Protecting Trade Secrets During (and After) a Global Pandemic: Practical Tips for Employers
by Russell Beck and Hannah Joseph
Practice Tips
The evolution toward a cloud economy has made it easy and often profitable for employees to misappropriate valuable data from their employers. Indeed, pre-pandemic estimates suggested that over 50 percent of employees take – and most of them are willing to use – their employer’s information when leaving a company.[1]
Against this backdrop, COVID-19 unexpectedly caused the world to shut down in early 2020, resulting in mass layoffs, the highest unemployment rates since the Great Depression, and a fundamental and perhaps permanent shift toward a predominately remote workforce.
Together, these factors have created a precarious environment for trade secrets, as well as customer relationships and other legitimate business interests. Employees working from home have more opportunity to convert company information and customers, and some, particularly those facing involuntary unemployment, may feel driven to do so. Moreover, the ongoing crisis has made preliminary injunctive relief (the judicial remedy most often used to protect trade secrets and other legitimate business interests) more elusive, as courts are typically less willing to restrain employees from competitive employment during economic downturns. See, e.g., All Stainless, Inc. v. Colby, 364 Mass. 773, 781 n.2 (1974).
Whether during or after the pandemic, it is vital for companies to have strong measures in place for protecting their trade secrets and other legitimate business interests, rather than to solely rely on after-the-fact litigation. Below are some practical tips for how to do so.
Tips for protecting trade secrets and other legitimate business interests during and after a global pandemic
Know your trade secrets. A remote workforce means that employees are developing, accessing, and using their employer’s trade secrets from home (and elsewhere). Accordingly, understanding the categories, sources, and life cycles of the company’s trade secrets, and the risks of exposure to which such information is most susceptible, is necessary for establishing and implementing policies and practices that are best suited to protect that information during and after the pandemic. Depending on the organization, the analysis will likely need to involve management, human resources, legal, corporate governance, sales, information technology, information management, research and development, manufacturing, and other relevant stakeholders.
Firm up policies and procedures. Once a company has categorized its trade secrets, both existing and under development, it must ensure that its policies and procedures are appropriately designed to protect the information against likely sources of risk. Such policies and procedures, which should be reviewed on a regular basis, are also critical to protecting other legitimate business interests, such as customer goodwill.
Among other things, employers should have policies that establish clear criteria, protocols, and expectations for the access, use, and disclosure of confidential information, including third-party information; working from home; the use of the employer’s devices, systems, and accounts (and, if applicable, the employer’s policies concerning monitoring such devices, systems, and accounts); the use of personal devices; the use of social media accounts, including as they relate to client communications; the use and protection of passwords; and the post-employment return of information and property. In addition, employers should have a policy that instructs employees to report incidents of unauthorized access, use, or disclosure of confidential information, and provides clear instructions for how to make such a report. This list is not comprehensive, and policies are not one-size-fits-all; they must be tailored to meet the unique needs of the employer and be reasonable in the context of the company’s needs, capabilities, and culture.[2]
Employers should also work closely with their remote employees to ensure that the employees’ at-home work environments are secured against both external threats and inadvertent disclosure. For example: home Wi-Fi routers should be secured with strong passwords; passwords, non-guessable meeting IDs, and other security settings should be used for video conference solutions like Zoom; confidential information should not be reviewed where others in the household may see or overhear it; and confidential information should not be left out in the open when the workspace is unattended. Employers should be prepared to run through a comprehensive checklist with their employees to make sure that employees are taking necessary precautions to protect their workspaces.
Finally, the unfortunate reality of increased furloughs and layoffs during the pandemic dictates that employers have a system in place for off-boarding employees remotely. The system should include, at the least, a mechanism for terminating exiting employees’ access to the employer’s information and information systems (including the remote wiping of company data from devices in the employee’s possession), for securing the full return of all equipment and confidential information, and for the employee to acknowledge their obligation to return (and not retain, use, or disclose) the employer’s confidential information (as well as to comply with their other post-employment contractual obligations).
