The need for robust trade secret protection policies
Under U.S. state and federal law as well as the EU Trade Secrets Directive, a trade secret is generally defined as information that the owner has taken reasonable measures to keep secret, and that has economic value from not being generally known by others. Trade secret protection extends to a wide spectrum of information and technology, including research and development materials, technical know-how, source code, manufacturing processes and techniques, customer lists, marketing plans, business and financial information, and vendor information.
Unlike patents, trademarks and copyrights, which are formally registered with the government and thus presumed valid, trade secrets are not. Nonetheless, they often comprise a large portion of the value of a company’s IP assets – and sometimes secret technical formulae or processes represent the company’s “crown jewels.” But for IP assets protected under trade secret law, it is critical that companies take the necessary steps to keep them secret. Otherwise, companies risk not being able to enforce those rights in the event of theft.
Maintaining strict controls around company trade secrets is all the more important given the massive increase in IP theft in recent years, with increased security threats from new hacking technologies, competitors, supply chain vendors and contractors, and foreign state actors. A recent report to the U.S. Congress estimated total theft of U.S. trade secrets at anywhere between $180 billion to $540 billion per year.
Against this backdrop, having a robust trade secret protection program has become more important than ever, and the COVID-19 pandemic raises a variety of issues that companies should examine with an eye toward strengthening or adapting their internal controls and policies.
Heightened concerns for a remote workforce
With much of the workforce suddenly working remotely, companies should consider at least the following steps:
- Assess your company's secrets and how they are being protected. Identify what they are, where they are located (servers, shared drives, cabinets, reactors), who has access to them, and what measures are currently in place to protect them. Business partners, vendors, and other third parties may have copies of certain secret technology (under nondisclosure agreements), and it is important to know how they are protecting the company's secrets in their changed circumstances during the pandemic.
- Reinforce confidentiality obligations. Remote-working policies should include reminders about existing employee confidentiality obligations and policies, and practical advice about how to handle confidential information at home. Consider preparing “e-training” reminders and requiring confirmation that they have been viewed.
- Shore up access restrictions. Along with having employee and vendor confidentiality agreements, the company should have policies in place to internally restrict access to trade secrets and confidential materials. If not, such policies should be implemented now. Even if such policies do exist, now is the time to minimize the risk of theft or improper disclosure by segmenting access on a “need to know” basis – for example, limiting access by business unit (R&D versus manufacturing), or subgroups within business units (for example, by product lines or specific research projects). Even with sophisticated companies, some of the worst trade secret thefts occur when a single employee can access virtually all of the company’s confidential R&D or other materials. This risk is heightened now, when companies are busy addressing the myriad “front burner” issues impacting their business.
- Restrict at-home use. Confidential materials should be encrypted and password protected, and companies should consider limiting or altogether restricting employees’ ability to save confidential information on personal devices, print such materials from home, or take other actions that threaten disclosure of confidential information. Employees should be instructed that any confidential materials kept at home need to be maintained securely.
- Implement a reporting protocol. Remote-working policies should include a clear protocol for employees to identify and report any suspected cyberattacks, security breaches, or inadvertent disclosures of confidential information. At the management level, there should be an incident response plan in the event of a serious breach.
Use of secure networks
The transition to a remote workplace has led to a sharp increase in the number of COVID-19-related phishing and other cybersecurity attacks, some of which have been directed toward stealing a company’s trade secrets or confidential information. Consider the following protective measures:
- Ensure secure connections. Use secure and fully patched VPNs with multifactor authentication, properly configured firewalls, and current anti-malware and intrusion prevention software. Where possible, company business should be restricted to company-managed VPNs and work-issued devices.
- Monitor access. Monitor internal networks for irregular activity, such as downloading large volumes of files or data and, where feasible, for employee access to sensitive databases containing trade secret information.
- Train employees. Remote workers should be alerted to heightened cyber risks and reminded to be careful about clicking on links. They should also be instructed to password-protect their own Wi-Fi networks and not to use public Wi-Fi networks for confidential communications.
- Use secure communication platforms. Employees should be instructed to use secure company email accounts for work communications, and not personal accounts. Highly confidential materials should not be transmitted or shared via unsecure platforms. If using Zoom, for example, employees should secure communications as much as possible by using passwords, disabling file sharing, implementing host-only sharing, and following the FBI’s other recent recommendations to prevent “Zoombombing.” Alternatively, companies should consider choosing a service provider that offers end-to-end encryption.
The impact of terminations and furloughs
Widespread workforce reductions require strict adherence to company policies that protect confidential information from risks created by departing employees.
For terminated employees, key measures include:
- Requiring the return or permanent deletion of all company information, including confidential information, and return of company devices. During the pandemic, companies may need to be more proactive to retrieve such materials promptly from employees’ homes, including arranging delivery logistics and safe storage means for companies whose business premises remain closed.
- Reminding employees of contractual confidentiality obligations and obtaining written certification that the employees (a) have complied with their contractual obligations, (b) understand continuing obligations, and (c) have returned all confidential information and removed it from any personal devices.
- Disabling the employees’ network access and accounts.
- Monitoring network activity prior to departure of high risk employees (such as those going to competitors or with significant trade secret exposure) and preserving forensic copies of returned computers (before the computers are turned back on) and other devices where appropriate.
Any furloughed employees should be reminded of their contractual and ongoing obligations to maintain company trade secrets and confidential information in secrecy during their furlough (and, in fact, during the furlough period, such employees should not have access to the company’s networks or other electronic systems).
The need for a comprehensive trade secret audit
A trade secret audit entails identifying the company’s secrets, assessing current protective measures, evaluating and addressing shortcomings, and creating a comprehensive, written trade secret protection plan – consistent with the company’s business objectives – for consistent governance on these issues. Once trade secrets are gone, they are virtually impossible to get back. Conducting an audit now and implementing improved policies minimizes the risk of theft and inadvertent disclosure of company trade secrets, as well as the potential damage if such events occur.
Our team is at the ready to assist with an audit and advise on how best to protect trade secrets and other IP assets.
Our Reed Smith Coronavirus team includes multidisciplinary lawyers from Asia, EME and the United States who stand ready to advise you on the issues above or others you may face related to COVID-19.
For more information on the legal and business implications of COVID-19, visit the Reed Smith Coronavirus (COVID-19) Resource Center or contact us at COVID-19@reedsmith.com.
Client Alert 2020-253