
Corporate Counsel 1

10 Questions Companies Should Address for a Remote-Work Environment
The proliferation of remote work has created, and will continue to create, risks for
trade-secret protection with long-term consequences
By Corporate Counsel Staff


Companies face an unprecedented new normal—which may last for months or prove
permanent—of a fully or partially remote workforce. This transition to remote work has
forced rapid technology adoption (e.g., cloud-based technologies) and increased long-
and short-term risk for trade-secret protection. Below are ten key questions that
companies should ask, with practical guidance that they can follow, to safeguard and
protect their trade secrets in a remote-work environment.

1. Do employees understand what constitutes a “trade secret”?

What constitutes a “trade secret” is broader than most employees recognize. This is
problematic given that employees create, save, and disseminate trade secrets.
Recommendations: Companies should deploy a learning-based, trade-secret training
program, and not just a cursory section in employee on-boarding. Policies and
agreements should not use boilerplate language to describe “confidential” information
as it may not practically or legally put employees on notice. If a company does not have
a stand-alone trade-secret policy, this is a ripe time to produce one.

2. Is access to information limited on a need-to-know basis?


Under U.S. federal, state, and EU law, a trade-secret owner must take reasonable
measures to protect the information for it to qualify as a trade secret. Winston
determined that more than 11% of contested federal trade-secret cases (2008–2019)
were dismissed because the plaintiffs failed to take sufficient measures to protect the
information. A key measure courts look at is whether access to information was limited.
Recommendations: Companies should utilize written policies obligating employees
to share information only on a need-to-know basis and provide guidance on where to
save information. Technical controls should be used to limit access to information on a
need-to-know basis and should be audited periodically. When transitioning resources
to cloud-based architecture, service providers do offer features like role-based access
control and detailed auditing to ensure access to sensitive resources is restricted.

3. Are employees re-certifying understanding of compliance with security, trade-secret, and confidentiality policies?

With remote work, security, trade-secret protection, and confidentiality obligations
need to be front of mind, and companies need reassurance that employees are
meeting their obligations.
Recommendations: Employees should be reminded of their obligations and
companies should require a re-affirmation of employee compliance; ideally, this would
be updated annually. Periodic reminders of the importance of these obligations can
both increase compliance and build a record for a future trade-secret theft case.

4. Are employees using free cloud-based storage or collaboration tools?


If secure business solutions are not provided, employees will circumvent restrictions to
make their jobs easier and more efficient (e.g., if Slack is blacklisted on corporate
laptops, employees might set up a free account to collaborate with their colleagues on a
personal computer). Free versions of software may be outside of the company’s
view/control and create risk of IP leakage due to data being mined by the platform.

Recommendations: Companies should have policies and training on the use of free
platforms, restrict unapproved programs on corporate devices, and provide enterprise
solutions that employees need to work efficiently.

5. Are employees using non-secure communications platforms?


Video conferencing usage has skyrocketed with free solutions (Zoom, HouseParty) for
group chats. Poor security habits expose IP to unauthorized participants.
Recommendation: Regularly changing meeting passwords and activating waiting rooms,
which let the host grant access, are healthy security practices to teach employees and
to mandate. Video conferencing solutions hosted on a private cloud with default security
protocols, such as not storing instant messaging logs, should be considered.
Organizations should monitor use of platforms for appropriate use and access.

6. Are employees sharing data with third parties in a protected way?


Employees default to email or cloud-based platforms to share information with third
parties. Such mechanisms, especially if done over personal accounts, can cause the
company to lose control over its data and give a third party the ability to keep or
disseminate the information.
Recommendations: Companies need to clearly articulate protocols for third-party
sharing, educate employees on those tools, and explain that the existence of an NDA is
not sufficient protection. Such mechanisms could include: secure transfer (such as
through a password-protected FTP), limited number of downloads, and expiration
dates.

7. Are security policies being deployed to protect data from outside and internal threats to personal devices?

Employees’ personal devices can be more vulnerable to outside attacks than a
company’s secure architecture. Copying and pasting sensitive and confidential data to
external media is a common tactic used by trade-secret theft offenders.
Recommendation: Companies should have security policies with minimum
requirements for employees’ devices and Wi-Fi settings. Employees should certify
compliance. Implementing a domain-wide group policy to restrict writing to media
connected via USB port can prevent copying and pasting to external media. Companies
should evaluate VPN and remote-access protocols to determine what limitations a
remote employee has to copy data outside that system to a local device.

8. Are hard copy or tangible trade secrets protected?
If an employee prints a document or has tangible trade secrets at home, someone
outside the company may view them. This risk is high when the employee has
roommates who could even be working for rival companies.
Recommendations: Companies should review “clean desk” policies and bolster them
to apply to remote-work scenarios, including discouraging printing trade-secret
documents. Companies should provide instructions for destruction, and educate
employees on secure ways to store tangible company material, such as in a locked
drawer and, where appropriate, provide tools, like shredders.

9. Are devices being collected or wiped promptly?


Prompt collection of devices and termination of access to company data when an
employee resigns or is terminated is critical to minimizing theft and protecting legal
options. Remote work injects logistical hurdles into this process.
Recommendations: Companies should prepare a plan, with input from HR, IT, and
business managers, to ensure prompt collection and termination of access, ideally
before any termination occurs. Remote covert collection, such as requesting an
employee return a device for maintenance/upgrade, can be used. Companies should
consider having employees consent to a review of personal devices with company data
through agreements/handbook provisions.

10. Do the enterprise applications provide visibility to detect cyber threats and potential theft by remote employees?

Flagging suspicious conduct and retaining logs of activity can help quickly detect,
respond to, and contain theft.
Recommendation: Companies should ensure their SaaS products provide
appropriate logging to enable effective and efficient cyber investigations, and ensure
that such capabilities are enabled to record key events. Companies can also use
monitoring technologies to flag, in real time, behavior that violates established rules
(e.g., large downloads, emails to personal accounts, impossible travel).
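
The three rule types named above (large downloads, emails to personal accounts, impossible travel) can be written as simple checks over activity logs. The following is an added illustration, not part of the original article: the event fields, thresholds, and domain list are assumptions, and the sample events are constructed.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample events (not real logs); field names are assumptions.
EVENTS = [
    {"ts": "2020-05-04T09:00:00", "user": "alice", "type": "login", "lat": 41.88, "lon": -87.63},
    {"ts": "2020-05-04T09:20:00", "user": "alice", "type": "download", "bytes": 40_000_000},
    {"ts": "2020-05-04T10:30:00", "user": "alice", "type": "login", "lat": 51.51, "lon": -0.13},
    {"ts": "2020-05-04T11:00:00", "user": "bob", "type": "login", "lat": 40.71, "lon": -74.01},
    {"ts": "2020-05-04T11:05:00", "user": "bob", "type": "download", "bytes": 3_000_000_000},
    {"ts": "2020-05-04T11:10:00", "user": "bob", "type": "email", "to": "bob.home@gmail.com", "attachments": 4},
    {"ts": "2020-05-04T11:15:00", "user": "bob", "type": "email", "to": "vendor@partner.example", "attachments": 1},
]

PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}  # illustrative, not exhaustive
MAX_DOWNLOAD_BYTES = 1_000_000_000  # assumed per-event threshold
MAX_SPEED_KMH = 900                 # roughly airliner cruising speed
MIN_TRAVEL_KM = 100                 # ignore small geo-IP jitter between logins

def km_between(a, b):
    """Great-circle (haversine) distance in km between two login events."""
    lat1, lon1, lat2, lon2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(events):
    """Return (timestamp, user, rule) alerts for the three example rules."""
    alerts, last_login = [], {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] == "download" and e["bytes"] > MAX_DOWNLOAD_BYTES:
            alerts.append((e["ts"], e["user"], "large_download"))
        elif e["type"] == "email":
            domain = e["to"].rsplit("@", 1)[-1].lower()
            if domain in PERSONAL_DOMAINS and e.get("attachments", 0) > 0:
                alerts.append((e["ts"], e["user"], "email_to_personal_account"))
        elif e["type"] == "login":
            prev = last_login.get(e["user"])
            if prev:
                gap = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(prev["ts"])
                km = km_between(prev, e)
                # Flag when the distance cannot be covered in the elapsed time.
                if km > MIN_TRAVEL_KM and km > MAX_SPEED_KMH * gap.total_seconds() / 3600:
                    alerts.append((e["ts"], e["user"], "impossible_travel"))
            last_login[e["user"]] = e
    return alerts

if __name__ == "__main__":
    print(*detect(EVENTS), sep="\n")
```

Each alert carries the timestamp and user, so it can be matched against the retained logs when an investigation starts.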

The proliferation of remote work has created, and will continue to create, risks for
trade-secret protection with long-term consequences. While trade secrets may not be
front-of-mind under current circumstances, actions companies take now can significantly
impact the chance that secrets are stolen. Fortunately, there are practical, feasible, and
scalable solutions that minimize these risks.
