Tips for Efficiently Managing New Trade Secret Risks Created by Shelter-In-Place Restrictions and Remote Working
On April 14, 2020, California Governor Gavin Newsom outlined the six “critical indicators” the state will monitor during the next phase of its COVID-19 response as it considers when to modify its statewide shelter-in-place order. Other states, including New York and Texas, have also begun announcing plans for when and how they will ease shelter-in-place restrictions and reopen some non-essential businesses. Companies must begin planning for this next phase, too, and one imperative for many companies will be taking stock of legal risks posed by widespread remote working.
Trade secrets are a key area of increased risk in this environment, and there are several concrete steps that in-house counsel can take now to address this risk. In-house counsel should focus these efforts on current and former employees and on business partners because statistics show that, unsurprisingly, in over 90% of state and federal trade secret cases, the alleged misappropriator fell into one of these categories.
Current Employees: “Reasonable Measures to Protect” Trade Secret During Remote Working
For employees, the widespread shift to working from home has created a unique environment for trade secret risk. Both the federal Defend Trade Secrets Act and the California Uniform Trade Secret Act require that parties take “reasonable” measures to protect the confidentiality of their trade secrets or else lose trade secret protection. 18 U.S.C. § 1839(3)(A); Cal. Civ. Code § 3426.1(d)(2). Cases have generally found that what is “reasonable” is flexible and depends on the kinds of measures that others involved in the same industry take to protect their valuable information.
The rapid shift to widespread remote working means that companies also must adjust their strategies for protecting their information. Even where previous security measures are still in place, they may be insufficient in this new landscape considering the dramatic increase in cybersecurity attacks during shelter-in-place. A study by Sophos Labs reported that COVID-19-related spam campaigns were on the rise in March and that over 1,700 malicious domains were using “corona” or “covid” in their names. According to Barracuda Networks, phishing emails spiked by over 600% since the end of February, with just 137 incidents in January, rising to 1,188 in February and over 9,116 in March. While the threat of cyberattacks or data breaches has always existed, the recent increases in online vulnerability and the increased reliance on personal devices and remote networks emphasize the need for companies to educate employees on best practices for reducing exposure to cybersecurity threats.
In addition to strengthening anti-hacking defenses, companies should strongly consider restricting access to sensitive information to only those employees on a “need to know” basis whenever possible. The “reasonable measures to protect” trade secret information is a flexible inquiry, but a statistical study of trade secret litigation found that courts are “15 times more likely to find that the owner engaged in reasonable efforts if the owner restricted access to employees than if the owner did not.” The same study found that “only three factors predicted that a court would find a plaintiff took reasonable measures to protect its trade secrets: agreements with employees; agreements with business partners; and restricting access to certain persons, such as the adoption of need-to-know rules.”
Many of the recent concerns related to cybersecurity and the protection of a company’s trade secrets have existed for years. The shift to a remote workforce triggered by health concerns and shelter-in-place orders is simply bringing these issues to the forefront in a visible and dramatic way—like a stress test for a company’s confidentiality practices and cybersecurity systems. While courts may excuse minor lapses or informalities considering the unusual circumstances created by COVID-19, that is far from certain. Strengthening trade secret protection now can establish internal procedures that benefit the company even in the post-pandemic world.
Former Employees: Layoffs and Furloughs Also Increase Trade Secret Risk
Increasing layoffs and furloughs caused by the pandemic also create greater trade secret litigation risk. The U.S. Department of Labor reported that, unsurprisingly, layoffs caused by the pandemic have led to a massive spike in claims for unemployment insurance, with 4.4 million new claims the week of April 18. This means that “the last five weeks have marked the most sudden surge in jobless claims since the Department of Labor started tracking the data in 1967,” according to CNN.
An April 2020 Lex Machina report on trade secret litigation found that trade secret cases “tend to occur when an employee leaves a company and takes some sort of know-how with them.” This analysis is consistent with the experience in our civil and criminal trade secret litigation practice—many of our cases stem from allegations involving former employees. With so many employees leaving so many companies during this crisis, the risk that some may seek to misuse valuable company information is especially high.
In-house counsel should review employee exit protocols that are in place and work with internal or external IT teams to develop a program for assessing trade secret risk when any employee who had access to sensitive information leaves the company. These programs can range in sophistication and cost.
