As COVID-19 spreads, many businesses, Henderson Franklin among them, have instituted remote work programs voluntarily or in response to state or local “shelter in place” orders. With the idea of continuing business as usual, companies have provided employees with hardware and software to gain remote access to networks or have allowed employees to use their own computers and devices to access the company network so they can seamlessly continue working. While these policies certainly help limit employee exposure to COVID-19, they can inadvertently increase a business’ exposure to theft of intellectual property, specifically trade secrets.
Trade secrets are those bits of information a company has that give it a competitive advantage over others because the information is unknown to others. Famous examples include the formula for Coca-Cola, KFC’s blend of herbs and spices and Google’s search algorithms. These things differentiate Coca-Cola, KFC and Google from others and give them an edge in the market. They are held internally as secrets in order to preserve that advantage. Every business has some form of trade secret, including:
- Customer lists
- Prospect lists
- Manufacturing techniques
- Supplier lists
- Recipes and formulas
- Proprietary custom-designed software
The key common element is that these things a) give a competitive advantage, b) are unknown to others, and c) are guarded as confidential.
The requirement that trade secrets must be guarded as confidential is essential. A business cannot claim secrecy in something that it did not protect—or stopped protecting—as secret.
With this recent significant push to remote work, businesses must ensure they continue to protect all trade secrets. What follows are a few things a business can do to help protect its information with a remote workforce.
- Make employees aware. Remote work policies should clearly articulate that all data and information a remote employee accesses is the property of the business and that remote employees play an important part in the overall protection of company information and data. Employees must be made aware not only that they play this crucial role, but also that their full participation in the protection of company information is an expectation of their employment.
- Limit access to sensitive data. Certain data, for instance company financial data, should be restricted and access given only to those employees that have specific needs to use that information. For example, a CFO has greater need to access books, records and accounts than a sales agent. By requiring secondary passwords to access certain programs or databases or by limiting user rights, a company can define which individuals have access to what information and ensure that the information is not widely disseminated.
- Monitor access and watch for red flags. Companies should keep track of which employees have remote access to company systems and should monitor use to catch things like potential unauthorized access or large downloads of data. These could be signals that trade secret information is being compromised or stolen.
- Remote security. A business must require its remote employees to participate in protection of company data by taking an active part in security. Wherever possible, a business should only allow remote access on company-owned devices, since the company can ensure those devices are secure and require return of the device (and any resident data) if an employee leaves. If a business allows employees to access company systems on their own devices, the company must require employees to make those devices secure and ensure they are used only in secure environments (e.g., no public Wi-Fi). Taking measures like these, and others, will allow a business to ensure its data is secure because the devices accessing that data are secure themselves.
- Be prepared. Remote access and remote work do increase the risk of security breaches and disclosure or loss of confidential information, including trade secrets. Therefore, as part of a remote work policy, a business must also have policies in place to address issues such as reporting data or security breaches as well as plans for mitigation of same.
Because of the exigency caused by COVID-19, many businesses have not had the luxury of developing full, formal remote work policies. At the very least, a business can issue guidelines by email or memo outlining what the company expects from its remote workers in terms of access to systems and protection of information that can be supplemented with more formal policies later. If your business is implementing a remote work program and you need assistance developing safeguards to protect sensitive information, please contact me at firstname.lastname@example.org or by phone at 239-344-1153.