Protecting trade secrets at home: the risks of remote working through COVID-19 (World Intellectual Property Review)
Because of the very nature of trade secrets, it is prudent to prioritize and invest in preventive measures to protect them, rather than hoping for a cure after the event as in the current pandemic, say Jones Day partner Rebecca Swindells and trainee Andrew Aistrup.
COVID-19 has forced businesses around the world to adapt rapidly to new ways of working. For some, government-ordered lockdowns and social distancing policies have resulted in entire workforces being redeployed to work from home, while others have made the more difficult decision to furlough or terminate employees altogether in an effort to weather the storm.
Both scenarios raise a number of logistical and, invariably, human challenges. One that may not have been at the fore of consideration is the ongoing protection of trade secrets, a particularly sensitive concern during times of crisis.
Through disruption to normal procedures, heightened risks of disclosure present themselves, and ultimately many businesses will rely on the commercial value of the information to carry through to the other side once operations can return to a more normal state.
Unlike many other forms of intellectual property, the existence and perpetuity of a trade secret depend on its being kept a secret and, per EU Directive 2016/943, an owner in the UK/EU will need to show that it has taken reasonable steps to do so. Similar requirements can be found in a number of jurisdictions, for example in the US where a “reasonable efforts” obligation forms part of the statutory test. This onus subsists, even when it may be more difficult to ensure maximum secrecy and to determine whether such information is being accessed and made use of remotely.
Risks of working from home
Trade secrets that are accessible to employees are most commonly stored in the form of data. While there may be little difference in how an employee interacts with data in their workplace and their home (ie, access via the same devices), a number of risks might be exacerbated through remote working arrangements. These include:
- Unauthorized copies (digital or hard copy) of trade secret information being made and disclosed (intentionally or otherwise);
- Authorized copies made, but without an adequate level of security applied to their location and storage;
- Information being accessed and stored over an employee’s public or unsecured network;
- Less visibility over communications (content and format) from employees to external third parties;
- Data security parameters being relaxed;
- Oversharing of trade secrets to non-essential personnel within the business;
- Use of non-work issue devices that may have serious security issues;
- Inadvertent disclosure to other household members or to third parties, eg, by failing to dispose effectively of documents containing confidential information; and
- Greater reliance on email, and the risk of phishing and spam.
These risks are not unique to remote working arrangements, but extended periods can greatly reduce visibility and control over how employees work and their handling of trade secret information.
The Absolute Software “2019 Endpoint Security Trends Report” revealed that more than 42% of endpoint devices experienced encryption failures at any point in time and, regardless of industry, 100% of devices experience encryption failures within one year. It is for these troubling reasons that additional safeguards should be considered, both as part of remote and standard workplace procedures.
Setting standards and managing risk
Clarity of policy and categorization of trade secrets are vital first steps for the education of employees, as are regular reminders of these policies, particularly during periods of extended remote working arrangements.
As part of any remote working strategy, a number of safeguards to reduce the risk of inadvertent disclosure or misuse of a trade secret should be considered. Such safeguards may include:
- Ensuring all trade secret information is clearly labeled as confidential, with regular reminders to the workforce about how to identify, use, and protect this information. Automated pop-ups may be programmed on each occasion that an employee accesses certain documents or programs;
- Using and regularly updating appropriate levels of data encryption and system security, particularly on remotely accessible systems;
- Reviewing data copying/printing policies and considering restrictions for certain information;
- Limiting access of trade secret information only to those who require it;
- Reviewing, and if necessary, revising with legal counsel, non-disclosure agreements with employees, or confidentiality provisions in employment contracts;
- Investing in a secure VPN system to overcome network security or privacy issues that may arise from home network connections;
- Using remote download monitoring software for key files or folders;
- Where possible, providing all necessary IT equipment (eg, laptop, phone) and prohibiting use of personal devices for work matters, or the transfer of information outside of work devices;
- Using secure document exchange systems rather than emails, which may be vulnerable to attack;
- If trade secret information is being shared with a collaborative third party, ensuring that the precise scope of any information-sharing agreement is clear to all employees involved. Similarly, if third-party trade secrets are being shared into the business, employees should be trained on, and made aware of, the precise scope of their permitted use and disclosure; and
- Continuing to follow internal best practice guidelines on limitation and tracking of third-party disclosures.
When considering which risk management safeguards to implement, a proportionate approach should be taken relative to the scale and value of the trade secrets in question. During the COVID-19 pandemic, the life sciences industry is likely to be particularly sensitive to these issues, and businesses are expected to be reviewing and scrutinising their remote working procedures in balance with the need to facilitate ongoing operation.
Risks from terminated employees
As well as the risk of employees inadvertently disclosing or misusing trade secrets, businesses should also be mindful of what information terminated employees may take with them on departure. This is all the more difficult to police remotely where such employments come to an end during the lockdown period; it may be prudent to postpone decisions on such terminations of high-risk employees until “normal” business resumes.
Actions in the event of a breach
In the event of a suspected breach, prevention of further occurrences should be an immediate priority. How did the breach occur? What security or training measures might be necessary to prevent future breaches? What additional safeguards should be considered, even if only interim measures during the extended remote working period?
Beyond taking preventive measures, there is a wide range of legal remedies available from the courts in instances of foul play, including interim injunctive relief to prevent further damage. The UK courts allow for particularly draconian measures in appropriate cases, including search and seizure orders, preservation orders and delivery up or destruction of infringing material.
On the court’s satisfaction that there has been a misappropriation of trade secrets, the owner may be entitled to either an award in damages, or an account of profits. The former is calculated by reference to the claimant’s loss, and the latter by reference to profits enjoyed by the defendant as a result of its infringing acts.
In the UK, remedies in tort aim to effectively restore the claimant to its position as if the misappropriation had never occurred, although remedies for leaks of confidential information may be difficult to quantify if there is permanent and lasting damage.
Because of the very nature of trade secrets, therefore, it is prudent to prioritise and invest in preventive measures to protect them, rather than hoping for a cure after the event.
Reprinted with permission from the April 21, 2020 issue of World Intellectual Property Review. © 2020 Newton Media Ltd. Further duplication without permission is prohibited. All rights reserved.