, however, and employers should tailor efforts to be consistent with their business needs. Below are some suggested protections for employers operating with a significant remote workforce:
- Establish and distribute a clear telework policy. The telework policy should address the types of information the employer considers confidential, the proper handling of confidential information by employees working from home and the steps such employees need to take to protect the employer’s confidential information. Employers should consider requiring teleworking employees to sign (or e-sign) the policy before granting them remote access to confidential information.
- Remind teleworking employees of their confidentiality obligations. Courts routinely view such reminders as a “reasonable measure.” Therefore, employers should install automatic or “pop-up” confidentiality statements that appear each time a teleworking employee logs in remotely to a company network, system or database. As an alternative, employers should periodically send teleworking employees emails reminding them to protect company information when working from home.
- Train employees to recognize internet scams. Employers should train employees to recognize and report malware, phishing emails and other internet scams that target computers and other electronic devices on which company information may be stored.
- Require employees to use only company-provided devices or company systems. If feasible, employers should require teleworking employees to use only company-provided devices or company systems to review, store and disseminate company information. For example, employees who need to transmit substantial amounts of company information should be allowed to do so only through secured servers, such as an FTP site. Conversely, employers should prohibit employees from sharing company information through personal email accounts, text messaging or other non-company communication applications.
- Develop protocols for remote access to company databases. Employers must ensure that only authorized users have access to their systems, networks and databases. To do so, employers could require two-step authentication or instate similar protective measures for remote access. Additionally, employees should require employees working from home to use secured connections, such as VPN, when accessing company information.
- Restrict and monitor access and use of confidential company information. Employers should limit remote access to company databases to a need-to-know basis only. All databases containing company information should be password-protected, with each employee using a unique password that he or she cannot share with others. This will also enable employers to monitor their employees’ access to company information and to flag any suspicious activity, such as mass downloading or sharing.
- Establish protocols for handling hard-copy documents. Employers should develop rules for teleworking employees’ use of hard-copy documents. For example, the employer could prohibit the printing or copying of significant amounts of company materials without express authorization and require teleworking employees to keep all hard-copy materials in a locked cabinet when not using them. Employers also should require employees to return or properly destroy all hard-copy documents after the crisis passes and the employees return to the workplace.
- Establish protocols for immediate termination of remote access. Employers need to be prepared to immediately terminate teleworking employees’ access to company databases and information in cases of suspected theft or if the employee is furloughed or laid off. Stated simply, employees who no longer need to have remote access to company information should not have remote access.
- Establish a plan for recovering information from employees. Employers should develop a plan for recovering company information and equipment from teleworking employees if the employee leaves employment before returning to the workplace. This plan should include procedures to remotely lock access to company-provided devices such as computers and cellular telephones and to promptly recover such devices from a terminated employee.
Trade secrets are among an employer’s most valuable assets, and employers should evaluate the need for additional protection during the COVID-19 crisis. For more information or guidance on protecting trade secrets and confidential information during the COVID-19 pandemic, please contact the authors, any of the McGuireWoods COVID-19 Response Team, or your McGuireWoods labor and employment contact.