WFH (“working-from-home”)? It’s the new normal. We know the coronavirus pandemic is temporary, but in a few months, when the work-at-home-quarantine is no more than a bad memory, we also may be forced to engage in damage control to address serious and unintended consequences of the access given employees to company networks and databases enabling work from home. At this time, many companies are either preparing their employees to operate from their homes for the foreseeable future or the employees have started to work-from-home already. With various states issuing executive orders requiring many individuals to stay home, companies must adapt quickly. As these companies are creating and otherwise checking their lists, they have to be sure not to forget about protecting their trade secrets and confidential information from misappropriation.

A company may lose trade secret protection if it does not implement and enforce proper procedures. Courts consider many factors when deciding whether to grant trade secret protection to a company. For example, one factor courts have examined is whether employees have the ability to download company information onto their own personal computers. With the current landscape of our society and, in particular, the increased number of employees working from home due to the coronavirus, some companies may feel compelled to increase their employee’s remote access to information. As a result, confidential information may be at risk of being transferred surreptitiously, including protected trade secrets.

Trade secrets include those items of information that generally are not known to competitors and that the company takes reasonable steps to keep secure and confidential. This information has an independent economic value. For example, client lists are generally (but not in all states) considered to be trade secrets. In Florida and Georgia, client/customer lists are specifically mentioned in trade secret statutes. In Delaware, Massachusetts, and Washington, under the right circumstances, courts have found that client lists should be afforded trade secret protection. Other examples of trade secrets may include chemical formulas, pricing formulas, logistics techniques, software codes, business plans, marketing data, and advertising plans. In short, if the confidential information creates value for your company because your competitor does not know it, then we recommend you treat it like a trade secret.

How can a company safeguard its trade secrets? Take steps to protect it. For example, if the trade secret is a formula stored electronically, password protect it separately, and do not allow all employees to have access—just those who have a need to know. If it is software code, then consider implementing the same or similar protections. Protecting trade secrets becomes more difficult when the number of employees with access to the protected information increases. Protecting client lists becomes more difficult when a company uses outside sales people—those people who need to continue to make connections with your customers to keep your supply chain moving. Keeping your client lists in a single source (SalesForce®, for example) helps control access and prevents copying and distribution. Compare that to an excel spreadsheet that can be printed, emailed, changed, imported and exported into a variety of mediums. If your company is using a medium that is that flexible, now is the time to move that information to a secure place.

A few tips and reminders:

• Review your employee handbook. If there are existing confidentiality obligations, take a moment to remind your staff of those obligations (e.g. cut and paste into an email) and, if necessary, update or re-visit these obligations to account for employees working from home. Whether or not your handbook contains any existing confidentiality obligations, you may want to consider (i) reminding your employees that they must protect and otherwise ensure that confidential information remains protected when working from home, which includes having their home WIFI password-protected; (ii) reiterating to your employees that, unless authorized by the company, they are prohibited from maintaining or transmitting confidential information through non-company accounts (e.g. personal emails, social media); (iii) prohibiting your employees (to the extent possible) from printing documents and leaving them out in the open; and (iv) frequently sending out a notice of confidentiality to the employees to let them know that just because they are working from home, that does not mean their obligations to the company have disappeared. For example, the notice could read:
  
  Team: Please remember that is our obligation—wherever we are working—to maintain the confidentiality and security of the company’s data. [Reference employee handbook, if applicable.] That includes our customer lists, pricing data, financial information, and the like. Please do not share company information with those in near proximity. Please do not download company information to any personal devices. If you need to share confidential information, please use secure transfer methods, including password-protecting files, as appropriate. Confidential communications via telephone should be taken where they cannot easily be overheard. If need be, take that call from the privacy of your car. If you have any questions about how to maintain the company’s confidential information, please contact your supervisor immediately.

Similar to the warning in the notice, if employees can sign on to company databases through a portal, remind those engaging in remote access that the information beyond this point is confidential and subject to restrictions. This is particularly important if your employees have not signed confidentiality agreements at the outset of their employment. If your company currently does not require employees to sign confidentiality agreements, the company should seriously reconsider. A basic confidentiality agreement is a keystone to protecting any type of trade secret. Such agreements can be tailored to meet your company’s particular needs.

• Do not move all the company trade secret documents to a free version of DropBox® for the time-being. Cloud storage services, particularly free ones, can be risky because they allow anyone with a link to the site the ability to transfer that information anywhere else. This information can then be copied and/or shared. Parties can also download this information to their own computers. There are better options available, including controlled services like Sharefile®, and others, that have advanced restrictions on access and downloading. If you must use DropBox, make sure to password-protect the documents. Take your time to research what works best for your company and employees.
• Keep track of your equipment. As everyone heads for the hills, who took home their work laptop or desktop? Was that equipment itself password protected (in addition to the key files)? Remind employees that any equipment taken from the office should be returned to the office at the end of the remote working arrangement (with all data intact). Remind employees that they are not to leave laptops, thumb drives, or other data in their cars and that they should be properly secured when not in use. It should be clear that confidential company information should be accessed only by those with prior authorization.
• Have a plan in place for when the system is overloaded. This may be reassuring for many companies, but also remind remote workers that they are not to copy or download any company or client sensitive information onto their own devices to avoid the slowness of working remotely. If there is an office-wide document retention system in place, ensure that it is secure and that employees can access it and use it to preserve data.
• Educate employees about cybersecurity safety. Companies need to take steps to educate employees on phishing and/or malicious emails. Your employees may receive an email titled “click here for the latest on the coronavirus in your area”, or other similar statements. Employees should only open messages from trusted sources, and immediately report anything suspicious.

When customizing a plan, there is no universal or a one size-fits-all approach to protecting trade secrets. Instead, each company must ensure that its efforts are reasonable under the circumstances to maintain or otherwise preserve its confidential information. If you have any questions regarding protecting your trade secrets or maintaining your cybersecurity, please contact Bret Cohen, Erika Birg, or Lynda Jensen.