April 01, 2016
Cybercrime has garnered increasing attention in the last few years as tales of espionage and widespread theft of consumer information and intellectual property grab headlines and garner media scrutiny. Such attention is justified. Theft of intellectual property has been estimated to cost American businesses hundreds of billions every year.
However, there is another persistent threat to a company’s business—its employees. Although it is vitally important to ensure that a company’s technological infrastructure is protected against external cybersecurity attacks, it is equally vital for a company to be vigilant about internal threats of trade secret misappropriation by employees. Whether motivated by revenge, financial gain, apathy or a sense of entitlement, instances of ‘‘insider’’ trade secret theft by employees is a persistent and increasingly pervasive given the ease of duplicating and moving data in our digitized business environment. Indeed, a study by Symantec showed that half of employees who left or lost their jobs in the prior 12 months kept confidential corporate data and 40 percent planned to use that data in their new jobs. What can you do about it?
This article provides suggested steps for any business to safeguard trade secret information against inadvertent disclosure and/or intentional theft by employees.
Know Your Business
The first step in protecting trade secret information is to identify what the company considers to be its trade secrets. The Uniform Trade Secrets Act (UTSA) defines ‘‘trade secret’’ as information (including a formula, pattern, compilation, program, device, method, technique or process) that: (1) derives independent economic value from not being generally known; and (2) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy. Every business possesses some information that is valuable–often critical–to the company’s success and which could harm the business if that information fell into a competitor’s hands. Such information could range from a company’s core technology (e.g., software, source code, process recipes, algorithms and computer programs) to business and financial information (e.g., cost and pricing information, customer information, customer lists, business opportunities, plans, budgets, forecasts, etc.) to negative information (i.e., a design that did not work, customer problems, etc.).
The nature and type of confidential information valuable to a given company is unique to that business, but every company has its ‘‘crown jewels’’ that simply cannot fall into the hands of a competitor and which the company needs to keep secret. Decision-makers need to look internally and identify those ‘‘crown jewels.’’ There is no reason to delay such a valuable exercise.
Safeguard Trade Secrets with Well-Defined Policies and Procedures
Once the company’s trade secrets are identified, measures to delineate and protect the trade secrets need to be implemented through well-defined policies and procedures, which should be strictly enforced. If litigation become necessary following trade secret misappropriation (i.e., wrongful access, use or disclosure of trade secret information), the trade secret owner must establish that it took reasonable efforts under the circumstances to maintain secrecy. These efforts could include:
- Requiring that all trade secret material be marked as confidential.
- Requiring encryption of all electronic devices like laptop computers and flash drives.
- Restricting access to trade secret information on a ‘‘need-to-know’’ basis. This could be accomplished by developing a matrix that classifies employees, consultants, contractors and vendors according to the degree of access necessary for their jobs.
- Restricting physical access of the confidential information by requiring use of key cards, or allowing access through virtual means only, or requiring complex, rotating network passwords and access codes.
- Requiring employees to confirm recipients before sending external emails.
- Prohibiting employees from using personal electronic devices and personal e-mail or cloud storage accounts for work-related tasks and prohibiting use of personal portable electric storage devices like USB drives and/or external hard drives.
- Monitoring employee’s usage of electronic devices and access to company network and specific files.
- Implementing policies covering what employees can and cannot discuss about the company on social media.
- Implementing contractual protections through confidentiality agreements, non-disclosure agreements, work-from-home or telecommuting agreements, and when appropriate, non-compete agreements (keep in mind that enforceability can vary depending on jurisdiction).
- Continually refreshing company policies and contractual protections. This includes reviewing and updating confidentiality and proprietary information provisions in agreements and company policies on a regular basis. s Routinely monitoring suspicious activities and training key personnel to recognize ‘‘red flags.’’
By implementing comprehensive policies and procedures, a given business will reduce the opportunities for misappropriation, catch wrongdoers before irreversible harm befalls the business and place the company in the best position to obtain redress for any harm caused by misappropriation.
Protect Trade Secrets During Onboarding Process
Employees should be informed of the company’s policies on protecting confidential information upon joining the company. Offer letters should specifically spell out the company’s core policies regarding the protection of confidential information (and should also include express prohibitions against accessing, using or disclosing confidential information belonging to other companies, including former employers). New employees should acknowledge the policy in writing and sign nondisclosure agreements affirmatively stating that they will not use or disclose confidential information belonging to the company during and after the course of employment.
When appropriate, require employees to sign invention disclosure agreement with automatic assignment (‘‘I hereby assign’’) and obligation to disclose all intellectual property conceived, developed or reduced to practice that relates to the company’s business or results from work performed for the company or during working hours.
Regularly Train Employees on Trade Secret Policies and Procedures
A company’s efforts to protect its trade secrets are futile unless those within the company understand what the company considers to be its trade secret or confidential information and the company’s policies and procedures with respect to protecting those trade secrets. Thus, it is important to provide periodic training for employees to reinforce expectations around confidentiality. Employees should be required to sign periodic compliance statements acknowledging the company’s policies and their compliance with those policies.
Ensure That Trade Secrets Are Protected During and After Employee Departures
Every company should maintain and follow a proper protocol for handling employee departures. Such protocol should include procedures specifically targeted at protecting the company’s confidential information. First, conduct an exit interview with the employee to learn where the employee is going and what role he/she will perform at the new job. To the extent the employee had access to confidential information, review recent activity to determine whether confidential information was accessed, downloaded or forwarded. If there are reasons to believe that a former employee may pose as a potential security threat, consider bringing up evidence of suspicious activities in the exit interview.
During the exit interview, require the employee to acknowledge their confidentiality obligations in writing and state under penalty of perjury that he/she have not and will not take, use or disclose any company confidential or proprietary information outside the company. Also, if applicable, require employee to acknowledge that all intellectual property subject to invention disclosure agreement has been disclosed and assigned to the company and discuss the specific IP and list inventions.
After the employee departure, it is imperative that the company preserve and perform a thorough review of the electronic devices used during employment. To the extent not undertaken before departure, such a review should include an analysis of the devices for any unusual activity, such as access to company confidential information immediately prior to leaving, downloading or copying or transferring of files onto flash drives, external storage drives and/or cloud storage. Do not wipe, refurbish or throw away laptops and/or portable electronic devices until the investigation is completed. To the extent that litigation is necessary, such evidence will be essential in asserting and proving a trade secret misappropriation case.
Last, if the employee is leaving to work for a competitor, it may be prudent to send a short, non-litigious business letter to the competitor’s legal and human resources departments explaining the departing employee’s confidentiality obligations.
While there is no way to prevent malicious conduct by disgruntled employees with respect to disclosure of company trade secrets, by proactively implementing the suggested steps above, a company can drastically reduce the chances of losing its most valuable assets and place itself in the best position to protect win a trade secret misappropriation claim should litigation become necessary.
Reprinted with permission from the April 1, 2016 edition of Bloomberg BNA's Patent, Trademark & Copyright Journal. Further duplication without permission is prohibited. All rights reserved.