Hope for the best, plan for the worst.
– John Jay
The ability to protect trade secrets (and other legitimate business interests, including customer goodwill) has been hit by a perfect storm caused by the current coronavirus pandemic:
- Loss of Control. So much of the workforce is now working from home; consequently, it can be difficult to ensure that trade secrets (as well as customer relationships and other legitimate business interests) are properly protected – a reality that is expected to drag on for some time and ultimately forever change the way people work.
- Risk of Theft. In the best of times, “half of [employees] say they have taken information, and 40 percent say they will use it in their new jobs.” But these are not the best of times. Employees are being laid off or furloughed in record numbers, increasing the risk that information will be taken or destroyed. See, for example, “Oil Co. Says HR Staffer Killed Files Minutes After Getting Fired.”
- Loss of Protections. In many states, employees who have been laid off without cause are relieved of their noncompete obligations, even though subsequent employment may place their former employer’s trade secrets, customer relationships, and other legitimate business interests at risk. (See which states here.)
- Limited Judicial Assistance. Many courts are operating with skeleton crews and hearing only limited matters. (See the status of each court here.)
- Increased Skepticism. Even as the courts reopen and catch up from the backlog of cases, hearings on motions for temporary restraining orders, preliminary injunctions, or similar emergency orders (the keys to protecting trade secrets and other legitimate business interests) are typically even harder to obtain in times of significant unemployment and economic upheaval (the Great Recession being the last example) than in “normal” times. (For a recent discussion of cases considering the current pandemic, see here.)
- Threats to Use of Safeguards. And, as we look forward to emerging from the first wave of the coronavirus impacts, the Department of Justice and the Federal Trade Commission, which already had been considering imposing federal limitations on the use of noncompete agreements, issued a joint statement on April 13 warning about anticompetitive conduct during the current pandemic, specifically referencing “anticompetitive non-compete agreements” and noting that “[t]he agencies may also use their civil enforcement authority to challenge unilateral anticompetitive conduct by employers that harms competition in a labor market.”
While we can hope everyone will comply with their legal obligations – particularly during a time of crisis – we need to plan for the opposite.
Accordingly, this post provides practical guidance for companies on how to manage their trade secrets (and other legitimate business interests) – both generally and particularly while employing a remote workforce – thereby avoiding preventable problems by having a plan in place to address problems when they arise, which they inevitably will. Specifically, it explains general aspects of trade secret protection programs, provides a detailed guide to the creation of a trade secret protection program, and identifies where to focus efforts now to address the current circumstances and the expected new “abnormal,” as restrictions begin to be lifted.
An Ounce of Prevention, Especially Now
I have always been a believer that when it comes to the protection of trade secrets, an ounce of prevention is worth a pound of cure. That is even more true now. The current circumstances mandate increased vigilance – but, increased vigilance tempered by reality.
As Jim Pooley wisely cautioned:
During this unusual time, employers need to be flexible and understanding. Getting compliance with the full suite of security protocols is harder at a distance. Trade secret management is about balancing value against risk, and then measuring that risk against the cost (including inconvenience) of various measures to reduce it. One of the practical risks is that people won’t follow rules that get in the way of getting the job done, and so you need to be sensitive to their struggle and try to collaborate about finding acceptable solutions.
The evolving dynamics of life under quarantine, shelter-in-place orders, and lockdowns have provided ample insight for how to achieve that balance – both for now and for our return to the new “normal” (which will be anything but).
The important thing to remember is that the rules have not changed. Only the circumstances and how the rules will be applied have. Accordingly, it is critical to have a working trade secret protection program that reflects the current realities.
A Proper Trade Secret Protection Program Explained
At its core, a trade secret protection program is a set of protocols to protect a company’s confidential information – protocols that are not only expected by courts, but, more important, protocols that are designed to prevent the misappropriation of a company’s information in the first place.
While “reasonable” efforts are the legal touchstone for protecting trade secrets, the law should not be the motivation. Rather, effective and efficient prevention of misappropriation should be the lodestar.
Few trade secrets are like Coca-Cola, requiring heroic measures for their protection. In most instances, companies can achieve a reasonable balance, preventing misappropriation while enabling employees to use the company’s information for legitimate business purposes. The goal should be to ensure that protecting the information is the easy path. If the balance tips too far toward preventing misappropriation, making it difficult for employees to get their work done efficiently, they will find a workaround. In contrast, the less resistance, the more likely compliance will happen naturally.
A decade ago I wrote, “The Who, What, Where, When, How, and Why of Trade Secret Audits,” providing an overview of how to do this. The process remains the same. But, like everything else, shifting paradigms require recalibrating tools. What is reasonable today is qualitatively different from what was reasonable in the past. What worked for a physical Rolodex needs to be recalibrated for iPhone contacts, LinkedIn, and other social media. And what worked pre-coronavirus may no longer work in a post-COVID world.
There is no one size fits all approach. Rather, the reasonableness – and effectiveness – of the protection measures will depend on the nature of the information, the value of the information, the potential risks to the information, and the circumstances of the company.
A Summary Checklist for Trade Secret Protection in the Wake of COVID-19
Set forth below are the steps – together with an abbreviated checklist of the basic questions and issues – for a proper trade secret protection program (“TSPP”), with specific focus points arising from the current and foreseeable future work-from-home (“WFH”) environment in red. A significantly more detailed checklist (too long to post) is available on request (by emailing me).
Remember that companies and their culture and circumstances, work-from-home environments, trade secrets, and risks vary widely and will require different approaches – and they all change over time. What may have made sense at one time may no longer be sufficient or may be too restrictive. So this process should be considered a work-in-progress, to be reevaluated on a regular basis.
Also note that this checklist does not address the requirements imposed by potentially applicable regulatory overlays such as HIPAA or Reg S-P. Accordingly, the checklist is necessarily general and must be tailored to the specific circumstances.
Step One: Understand the Landscape
The starting point for protecting trade secrets (and other company information) is gaining an understanding of the landscape: What information is at risk, and where do the risks come from?
There is an endless variety of trade secrets and confidential information. They can include product developments; specifications or plans for new, revised, or existing products; technical data; designs; patterns; formulas; computer programs; source code; object code; algorithms; subroutines; manuals; products; business plans; business strategies; financial information; customer lists; summaries of customer interactions; customer needs, preferences, and buying patterns; client credit profiles; contract pipeline and opportunities; pending projects and bids; bidding strategies; contracting strategies; marketing and sales strategies; pricing strategies; profitability targets; profit margins; markup rates; price lists; employee lists; vendor information; and so on.
Companies should identify and categorize the information, not catalog it. And, depending on the organization, this inquiry may require the involvement of management, human resources, legal, corporate governance, sales, marketing, information technology, information management, research and development, manufacturing, and other relevant stakeholders.
- What are the company’s trade secrets (i.e., what information is important to the company)?
- Does the company own the information?
- Is the information secret?
- Does the information have value, whether now or in the future?
- How widely is the information known in the company?
- How widely is the information known outside the company?
- How much money and effort did the company expend in developing the information?
- How easy would it be to recreate the information?
- Is there a process to identify trade secrets on an ongoing basis?
- How are the company’s trade secrets protected?
- Where are the company’s trade secrets kept?
- Who has access to the trade secrets?
- Which of the following is permitted with respect to the trade secrets?
  - Copying/downloading?
  - Sharing?
  - Printing?
  - Taking of screenshot?
  - Photographing?
  - Emailing?
  - Removing the information from the premises?
- Are trade secrets marked as confidential?
- Are the trade secrets secure?
- What are the highest value trade secrets or greatest vulnerabilities?
- Are there additional protections?
- Are there appropriate backups in case of loss?
- Are any trade secrets shared with third parties?
- Which trade secrets are shared?
- What are the third parties’ obligations for protecting the information?
- What is the third party doing to protect the company’s information generally?
- What is the third party doing to protect the company’s information during the crisis?
- Are additional protections needed?
- Do specific expectations need to be communicated to the third party?
- Which trade secrets belong to third parties?
- What are the company’s obligations to the third parties?
- Is the company complying with its obligations?
- Have there been any changes resulting from the current crisis that affects the company’s compliance?
Step Two: Evaluate and Update Protections
Once the landscape is clear, the next step is to evaluate the sufficiency of the existing protections, both generally and from a physical, electronic/technological, and administrative standpoint, and then to update them, removing anything no longer needed and adding anything missing. The focus of this step is the company’s own information. (Third-party issues are treated separately.)
- General Sufficiency
- What has worked in the past?
- What has not worked in the past?
- What is missing?
- Physical security takes two forms: (1) access to the company and (2) access to information.
- What protocols are in place for entrance to and exit from the premises, buildings, and facilities housing any company trade secrets?
- Does the company maintain video surveillance?
- Is photography or video permitted?
- Is computer network hardware (including all servers, modems, routers, switches, hubs, and access points) kept in a secure location?
- Are trade secrets physically isolated in a secure location (whether a building, office, room, closet, safe, filing cabinet, or desk drawer)?
- Is the identity of trade secrets appropriately obscured where necessary?
- Electronic/technical security (like physical security) takes two forms: (1) access to the equipment housing the information and (2) access to the information itself. And, most physical security measures have electronic or technical analogues.
- Is electronic access to the network secure?
- How is the company’s network accessed remotely?
- Is VPN required?
- Is multi-factor authentication required?
- Are the protocols sufficient to prevent unapproved connections?
- Is the network segmented/partitioned so information can be compartmentalized and access restricted by location on the network?
- Are there technological limitations preventing employees from accessing parts of the network where information they do not need to access is stored?
- Is information accessible only on a need-to-know basis?
- Does all of the information need to be accessible?
- Is information segmented to the extent possible so that portions of the secret are kept separate from other aspects of the secret?
- Are appropriate identity and access management (IAM) protocols in place?
- Are all computers and equipment appropriately secure?
- Are all laptops and mobile devices physically secured when not in use?
- Are all computers password protected?
- Are all computers full-disk encrypted?
- Are screens set to lock and require reentry of user credentials after a period of inactivity?
- Is the period sufficiently short given the location of the computer?
- Are all software, hardware, and operating systems up to date?
- Are all computers adequately protected with firewall, anti-virus, anti-malware software?
- Are all appropriate updates applied, including security updates?
- Are employees’ administrator functions appropriately limited?
- Are there limitations on access to websites?
- Do all computers and other devices have an appropriate, up-to-date backup system?
- Is the use of personal backup systems permitted?
- If so, does the company have access to the backups?
- Is there a process for removal of company information from personal backups?
- Can computers and other devices be wiped remotely?
- Is there an inventory of all computers and other electronic equipment, including their locations?
- Does the inventory contain all necessary usernames and passwords?
- Is the inventory updated as equipment, passwords, and locations are changed, added, retired, or transferred?
- Are all electronically maintained trade secrets adequately protected?
- Which trade secrets are accessible remotely?
- Should they be?
- Are files containing confidential information maintained in a separate folder?
- Do the file names indicate that they are confidential?
- Do documents containing confidential information contain legends or other markings to indicate that they are confidential?
- Are the files containing confidential information password protected?
- Are the files containing trade secrets encrypted?
- Are document watermarking, “paper town,” “digital signature,” or tracking mechanisms used?
- If any of the following is banned, are there technological restrictions on such actions?
  - Copying/downloading trade secrets?
  - Sharing trade secrets?
  - Printing trade secrets?
  - Taking screenshots of trade secrets?
  - Photographing?
  - Emailing?
  - Removing the information from the premises?
- If technological impediments are not in place, are such banned activities monitored?
- If any of the above is not banned, are there popups or other notices to indicate that the information is a trade secret and that require employees to confirm that they intended to engage in the activity?
- Are electronic materials containing trade secrets that are outdated or otherwise no longer needed electronically “shredded”?
- Are potentially non-secure communication platforms, such as Zoom, Slack, conference call lines, and social media, permitted to be used for work communications?
- If so, is confidential information permitted to be discussed or shared?
- If so, have all necessary steps been taken to ensure that confidential information is protected?
- Have all security settings been set to limit the risk of loss?
- For Zoom and other video conference platforms, has each of the following settings been turned on, if available:
  - Requiring authorized users only?
  - Requiring a password for entry?
  - Using the “waiting room” to exclude people until the host permits entry?
  - Using non-guessable meeting IDs generated for each meeting?
  - Turning off automatic recording?
  - Prohibiting recording (unless affirmatively desired and people have been notified)?
  - Prohibiting screenshots (unless affirmatively authorized)?
- Has the information been password protected, encrypted, or otherwise concealed?
- Is the audience specifically limited to those who need to know?
- Have people been cautioned not to forward invites?
- Is the confidential information narrowly tailored to the audience?
- Administrative measures, including in particular policies and procedures, are the key to setting and enforcing expectations. Many of the policies will reflect and reinforce the physical and electronic/technological security measures and expectations.
- Does the company have all necessary and appropriate policies?
- Does the company require employees to acknowledge that they received, reviewed, and understand and will abide by the policies?
- Is there a trade secret, confidentiality, or information protection policy?
- Does the policy describe the information to be protected?
- Does the policy explain why the procedures are in place?
- Does the policy explain that the protection is extremely important?
- Does the policy explain that employees have a duty to protect the information?
- Does the policy explain how the company expects trade secrets to be protected?
- Does the policy limit employee access on a need-to-know basis?
- Does the policy explain that the information may be used only for company purposes, as authorized by the company?
- Does it explain with whom and how information can be shared within the company?
- Does it explain with whom and how information can be shared outside the company?
- Does it require presentations, speeches, newsletters, press releases, postings on company websites, and other announcements to be pre-screened to ensure that no confidential information is inappropriately shared?
- Is there a process for screening potential disclosures?
- Does the policy explain that employees may not discuss or view confidential information publicly?
- Does it explain not to discuss confidential information where others might overhear?
- Do employees know not to display confidential information where others might see it – including on their computer screens?
- Does the policy prohibit employees from removing trade secrets and other confidential information from the premises, including preventing the information from being taken home?
- If not, under what circumstances can such information be taken home?
- Does it address whether and, if so, how COVID-19 has changed any restrictions?
- Does the policy explain that confidentiality obligations continue post-employment, including that confidential information cannot be retained, used, or disclosed post-employment?
- Does the policy explain that employees have a duty to report threats to the company’s trade secrets?
- Does the policy encourage employees to ask for assistance if there is any uncertainty about what is confidential or how to protect it?
- Is there a computer and mobile device use policy?
- Does the policy match all physical, electronic, and technical restrictions?
- Does the policy make it clear that employees are to use computers (including the company’s computer network and all computer-related equipment and services) and mobile devices (including smartphones, tablets, and external storage devices) for work purposes only?
- Does the policy instruct that employees may not access or use portions of the company’s computer network that they are not authorized to access or use?
- Does the policy make clear that employees are not to permit anyone else to use their devices, except as expressly required or authorized by the company?
- Does the policy instruct that employees should not make changes to security and administrative settings or otherwise bypass technological restrictions?
- Are computers and other devices required to be safely secured when not in use?
- Do employees have an expectation of privacy when using company equipment?
- Does the policy provide for the disposal of computer hard drives and external hard drives?
- Is there a password policy?
- Does the policy require the use of passwords for all devices (including computers, cellphones, tablets, and external storage devices)?
- Does the policy establish protocols to reduce the risk that passwords can be guessed or hacked?
- Does it provide specific rule-based requirements for password length and strength?
- Does it require a minimum length?
- Does it require special characters?
- Does it require capitalization and lower case?
- Does it require numbers?
- Does it prohibit dates?
- Does it prohibit sequential or repeating letters and numbers?
- Does it preclude use of words associated with the company, the person (e.g., their own name or names of family members, birthdays, anniversaries, phone numbers, addresses, pet names, usernames, etc.), or the information?
- Does it require passwords to be changed at specific intervals?
- Does it preclude the reuse and recycling of passwords?
- Does the policy require that passwords be stored in a secure location not accessible or visible to others?
- Does it require that stored passwords be encrypted?
- Does it permit or require the use of password managers?
- Does the policy prohibit sharing passwords?
- Does it prohibit employees from asking other employees to borrow their password?
- Is there a document management and retention policy covering trade secrets and other confidential information?
- Does the policy address where documents containing trade secrets may be stored?
- Are documents containing trade secrets permitted to be stored locally, such as on laptops, thumb drives, or physically in employee offices (as opposed to on networks or the company’s designated storage locations)?
- Does the policy establish a check-in / check-out process?
- Does the policy permit any of the following?
  - Copying/downloading trade secrets?
  - Sharing trade secrets?
  - Printing trade secrets?
  - Taking screenshots of trade secrets?
  - Photographing?
  - Emailing?
  - Removing the information from the premises?
- To the extent any of the above are permitted, under what circumstances are they permitted?
- Are there limitations on the quantities of copies?
- Are printouts required to be numbered or otherwise controlled?
- Are printouts required to be collected from the printer immediately?
- Does the policy establish appropriate procedures for the disposal and shredding of materials containing trade secrets that are no longer needed?
- Does the policy address how long documents are retained?
- Is there a clean desk policy?
- Does the policy require all confidential materials to be removed from the workspace and secured at the end of the day?
- Does it require removal and/or securing when the workspace is not going to be occupied for relatively brief periods?
- Does the policy require whiteboards containing confidential information to be thoroughly cleaned?
- Is there a social media policy?
- Does the policy address who owns social media accounts used for business or mixed purposes?
- Does the policy prohibit the posting, sharing, or discussion of confidential information on or through social media platforms?
- Does the policy address mandatory privacy settings for accounts used for business?
- To the extent that the policy permits the dual personal and company use of social media accounts, does it provide a process to unwind the commingling?
- Does the policy prohibit the employee’s use of work-related social media accounts to announce the termination of the employment relationship?
- Has the policy been updated for changes in applicable laws governing employee personal social media accounts used for work?
- Is there a BYOD (bring your own device) policy?
- Does the policy specify which types of devices (including computers and mobile devices) and services are permitted to be used for work purposes?
- Does it require company approval before a device or service can be used?
- Does it expressly prohibit all devices and cloud platforms that have not been expressly authorized?
- Does the policy require compliance with any computer use policies?
- Does it specifically address mobile devices such as cellphones and tablets?
- Does it specifically address external storage devices (for example, thumb drives, external hard drives, home network backups, home cloud backups)?
- If permitted, are they subject to the same requirements as other devices (encryption, storage and disposal protocols, company access, monitoring, wiping, etc.)?
- Does the policy address privacy and security settings for the device?
- Does the policy require personal devices to be password protected in accordance with company password policies?
- Does the policy require personal devices to be encrypted?
- Are the privacy and security settings up to the same standards as for company-owned devices?
- Does the policy require all devices to be inventoried with the company?
- Does the policy provide for sandboxing or segregation of company information from personal information?
- Does the policy place restrictions on software that may be installed or used?
- Is there a protocol for approval of the installation and use of software?
- Is software used to enforce the policy?
- Does the policy provide for company technical support?
- Does the policy delineate where the company’s right to monitor and investigate ends and the employee’s right to privacy begins?
- Does the policy address who else is allowed to use the device?
- Are family members permitted to use the device if they have their own password-protected accounts on the device?
- Does the policy permit other family-owned equipment to be used to access or store company information?
- If so, under what circumstances?
- Does the policy address the removal of company information on the device when the employment relationship ends?
- Does the policy address what happens if a personal device with company information is lost or stolen?
- Does the policy require employees to immediately notify the company if their device has been compromised or if company confidential information is otherwise compromised or at an increased risk?
- Does the policy provide for discipline for violation?
- Are there other policies that may address the protection of trade secrets, such as a code of conduct?
- Does the company require the following agreements:
  - Nondisclosure or confidentiality agreement?
  - Noncompetition agreement?
  - Nonsolicitation (of customers) agreement?
  - Invention assignment?
  - No raid agreement (also known as a nonsolicitation of employees)?
- Does the company require any other restrictive covenants (such as a no-service agreement) from any employees?
- Are the appropriate agreements required from those employees whose roles create the need for them?
- Has each employee signed all necessary agreements?
- Has the company signed all applicable agreements?
- Does each agreement comply with current law, including changes in applicable laws?
Step Three: Evaluate Third Party Implications
The involvement of third parties raises three categories of issues: (1) obligations the company owes to third parties whose information the company is in possession of; (2) obligations of third parties that are in possession of the company’s confidential information; and (3) risks associated with bringing in employees (and others) who may possess, use, or disclose information from third parties, such as competitors, former employers, and other trade secret owners.
- What are the company’s obligations to the third parties?
- Are they documented in a contract?
- Are they sufficiently clear?
- Are the company’s protocols sufficient to satisfy the obligations?
- Are the company’s remote work policies adequate?
- Which employees are permitted access?
- What can they do with that access?
- What are the consequences of a violation of those obligations?
- What obligations are owed to the company by third parties?
- Do the third party’s protocols sufficiently address a remote work environment?
- Are there protocols in place to ensure that employees do not bring third parties’ trade secrets to the company or use or disclose third parties’ trade secrets?
- Does the company make clear to new employees that it does not want trade secrets of others?
- Does the company explain not to bring, use, or disclose information from prior employers (or others)?
- Is there a process for reviewing whether an employee (new or existing) has brought, used, or disclosed information?
- Is there a process for determining whether any third party information has been uploaded?
- How does the company respond to the discovery that information of others has been brought into the company or used or disclosed at or for the company?
- Does the company evaluate preexisting obligations of potential new employees and restrictions on the employee’s conduct?
- Is there a protocol for when to involve legal counsel (in-house or outside)?
Step Four: Special Considerations in Connection with Work-From-Home (WFH) and Other Remote Work Environments
Work conducted remotely (whether from home or other locations outside of the company’s direct control) substantially alters the typical trade secret risk profile in many ways, including the potential for the use of improperly secured Wi-Fi, other people in close proximity, and a lack of formalities that otherwise appertain to typical work environments. Accordingly, a purposeful awareness of and focus on the different and additional risks is necessary, particularly now and as the new normal continues to evolve. And, equally important, employees should be counseled to affirmatively think about their obligations and use basic common sense when company confidential information is at risk.
- Physical security in a home workspace should be designed to achieve, as close as possible, the same level of security as in the company’s facilities.
  - Is the workspace a separate, isolated room?
    - If not, is the space physically separate?
    - Are other members of the household excluded from the workspace?
    - Can the workspace be locked when not in use?
    - If so, is it kept locked when the employee is not using it?
    - If it cannot be locked, is all equipment and confidential information secure and, to the extent appropriate, stored in locked cabinets or drawers when not in use?
    - If a clean desk is not an option at home, what precautions are in place to protect the company’s confidential materials?
    - Are documents and materials containing confidential information shielded from view from others in the house?
    - Are documents and materials containing confidential information secured when not in use?
    - Is printing kept to a minimum?
    - Are documents removed immediately from the printer?
    - Is shredding available?
    - If not, are documents secured until they can eventually be shredded?
- Electronic/technological security requirements are heightened in the home, where home networks tend to be less secure than those at an office.
  - Is the home network secure?
    - Is the network ID (SSID) broadcast?
    - Is Wi-Fi password protected?
    - Is the password sufficiently secure?
    - Does the router meet current security standards?
    - Is the firmware updated?
    - Is an appropriate firewall in place?
    - Are computer screens set to lock when not in use?
    - Have any members of the household used any device that is being used for work?
    - Are the devices checked for malware?
    - Are appropriate safeguards in place to avoid compromising company information?
    - Are smart devices like Alexa, Siri, and Google Assistant (as well as other video and/or listening devices such as baby monitors) turned off or sufficiently distant (or directed away) from the workspace to avoid them picking up sound or video?
- Administrative measures for a work-from-home environment should explain that the same rules that apply at the office apply as close as possible to the home workspace. Given the prevalence of potentially non-secure communication platforms like Zoom and Slack, specific reminders about the requirements concerning their use should be provided.
  - Do employees understand that all of the same rules apply when it comes to protecting the company’s trade secrets and other confidential information?
    - Is it clear that the informality of home does not translate to a relaxation of the need to protect and protocols for protecting trade secrets and other confidential information?
      - Have employees been told that it is critical to follow the same policies and procedures for marking and handling documents and information?
        - Have employees been told that if information was not to be accessed, printed, used, shared, or disclosed before, it should not be accessed, printed, used, shared, or disclosed now?
    - Have employees been instructed that confidential information should not be viewed where others may see it?
    - Is it clear that this includes on their computers in their home?
    - Are all video cameras turned off or sufficiently directed away from the workspace?
    - Have employees been told that confidential information should not be discussed publicly or anywhere else others may overhear it?
    - Are phone calls or video calls made from or received in a location – whether inside the house, in the yard, or elsewhere – where no one can hear?
      - When calls are on speaker, is the volume sufficiently low to avoid anyone from hearing?
        - Can headphones be used (to address the inbound portion of the communication)?
Step Five: Communicate and Reinforce Expectations
Having policies and procedures that no one understands, remembers, or follows undermines the reason for having them in the first place. The key to ensuring their ongoing utility is employee education and training on a periodic basis. This is particularly true now, when employees have been thrust into a new work regime, which may require very different processes and procedures from what they are used to.
- Is trade secret training provided at the start of employment in connection with employee onboarding and orientation and then at periodic intervals during the course of employment?
- Do the trainings explain what trade secrets are, why they are important to the company, and that protection of the company’s trade secrets is of critical importance?
- Do the trainings instruct employees to review and comply with the company’s policies and procedures?
- Do the trainings instruct employees to comply with any preexisting obligations to prior employers?
  - Do they explain that the company does not want trade secrets of others?
  - Do they instruct employees not to bring, use, or disclose information from prior employers (or others)?
- Do the trainings cover important restrictions on access to and use of trade secrets?
  - Do they reinforce that employees should not access (or try to access) information that they do not have a right to access?
  - Do they reinforce that employees should not access (or try to access) parts of the network they do not have a right to access?
  - Do they reinforce that employees should not use company information for any purposes other than for the company’s benefit, as authorized by the company?
  - Do they instruct employees to review their contractual obligations?
  - Do they reinforce obligations to third parties?
- Do the trainings address how to avoid inadvertently installing malware?
  - To the extent the use of USB devices is permitted, are employees instructed that such devices – including thumb drives distributed at conferences – may contain malware?
- Are employees trained on the following:
  - To be suspect of emails from people they do not know?
  - That unusual language, broken English, typographical errors, and other mistakes in emails, texts, and similar communications are oftentimes an indication that the message is a scam?
  - Not to click on links or open files that they were not expecting until their authenticity is confirmed?
  - To investigate any request for information when the request was not anticipated or seems unusual?
  - To check the return address in emails before responding to the email?
- Do the trainings encourage employees to ask for assistance if there is any uncertainty about what is confidential or how to protect it?
- Does the company ask employees to watch for and report suspected actual or potential misappropriation or other policy violations?
Step Six: Monitor Compliance
Trust but verify. While companies may hope and assume that their employees will comply with all security measures, policies, and trainings, there is no foolproof way to ensure it. Accordingly, companies should consider monitoring for compliance – whether on a continuous or spot-checking basis. Even when monitoring is limited and unlikely to catch misconduct or inadvertent trade secret exposure, it may still have the benefit of encouraging employees to think twice.
- Does the company monitor network activity and email traffic?
  - Are alerts sent for suspicious or prohibited activities, including, for example, the following:
    - Spikes in usage or data transfer?
    - Large downloads from or uploads to the network?
    - When employees connect to unauthorized file sharing and FTP sites?
    - Substantial printing?
    - Access to certain areas of the network?
    - When USB storage devices are connected, particularly if they are prohibited?
    - Are emails screened for attachments potentially containing trade secrets or keywords disclosing trade secrets?
- Does the company check that all policies and procedures are being followed?
  - Have all employees signed the necessary acknowledgements and agreements?
  - Have all employees undergone the required trainings?
  - Is there a process for reviewing whether employees have brought or used third-party information?
  - Is there appropriate discipline if policies or procedures have not been followed?
Step Seven: Exit Practices and Procedures
Even in the best of circumstances, departing employees pose a significant risk to a company’s information and customer relationships. These risks are significantly increased in times of crisis and economic turmoil, particularly when employees are furloughed, laid off, feeling disconnected, or just in need of a change. Accordingly, it is extremely important to take this opportunity to lock down as much as possible at this last stage of the employment relationship. This involves four basic steps: (1) conducting the exit interview; (2) terminating post-employment access; (3) recovering all equipment; and (4) evaluating the potential risks.
- Exit interviews are ideally performed in person, though when that is not possible, they are best conducted through videoconferencing tools like Zoom. The purpose of the exit interview (from a trade secret protection standpoint) is to understand what, if any, risks are posed by the employee’s future plans and to remind the employee of ongoing obligations to the company.
  - Where is the employee going?
    - What is their new role?
    - What are their duties?
    - Will the new job violate their ongoing obligations?
    - Will it place the company’s trade secrets (or goodwill or other legitimate business interests) at risk?
    - Is there a way to protect the company’s interests while allowing the employee to work in the anticipated role?
    - Does the company remind employees about their ongoing confidentiality obligations and any other obligations?
    - Is the exit interview documented?
- Post-employment access to any company equipment and information must be terminated immediately, absent some continuing relationship necessitating and warranting continued access. This is also true in connection with furloughed employees, who, although not officially separated from the company, are not working and therefore should no longer have access to company equipment or information.
  - Does the company immediately terminate the employee’s access to all company resources and accounts, including each of the following:
    - Computer network?
    - Email?
    - Phone system and voicemail?
    - Company cloud storage accounts?
    - Third party platforms used for business, including, for example, DropBox, Microsoft 365, and contact management systems like Salesforce?
    - To the extent not covered by the above, does the company change all of the employee’s passwords upon termination?
    - Is there a process for remote wiping or purging company information from the employees’ personal devices?
    - Is there a process to disable any physical access cards retained by the employee?
- Recovery of company-owned equipment, materials, information and other property is a critical step in the departure process.
  - Is there a process to collect all electronic equipment, such as laptops, tablets, smartphones, external storage devices, and other devices?
    - Is the company set up to arrange (and pay) for the equipment to be shipped back when workers are not coming into the office?
      - If that is not feasible, is the timing such that a forensics company needs to remotely gather a forensic image of a device’s hard drive?
      - Are all devices returned intact?
    - Will the employee cooperate with the company to disentangle personal information and files (e.g., family photos) from work devices and work information?
    - Is there a process to collect all hardcopy documents and materials?
    - Is there a process to collect all other property, including access keys, badges, credit cards, etc.?
    - Is all returned property inventoried?
    - Will the employee certify that everything has been returned and nothing has been retained?
    - Have remaining employees been advised of any restrictions regarding communications to or from the furloughed or former employee?
- Evaluation of the risk to the company’s information will often require nothing more than a quick determination that the employee poses no substantial threat. Other times, it may be readily apparent that the employee poses a significant threat. In many cases, however, the process is more involved. When the answer is not obvious, the company can ask a series of questions to assess the level of threat and appropriate next steps, up to and including full enforcement of the company’s rights. When all of the questions are answered in the affirmative, the risk will typically be at its height.
  - How great a risk does the employee pose based on the following seven, high-level questions? (See Venn diagram below for a visual assessment.)
    - Was the employee in a senior / strategy role or exposed to sensitive trade secrets?
    - Can the information to which the employee was exposed be retained in memory and used elsewhere?
    - Was the departure sudden or did it occur at a critical juncture?
    - Is the employee going to a competitor?
    - Will the new role result in the inevitable use or disclosure of the company’s information?
    - Was the departure involuntary (or otherwise not amicable)?
    - Did the employee take, retain, or delete information and, if so, was it intentional (as opposed to part of the normal course of work or routine backups)?
  - Does the risk warrant a forensic review of the employee’s computer?
    - Does the email history reveal any misconduct?
    - Are there any logs that reveal that the employee accessed, downloaded, or printed information or documents at a time, in a volume, or of a nature that should not have been accessed, downloaded, or printed?
    - Were USB storage devices connected?
    - Did the employee use Dropbox, iCloud, Google Drive, Microsoft 365, or other online storage or backup sites?
    - Does the internet search history reveal any improper conduct?
    - Is there a process to monitor for and assess signs of misconduct?
    - Is the employee’s work email forwarded to someone at the company to watch for misdirected emails from customers?
    - Are the employee’s social media accounts monitored for evidence of improper conduct?
    - Are there unexpected changes in the marketplace?
    - Is the company losing business that it expected to get?
      - If so, is it likely due to the employee’s conduct or some other market condition (such as the effects of COVID-19)?
      - Is there a sudden new competitor?
      - If so, is the employee involved?
      - Has the employee attempted to access the company’s systems?
      - Under what circumstances?
        - Did the company fail to turn off access?
        - Is there a form (digital or electronic) for reporting and investigating an incident?
      - Is a private investigator warranted?
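The Step Six alert triggers (large transfers, usage spikes, unapproved file-sharing and FTP sites, substantial printing, USB devices) and the Step Seven log-review questions (after-hours access, a departing employee's activity), expressed as detection logic over a handful of constructed activity-log lines. This is an added example, not code from the original post or its author; the log format, the thresholds and the list of unapproved sites are assumptions to be tuned to a company's own environment.

```python
# Added example, not the post's own code: the Step Six alert triggers and the
# Step Seven post-departure log review, run over constructed log lines whose
# format (timestamp|user|event|detail|bytes) and thresholds are assumptions.
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2020-04-20T09:15:00|alice|download|/shared/q2-forecast.xlsx|2400000
2020-04-20T22:10:00|bob|download|/shared/customer-list.csv|850000000
2020-04-20T22:12:00|bob|usb_connect|removable drive|0
2020-04-20T22:20:00|bob|upload|dropbox.com|850000000
2020-04-21T08:00:00|carol|print|/shared/memo-1.docx|0
2020-04-21T08:01:00|carol|print|/shared/memo-2.docx|0
2020-04-21T08:02:00|carol|print|/shared/memo-3.docx|0
2020-04-21T10:00:00|dave|ftp_connect|ftp.example.net|0
"""
# Assumed thresholds; a real deployment tunes them to its own baseline.
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024   # one download or upload
DAILY_SPIKE_BYTES = 500 * 1024 * 1024      # one user's total for a day
PRINT_JOBS_PER_DAY = 2
WORK_HOURS = range(7, 20)                  # 07:00-19:59 counts as normal
UNAPPROVED_SITES = {"dropbox.com", "drive.google.com", "icloud.com"}

def parse_log(text):
    """Split the pipe-delimited log into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, event, detail, nbytes = line.split("|")
        events.append({"day": ts[:10], "hour": int(ts[11:13]), "user": user,
                       "event": event, "detail": detail, "bytes": int(nbytes)})
    return events

def alerts(events):
    """(user, rule, detail) for each Step Six trigger, plus the after-hours
    check that a Step Seven forensic review asks about."""
    out, daily_bytes, prints = [], defaultdict(int), Counter()
    for e in events:
        user, key, kind = e["user"], (e["user"], e["day"]), e["event"]
        if kind in ("download", "upload"):
            daily_bytes[key] += e["bytes"]
            if e["bytes"] > LARGE_TRANSFER_BYTES:
                out.append((user, "large_transfer", e["detail"]))
            if e["hour"] not in WORK_HOURS:
                out.append((user, "after_hours", e["detail"]))
        if kind == "ftp_connect" or (kind == "upload"
                                      and e["detail"] in UNAPPROVED_SITES):
            out.append((user, "unapproved_site", e["detail"]))
        if kind == "usb_connect":
            out.append((user, "usb_device", e["detail"]))
        if kind == "print":
            prints[key] += 1
    out += [(u, "daily_spike", f"{d}: {n} bytes")
            for (u, d), n in daily_bytes.items() if n > DAILY_SPIKE_BYTES]
    out += [(u, "substantial_printing", f"{d}: {n} jobs")
            for (u, d), n in prints.items() if n > PRINT_JOBS_PER_DAY]
    return out

def departure_review(events, user):
    """Step Seven: the same rules, filtered to one departing employee."""
    return [a for a in alerts(events) if a[0] == user]
```

Run against the sample, the benign daytime download produces nothing, while the after-hours bulk copy to a USB drive and a file-sharing site, the printing burst, and the FTP connection each surface as separate alerts.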
Step Eight: When All Else Fails, Have a Plan and Implement It
While the goal is to avoid the need for enforcement of the company’s rights (in particular through lawsuits), unfortunately no amount of protection efforts, education, or training will prevent some people from doing something they should not. Accordingly, the company needs to have an “incident response plan” (“IRP”) – and a designated person (or team) responsible to lead the incident response – before there is an accidental or intentional disclosure or use of the company’s confidential information.
- Is there a person or team responsible for responding to misappropriation or breaches of restrictive covenants?
- Is there a reason not to send a letter reminding the departed employee of their confidentiality obligations and any other post-employment restrictions?
- Is a cease and desist letter warranted?
- Should the new employer be contacted?
- Is litigation necessary?
  - If so, is a temporary restraining order, preliminary injunction, or similar emergency relief necessary?
    - Does the need for injunctive relief take into account the current circumstances?
      - Are damages a sufficient, even if not complete or satisfactory, remedy under the circumstances?
      - If restrictive covenants are involved, can they be enforced?
      - Was the employee furloughed or laid off?
        - If so, does it affect enforcement?
        - Are the courts enforcing restrictive covenants in the jurisdiction?
      - Are the courts available for injunctive relief in sufficient time?
      - If not, are courts in other potentially appropriate venues available given the current circumstances?
Takeaways
Courts help those who help themselves. But companies are best off protecting themselves so they don’t need the courts – especially now, when what the courts (and we as lawyers) consider an emergency has fundamentally changed.
Accordingly, given the current circumstances, following this checklist should help companies quickly identify what they’re doing right and what they need to do differently.
If you would like our more detailed checklist, please email me.
Thank you to Erika Hahn for working this through with me and to Steve Reed for proofreading it for me – a substantial task, given its length!