Educate your employees. Policies and procedures are worthless, and can hurt more than help, if they are not disseminated, understood, and followed. This means that employers must, on an ongoing basis, educate their employees about company policies and practices. While in-person trainings are ill-advised in the era of social distancing, they may be easily replaced by online trainings, whether live or pre-recorded. Processes should be in place that require employees to not only read the policies and procedures, but also to acknowledge that they understand and agree to abide by them. Policies and procedures should provide an avenue for employees to ask questions and obtain answers that will be consistent throughout the company, either through legal or other channels. Employers are well-served by maintaining accurate records of policies and procedures and any amendments thereto, training dates, and employee acknowledgments. While training and acknowledgments will not necessarily prevent all willful misconduct, they may serve as a deterrent, help to limit incidents of inadvertent disclosure (or unauthorized solicitation) and, if litigation becomes necessary, help to establish the company’s reasonable efforts to protect its trade secrets and other legitimate business interests.
Monitor your workforce. Trade secret misappropriation and other forms of employee misconduct do not usually happen in a vacuum. Oftentimes, there will be warning signs that an employee is unhappy (e.g., a lack of engagement, an attitude shift or sudden change in behavior, increased activity on LinkedIn[3]). Moreover, employees who take their employer’s information with the intention of using it at their next place of employment frequently commit multiple acts of taking in the days and weeks leading up to their termination. Similarly, employees who plan to solicit customers may begin well before termination. For those reasons, employers should consider monitoring their employees’ email activity as well as their activity on other information systems to determine whether the employees are accessing information that they do not have a business need to know or are accessing appropriate information, but with unusual frequency. Periodic monitoring may enable an employer to detect and address internal threats earlier, thereby obviating the need for judicial intervention. Before engaging in any kind of monitoring, employers should disseminate policies that put employees on notice that the employers’ devices, systems, and accounts belong solely to the employer and may be monitored on a periodic or ongoing basis.
Conclusion
While these steps are intended to help employers protect their legitimate business interests, they are not comprehensive and are not guaranteed to protect against every threat of disclosure and other forms of misconduct. When implemented correctly, however, they should substantially reduce overall risk. In addition, where litigation is necessary, an employer that has implemented the above steps will have ample evidence to show that it both identified its legitimate business interests to its employees and notified them of their legal obligations to protect such interests. This can dramatically improve an employer’s chances of prevailing in court.
[1] See “What’s Yours is Mine: How Employees are Putting Your Intellectual Property at Risk,” White Paper by the Ponemon Institute and Symantec Corporation (2013), available at https://www.ciosummits.com/media/solution_spotlight/OnlineAssett_Symantec_WhatsYoursIsMine.pdf.
[2] For a comprehensive checklist of steps employers can take, see “A primer and checklist for protecting trade secrets and other legitimate business interests before, during, and after lockdown and stay-at-home orders,” available at https://www.faircompetitionlaw.com/2020/05/17/a-primer-and-checklist-for-protecting-trade-secrets-and-other-legitimate-business-interests-before-during-and-after-lockdown-and-stay-at-home-orders/.
[3] See, e.g., “13 Signs That Someone Is About to Quit, According to Research,” by Timothy M. Gardner and Peter W. Hom, Harvard Business Review (Oct. 20, 2016), available at https://hbr.org/2016/10/13-signs-that-someone-is-about-to-quit-according-to-research.
Russell Beck is a founding partner of Beck Reed Riden LLP. He has authored books on trade secrets and restrictive covenants, assisted the Obama Administration on a Call to Action on noncompetes and trade secrets, drafted much of the Massachusetts Noncompetition Agreement Act, and revised the Massachusetts Uniform Trade Secrets Act. Russell teaches Trade Secrets and Restrictive Covenants at the Boston University School of Law and is President Elect of the Boston Bar Foundation.
Hannah Joseph is senior counsel at Beck Reed Riden LLP and focuses her practice on trade secrets and restrictive covenants law. Hannah regularly publishes and speaks on the topics of intellectual property law and restrictive covenants, including at the American Intellectual Property Law Association, Boston Bar Association, and Practising Law Institute. In addition, Hannah co-teaches the course Trade Secrets and Restrictive Covenants at Boston University School of Law.