Even before the COVID-19 pandemic, many employers offered remote work options. Now employers all over the world are encouraging or requiring their employees to work remotely from home. This means employees are accessing, maintaining, and sharing proprietary information outside of the office more frequently than ever before, thereby increasing the risk of employee and third-party IP theft.
Luckily, even in a remote-work world, there are a variety of measures employers may consider to reduce the risk of IP theft:
- VPN: Employers can maintain proprietary information on their network and ensure that the network is remotely accessible only when using the employer-controlled VPN.
- Inventory Tracking: Many employers issue company-owned laptops, phones, and business accounts and require that employees perform remote work using only those devices and accounts. When issuing those devices, companies can utilize inventory tracking and control applications, such as barcoded devices, to manage and track the assets during deployment and ensure their safe return. However, during a crisis, it may not be feasible to deploy company-issued devices; still, employers can take steps to address security of personal devices, including, for example, facilitating integration of security applications and VPN systems into employees’ personal devices—to the extent they are used for work purposes—so employers can monitor and manage employees’ personal devices like they would their company-owned devices.
- Employee Awareness and Training: The risk of IP theft by hackers and phishers is particularly high; many of these bad actors are technologically savvy and they may attempt to use the present COVID-19 crisis to their advantage. There are, however, various steps employers can take to help address this risk. Employers can, for example, clearly communicate security protocols to their employees, including restrictions on use of personal devices and accounts for work purposes, which may include having employees sign remote working agreements. Employers can also educate employees about how to spot and avoid typical phishing scams, like deceptive phishing (impersonating a company like Google), spear phishing (customized targeted emails), and executive fraud (impersonating a CEO or other high-level executive), as these scams, which often involve tricking the target into clicking on a malicious URL or email attachment, can expose an employer’s proprietary information even if the employee is using a work device and VPN. IT and security personnel can likewise be on the lookout for COVID-19-related phishing emails. Additionally, employers can implement training on remote work that addresses where and how employees can use proprietary information while working remotely. Without being able to physically monitor employees, there is always a risk they may choose to work in a public space; this can lead to accidental disclosures of sensitive information through, for example, an unattended laptop, a print job sent to a publicly accessible printer, or hardcopy documents left behind. Remote working agreements that delineate from where employees can work and how hardcopy documents should be treated can help to mitigate these risks.
- Security Protocols: Creating strong security protocols can help employers keep their proprietary information safe. Employers can, for example, limit employee access to data on an “as needed” basis—particularly for sensitive information like trade secrets. Administrative safeguards, such as password protection, restrictions on access (e.g., “need-to-know” access for portions of databases), restrictions on printing, and multi-factor authentication for sensitive documents and databases, can be implemented to ensure access is only granted to those employees who truly need such access. Logs monitoring access to sensitive data can be maintained and checked regularly for unauthorized or unusual access. Similar monitoring of physical systems, such as routers and servers, can be conducted as well. Moreover, employers whose employees frequently discuss confidential information over phone or video chat may want to consider instructing employees to turn off in-home smart speakers (such as Amazon Echo and Google Home) during working hours to address the risk of such devices recording confidential conversations while employees are working from home.
- Clear Authorization Parameters: Employers can clearly delineate what types of information each employee or position has authorization to access. Setting clear authorization parameters can decrease the number of employees who have access to proprietary information and set employers up for successful lawsuits in the event an employee exceeds their authorization. For example, the Computer Fraud and Abuse Act (“CFAA”) criminalizes conduct involving accessing a computer without authorization or exceeding authorized access, but the CFAA is only effective when the employee’s authority to access information is sufficiently defined.
- Software Security and Monitoring: Some of the most profitable companies in the world license their software to other companies as their primary means of revenue. As more employees are forced to work remotely, the risk of unauthorized software use is likely to increase (e.g., giving employees unauthorized access to software on their home computers). Therefore, licensing companies should ensure that their software is protected by robust encryption measures and that their employees understand how to securely facilitate access to authorized users only. Companies may also consider investing (if they haven’t already) in license monitoring software to detect and possibly halt unauthorized use. Notably, under the Digital Millennium Copyright Act (“DMCA”), each “circumvention” of an access control exposes the violator to anywhere from $200 to $2,500 in statutory damages; therefore, companies may want to invest in technology that accurately detects and records each time an access control is broken.
- Maintaining Sense of Community and Common Purpose: Perhaps the most insidious risk created by large numbers of employees working remotely is the loss of community, camaraderie, and common purpose. When employees feel like they are a part of a team and share a common purpose, they are less likely to betray their employer (and their fellow employees) by misusing proprietary information. But with everyone working remotely, and no face-to-face interaction, employees may lose that sense of camaraderie and common purpose, which may lead employees to behave in ways they otherwise wouldn’t, especially if they feel they may be laid off due to the COVID-19 crisis. To combat these challenges, employers can schedule regular team meetings, whether by phone or video conference, and actively reach out to employees to ensure they feel like valued team members.
- Increased Preference for Patents: Companies that conduct R&D have always had the choice to either guard the results of their R&D as trade secrets or publicly disclose the results in exchange for patent protection. One of the primary advantages to protecting R&D as a trade secret is that the information can theoretically remain protected in perpetuity, while a patent right only grants a 20-year monopoly. However, as companies are forced to conduct R&D remotely, thereby increasing the risk of exposure of such R&D, patent protection may become a more attractive choice because public disclosure in exchange for a patent effectively eliminates the risk of unauthorized disclosure. In such cases, companies should keep in mind that the U.S. is now a first-to-file patent system, meaning it is best to file for patents as early as possible. This may mean involving patent attorneys early on during the R&D process to determine the proper time for public disclosures and patent filings; companies should also be sure to emphasize clear internal communication regarding the status of R&D efforts so that patents are filed as soon as possible.
- Non-Disclosure and Confidentiality Agreements: These agreements should require employees to use proprietary information for work purposes only and not to disclose such information to third parties except when necessary and authorized by someone with authority to permit such disclosure. Companies may also want to use NDAs/confidentiality agreements when contracting with independent contractors and/or partners, especially as companies increasingly look to third parties for support rather than adding employee headcount.
- Reasonable Efforts to Maintain Secrecy: In order for information to qualify for trade secret protection, it must be the subject of “reasonable efforts” to maintain its secrecy—this generally includes steps like requiring employees to sign confidentiality agreements, limiting access to the information on a need-to-know basis, and using security measures like encryption to protect the information. However, what constitutes “reasonable efforts” varies depending on the circumstances; therefore, if a company has instructed employees to work remotely, it may be prudent to reassess current protocols to ensure the company is meeting the “reasonable efforts” standard during the remote-work period.