A trusted high-level employee downloads thousands of documents and gives them to the competition. The company wants to take decisive and swift legal action against the employee for having taken its most valuable competitive information and needs to prevent its further use and dissemination. The Uniform Trade Secrets Act, enacted in every state except New York and Massachusetts (which have similar common law causes of action), provides for such immediate injunctive relief. To qualify, however, an essential element of every trade secret claim is that the information be the “subject of efforts that are reasonable under the circumstances to maintain its secrecy.” In an era in which employees and the information to which they have access are more mobile than ever, it is critical that companies evaluate and ensure that they are using best practices as well as more cutting-edge methods to protect their most valuable information.
• Require restrictive covenants.
One of the most well-recognized ways to protect trade secrets is to require employees to sign nondisclosure agreements prohibiting the disclosure of confidential information. It is important to remember, however, that these agreements should not be limited to employees. Any contractor, vendor, or other third-party partner that has access to information that must remain confidential should be presented with and sign such an agreement. The agreement should define confidential information specifically and exhaustively so that all such information is covered by the agreement.
Significant investments in research and development, employee training, good will and customer relationships can also be protected by requiring employees with access to such investments to sign noncompete agreements. These agreements prohibit an employee from working for a competitor for a reasonable term after employment as a measure to protect these investments. Noncompete agreements therefore provide yet another layer of protection for confidential information.
• Put physical limitations in place.
When the commercial world still worked largely in paper, the most important way to protect trade secrets was perhaps a lock and key on a filing cabinet. Even though most businesses have gone digital, companies should not overlook the very important and basic step of securing their information the old-fashioned way: under lock and key, literally. Physical access to areas where the company keeps valuable information, laboratories, prototypes, and the like should be limited to employees that need to work with such information and things. Access cards and log books should be utilized to keep track of employees and visitors who access any such areas. In addition to these physical security measures, information that is confidential should be marked with symbols or legends indicating that the information is, in fact, proprietary and confidential.
• Follow a thorough hiring process.
A company can never underestimate the importance of finding the right people to fill open positions, especially those with access to sensitive confidential information. Adhering to formal hiring policies and procedures can help prevent the wrong people from getting in the door in the first place. Conduct background checks (in compliance applicable employment law) and institute a hiring process with multiple interviews to ensure that company has the best information possible about a candidate before making a hiring decision.
• Use exit interviews and check-out procedures for departing employees.
Gathering information from and about departing employees is just as important as in the hiring process. Exit interviews are a good way to assess whether an employee is headed to a competitor and if trade secret information is at risk. Check-out procedures should be designed so that all confidential materials are accounted for and returned. In addition, electronic access to the networks and physical access to the property should be disabled immediately. If necessary, the departing employee’s data use should be audited and analyzed, based on the assessment of the risk that confidential information has been compromised. The departing employee’s company-issued devices and any other property distributed to the employee should be accounted for. If appropriate, customers and vendors should be alerted to the employee’s departure.
The Necessities for Electronic Data
• Institute electronic limitations.
Most company data is now stored electronically. The bad news is that electronic information can be easily manipulated and taken. The good news is that electronic information is easier to track than paper because it almost always leaves behind an electronic fingerprint when manipulated. Although the development of new technologies has empowered thieves with new and different ways to steal information, companies can also use new technologies to put in place electronic security measures to prevent and track theft more easily. Electronic data may be misappropriated in innumerable ways: by email, downloading to a thumb drive or other storage device, or transferring to or through the cloud, as just a few examples. Companies can and should electronically control employees’ abilities to use all of these facilities by restricting mass downloading or use of external storage devices. Companies can also block access to cloud storage (such as Dropbox or Google Drive), Web-based email (like Gmail or Yahoo), and social media websites that allow transfer or posting of confidential information (i.e., Facebook or Twitter). Further, companies can prohibit the installation of software used to steal information or to conceal theft after the fact. Once these limitations are in place, the company should monitor and ensure that these controls are functioning and be vigilant about keeping up with the latest technologies to address new threats.
• Clearly define computer use policies.
In addition to electronic limitations, it is essential to set clear policies on how employees use (and should not use) confidential information stored on computers and other electronic devices, as well as email and social media. These policies are particularly important if it is unrealistic to completely lock down employees’ access to these technologies. An email policy should include a statement that the company owns the confidential information generated and transmitted over company email, and that the company intends to monitor its email so that employees do not have an expectation of privacy when using company email. Then, when and if there is a suspicion that trade secret information has been transmitted over email, a full investigation can be conducted. Social media and cloud storage policies should prohibit the transmission of confidential information entirely. Having these types of policies in place leaves no doubt as to the company’s position on the ownership and treatment of its confidential information.
• Clearly define mobile device policies.
Companies have recently embraced the idea of permitting employees to BYOD—bring your own device—to work, permitting employees to use their own personal devices for company business. Although it perhaps saves money because the company is not buying and issuing devices to its employees, it raises the risk that information will be compromised. When the company owns the computers and other electronic devices it issues to its employees, it has control over the information and applications on the devices and their use will be governed by company policies. Extra precautions must be taken if BYOD is permitted. A BYOD policy should require that passwords be placed on the device, and company and personal information should be segregated— “sandboxed”—using mobile device management software. Importantly, the company should ensure that it has remote access to these devices to remove and wipe company information when an employee resigns. •