Practice Resource

Protecting Trade Secrets During Shelter-in-Place

03 avril 2020

Given the number of employees and independent contractors working remotely, it is a good time for companies to reassess their trade secret policies and remind all personnel of their obligations to maintain and protect the confidentiality of company information.

For some people, this may be their first time working remotely and they may not be accustomed to the extra steps required at home to maintain appropriate levels of protection for all types of confidential information, particularly if their home environment may not seem conducive to the level of secrecy required for trade secret protection. For all people, regardless of their remote work history, working remotely in this environment of heightened stress is new and warrants a refresh on good trade-secret protection habits. This is true for people at all levels in an organization, regardless of seniority or position, including C-suite executives.

Under both state and federal laws, trade secret protection requires that a company take reasonable measures to maintain the secrecy of the information. Reasonable measures are not the same for every company or for every type of information, but include measures like having a trade secret protection policy; requiring execution of proprietary information agreements; stamping or marking documents confidential; maintaining secure computer networks; requiring strong passwords; ensuring safe handling of hard-copy documents; protecting computers, tablets, and smartphones from unauthorized access; and regularly educating personnel on their obligations to maintain confidentiality. Companies typically also have confidentiality obligations under agreements with third parties, or due to the private/personal nature of the information. With this in mind, companies are encouraged to give their employees, independent contractors, vendors, officers, owners, and directors appropriate reminders of their obligations during this expanded, unprecedented remote work period. This can be done through email notices, or whatever means the company is using to keep in regular communication with persons in these various categories.

Companies should consider tailoring the messages to different groups, depending on the sensitivity of the information to which each has access and the nature of the documents or physical items that the individual is now using at home. It also is important to ensure that the messages are consistent with the company’s existing policies and contractual obligations, including policies regarding use of company computers and networks, and policies and agreements addressing protection of company and third-party information. Bring Your Own Device (BYOD) policies should also be reviewed and adjustments considered if, for example, the policy conditions an employee’s use of a personal device for work on the employer having access-on-demand to the device. Companies may also consider having personnel take brief online refresher courses.

The following are topics companies may consider addressing in reminders to protect company trade secret information, as well as any other information it is obligated to maintain as confidential, such as employee private information and sensitive customer or other third-party data:

  • Reminder regarding obligations under company confidentiality agreements, if the individuals were required to sign such agreements in connection with their work for the company. If confidentiality agreements were not required, then a reminder regarding the obligation under state and federal laws to maintain the secrecy of company trade secrets. Emphasize that obligations apply, notwithstanding others who may be in the home (roommates, family, and visitors).
  • Reminder regarding the types of information that the company deems to be confidential, proprietary, or trade secret and that the company is obliged to keep confidential.
  • Requirements to follow company policies regarding access to computer networks, such as access through secure VPN connections, and prohibition against use of unsecured WiFi or other internet connections.
  • Obligations to ensure confidentiality and security of phone and virtual conferencing conversations (including being aware of who may be able to overhear a conversation in your home), restricting confidential communications through approved conference call services, use of encryption to transmit documents electronically, and restrictions on the use of online or cloud storage services. Reminder that home assistant devices should be turned off at least during all work conversations to avoid inadvertent recording of confidential information.
  • Requirements to use only company email addresses for company business, and restrictions against sending messages to personal email addresses.
  • Requirements regarding use of password-protected company and personal computers, tablets, smartphones, or other devices, including compliance with any BYOD policy; restrictions against allowing access to these devices by family members or roommates; password requirements; and obligations to ensure against theft, damage, or misuse.
  • Discourage home printing of documents with confidential, proprietary, or trade secret information, unless the individual has a means to ensure the security of the printed documents, such as secure storage and/or three-way shredders.
  • Encourage use of a designated workspace in the home and mandate that confidential, proprietary, and trade secret documents of all types be stored out of plain view when not in use to prevent unauthorized access to documents by family members or others in the home, and also address appropriate storage and disposal of documents and physical items.
  • Address access restrictions for individuals who may have physical items that are confidential, proprietary, or trade secret, such as product prototypes or proprietary devices.
  • Address requirements for use of delivery services, if necessary, to ensure use of services sufficient for the sensitive nature of the information.

For all of the above, links to any relevant company policies will serve to reinforce the message.

For individuals who have access to and work with private information of employees and others, such as employment records, health and insurance records, financial account numbers, social security and passport numbers, and contact information, it is prudent to include reminders regarding obligations to protect such information.

For executives, officers, directors, in-house lawyers and others who deal with attorney-client privileged information, it is also prudent to include reminders regarding protection of privileged communications.

Once the shelter-in-place” restrictions are lifted and people return to the office, it will be important to revisit trade secret protection and other confidentiality compliance issues, including providing explicit instructions for appropriate handling and possible disposition of protected information and physical items used in the home.

There is an obvious balance that companies will want to achieve between strict confidentiality and secrecy rules and what can practically be expected of their employees and others entrusted with trade secrets and other types of confidential information. Rules that cannot reasonably be followed are of no value and can backfire. To the extent the company learns that individuals are taking shortcuts or crafting their own workaround solutions, it is appropriate to come up with solutions rather than ignore the issue. For example, if people have used personal email accounts to work around technical barriers, then they should be diligent about deleting all copies in their sent folder and trash and work with the company’s IT team to come up with a secure solution. Likewise, individuals should be encouraged to report any lapses so that the company can take appropriate corrective measures. It also is wise to tailor rules to the sensitivity of the information, having in mind that not every person will need or have access to the same level of sensitive information.

The types of reminders discussed in this article are in addition to steps companies should be taking with respect to computer network and data security, such as monitoring computer networks and email traffic to identify unauthorized access and intrusions, as well as unusual downloading, deleting, copying, or printing activities.

Our lawyers have broad experience working with clients to develop and implement trade secret protection policies and training programs, and are available to assist in development of appropriate reminders for protection of company trade secrets and other confidential information.

Coronavirus COVID-19 Task Force

For our clients, we have formed a multidisciplinary Coronavirus COVID-19 Task Force to help guide you through the broad scope of legal issues brought on by this public health challenge. We also have launched a resource page to help keep you on top of developments as they unfold. If you would like to receive a daily digest of all new updates to the page, please subscribe now to receive our COVID-19 alerts. One of our many resources includes a list of current known IP office closures and extensions around the world.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact the authors, Carla B. Oakley (San Francisco) and Seth M. Gerber (Century City), or any of the members of our trade secret practice:

Boston
Joshua M. Dalton

Century City
Debra L. Fischer
Seth M. Gerber

Chicago
Jonathan D. Lotsoff

Miami
David W. Marston Jr.

New York
Kimberley E. Lunetta

Orange County
Carrie A. Gonell

Philadelphia
Eric Kraeutler

San Francisco
Christopher J. Banks
Carla B. Oakley

Silicon Valley
Andrew J. Gray IV
Michael J. Lyons
Michael D. Schlemmer

Washington
Natalie A. Bennett

Wilmington
John V. Gorman