Client Alert
COVID-19 Shelter-in-Place Orders May Be Threatening Trade Secrets: What to Know
April 10, 2020
The COVID-19 pandemic has fundamentally changed working life. To date, in the United States, approximately 85% of states have enacted shelter-in-place orders, leading to an unprecedented surge in the number of remote workers. This means “at least 316 million people in at least 42 states, three counties, nine cities, the District of Columbia, and Puerto Rico are being urged to stay home.”1 For employers trying to protect trade secrets and other confidential information, this shift to remote work brings new risks, including the following:
Employees using unsecure networks;
Employees printing and storing physical materials off company property;
Third-party hacking, including on conference calls and videoconferencing platforms; and
Decreased employer security standards implemented to make it easier for employees to work from home, including permitting the use of personal email accounts or personal USB devices to transmit or download confidential company information.
Given these risks, there is a heightened need for employers using remote employees to take additional steps to protect company data. In fact, taking such steps may be necessary for a company to seek legal recourse in the event of trade secret misappropriation. In one case, a remote working arrangement did not affect the protection of trade secrets, only because the employer required employees to sign confidentiality agreements and provided network access, which obviated “any need to transmit messages and documents containing Plaintiff’s trade secret information to his personal account.”2 Likewise, in another case, the court granted Plaintiff’s motion for a preliminary injunction based on a trade secret misappropriation claim against Defendant employees who worked remotely, upon finding the Plaintiff employer “took steps to protect [confidential] information from falling into the hands of outsiders”, including through the use of confidentiality policies and by restricting access to confidential materials.3
In light of this, employers should consider the following best practices:
Leverage Existing Protections
Remind employees of their existing contracts, including employment agreements, confidentiality agreements, invention assignment agreements, employee handbooks, and any other agreements that provide for the protection of trade secrets and confidential information.
Provide training and/or written guidance discussing best practices for working from home to protect confidential information and trade secrets. Training and guidance should include an overview of the employer’s expectations for protection of information, usage of computers and electronic storage devices, as well as policies for holding video and/or teleconferences.
Work with Counsel to Create or Enhance Computer and Data Usage Policies
Ensure the company has computer usage and monitoring policies, as well as Bring Your Own Device (“BYOD”) policies, which should account for monitoring employees’ computers and laptops, external storage devices, internet history, email/webmail, instant messenger communications, and external and internal blogging.
Determine whether the company is subject to heightened compliance requirements (e.g., HIPAA requirements for healthcare businesses, legal privilege obligations for legal departments and law firms) and ensure specific protections are built into the policies in light of those standards.
Confirm that company policies provide clear guidance to employees regarding protection and destruction of physical documents containing sensitive information.
Remember that computer usage and data usage policies are not “one size fits all”, and suchpolicies should be closely tailored to the employer’s specific business model and reviewed by counsel to ensure compliance with state and federal law.
Ensure Remote Access Platforms Are Optimized to Protect Company Data
Survey employees to identify which devices they are using.
Limit employee access to company data and files on a need-to-know basis.
Supplement passwords and logins with multi-factor or two-step identification.
Use company-provided software to prevent viruses, phishing, and malware, and conduct training regarding these topics.
Encourage remote access through a Virtual Private Network (“VPN”), with strong end-to-end encryption.
Require additional levels of security, such as additional credentials or encryption, for employees who are downloading or transferring highly confidential information.
Prohibit use of public Wi-Fi.
Ensure that the Legal or Information Technology Department vets any video platforms employees use to discuss confidential or privileged information.
Create a Plan for Off-Boarding Remote Employees
If a remote work employee is laid off or terminated, create policies and procedures to ensure that the employee cannot steal or otherwise compromise the company’s trade secrets, and monitor for any attempts to access company data after termination.
Work with counsel to develop protocols for terminating remote employees, including a process for recovering company property, returning employee possessions, and conducting remote exit interviews.
If an employee has a company-issued computer or cellular phone that contains confidential company information, work with IT and/or a forensic expert to remotely lock the devices and safely recover the devices and data.
Plan for the Post–COVID-19 World
Create a protocol for the transition back to the workplace to ensure the company is prepared to review employees’ systems efficiently (if necessary) and can quickly remediate large amounts of data in employees’ possession.
For high-risk employees (including those with access to sensitive/critical data), have the employee certify that he or she has identified and remediated all company data in his or her possession.
Determine whether the company will keep some (and which) employees as remote workers following the return to normal working conditions.
Even after the shelter-in-place orders end, a remote workforce may be the reality for the foreseeable future. Employers should proceed with caution and protect their business assets and intellectual property. This is particularly true as the courts are closed in many jurisdictions and/or are hearing only emergency motions, so recovery of stolen confidential information may be a slower process than normal.[4]
1 See Which States and Cities Have Told Their Residents to Stay Home, April 7, 2020, Sara Mervosh, Denise Lu and Vanessa Swales (https://www.nytimes.com/interactive/2020/us/coronavirus-stay-at-home-order.html); see also How coronavirus has changed US employment, in 6 charts, April 3, 2020, Rani Molla (https://www.vox.com/recode/2020/4/3/21203199/state-of-employment-charts-unemployment-rate-claims-hiring-work-from-home) (“To get a sense of how coronavirus accentuated the trend, we looked at public company transcripts mentioning work from home. In April, there were 423 transcripts mentioning the topic — more than there were in the last decade combined — nearly all in conjunction with mentions of coronavirus.”).
2 API Ams., Inc. v. Miller, 380 F. Supp. 3d 1141, 1149-50 (D. Kan. 2019).
3 Computer Assocs. Int’l v. Quest Software, Inc., 333 F. Supp. 2d 688, 696–97 (N.D. Ill. 2004).
4 At least one court has suggested that an immediate hearing on a temporary restraining order to prevent misappropriation would not qualify as an emergency in the midst of a global pandemic. See Art Ask Agency v. The Individuals, Corporations, Limited Liability Companies, Partnerships, and Unincorporated Associations Identified on Schedule A hereto, C.A. No. 20-cv-1666 (N.D. Ill., March 18, 2020), slip op., available: https://www.courtlistener.com/recap/gov.uscourts.ilnd.374383/gov.uscourts.ilnd.374383.27.0_1.pdf (“Plaintiff recognizes that the community is in the midst of a ‘coronavirus pandemic.’ But Plaintiff argues that it will suffer an “irreparable injury” if this Court does not hold a hearing this week and immediately put a stop to the infringing unicorns and the knock-off elves. . . The world is facing a real emergency. Plaintiff is not.”).