For example, the simple step of preserving a former employee’s laptop and other work devices for a period of time instead of wiping and reusing them can help save crucial evidence of misconduct if the employee moves to a competitor or starts a competing line of business. For companies with greater IT resources, creating automatic alerts based on employee behavior (such as downloading sensitive files or emailing them to external addresses) can help stop trade secret theft before it damages the company. And conducting some degree of forensic investigation for key employees is also a sensible step.
Business Partners: New Risks Posed by Video Conferencing
Shelter-in-place orders have also changed the way companies interact with third parties and potential business partners. Key meetings where confidential information is shared are no longer taking place in a company’s conference room but are on video sharing platforms. The recent growth in video conferencing is dramatic. Zoom, for example, saw its peak number of monthly users surge from 10 million in December 2019 to 300 million this April. This explosion in Zoom’s popularity was quickly followed by a series of security issues, including unauthorized access to private meetings by hackers.
This shift to meeting online instead of in person eliminates some of the standard protective measures that some companies have in place.
For example, many companies with highly valuable trade secrets have routine policies of requiring outside guests to sign NDAs to access the company’s office building or to sit in on detailed presentations given at conferences or trade shows. During in-person meetings with third parties, physical documents can be stamped as confidential and controlled, and information can be conveyed electronically without providing third parties with actual copies of the information presented.
Now that these conversations are shifted to online communications, employees cannot rely on these routine NDA practices and may need to take more proactive measures to protect trade secrets. Creating a template confidentiality agreement for employees to use and requiring third parties to agree to NDAs before participating in video or telephone conferences before confidential information is exchanged could help recreate previous in-person safeguards that are no longer effective. Employees should continue to remain vigilant about protecting the confidentiality of documents shared with third parties electronically and should be reminded to emphasize the confidential nature of the documents in writing (preferably on the document itself) as much as possible.
Even as shelter-in-place restrictions begin to ease, it is reasonable to expect that the widespread use of video conferencing will continue. So it makes sense to establish protocols now that replace the physical security measures companies used when most of their workforce came to the office.
Tips for Mitigating Trade Secret Risks
Companies and in-house counsel should consider the following actions to reduce new trade secret risks posed by our new working environment:
- Designate and Restrict Confidential Information Where Practicable
- Designate sensitive information, either by marking documents (especially when those documents might be shared externally) or placing them in specified folders.
- If possible, restrict employee access to highly confidential information to those with a “need to know.”
- Encrypt and/or password-protect sensitive information when possible.
- Implement policies for securing and disposing of any copies that must be printed during this period, and inform employees of these policies.
- Bolster Privacy and Anti-Hacking Systems
- Continue working with IT and privacy teams to routinely audit and tighten up IT policies and remote access systems.
- Strengthen anti-phishing and network attack defense technologies meant to protect employees from accessing fraudulent websites.
- Consider anti-phishing training for employees.
- Review the privacy features of any screen-sharing or conferencing software to identify and eliminate any security vulnerabilities. Check software updates for these programs as they emerge. Consider altering the default settings or disabling certain features for such programs to ensure safe practices by employees.
- Enhance IT Resources
- Ensure that the number of simultaneous VPN connections is great enough to allow for safe remote access for all employees. Limited access could lead employees to find unauthorized and less secure workarounds.
- Source and implement network security, monitoring, and logging tools that enable the company’s IT teams to detect when employees are accessing company information over untrusted networks or unauthorized applications.
- Train Employees on New Security Measures
- Develop trainings to remind employees of their confidentiality obligations and to brush up on remote access policies.
- Remind employees to use secure networks for exchanging sensitive materials.
- Require employees to password-protect their personal Wi-Fi networks and not to use public Wi-Fi networks for confidential communications.
- Review or Develop Contractual Restrictions on Confidential Information
- Review employment contracts to ensure they impose confidentiality obligations on employees.
- Review form contracts with third parties to ensure they impose confidentiality obligations and preserve the ability for your company to develop competing technology
- Review protocols regarding requiring third parties to sign confidentiality agreements and ensure the process can easily be implemented during remote working.
- Develop and Strengthen Protocols on Employee Exits
- When employees leave the company, conduct in-house or third party forensic analysis of key employee devices and email accounts.
- Preserve devices as a backstop to conducting forensic analysis.
 David S. Almeling et al., A Statistical Analysis of Trade Secret Litigation in Federal Courts, 58 Gonz. L. Rev. 57, 69 (2010), available at: http://blogs.gonzaga.edu/gulawreview/files/2011/01/AlmelingSnyderSapoznikowMcCollumWeader.pdf
 Almeling, et al., supra, fn. 1, at 83 n.146.
 Id. at 82.