Protecting trade secrets in the era of remote working

Is your intellectual property at risk in the new era of working from home?

Trade secrets and confidential information are often the most valuable assets held by a business, particularly within the technology sector. In a fast-paced and fiercely competitive marketplace, the careful preservation of this highly sensitive information is critical to the long-term success of any organisation.

The technology sector is renowned for embracing flexible and atypical workforce models, with remote working and home working prevalent well before businesses were compelled to move to such practices in response to the COVID-19 pandemic.

Nevertheless, for all employers using remote working models, it is critical that they take suitable steps to protect their business and trade secrets.

Trade secrets in the time of COVID-19

Against the backdrop of the coronavirus pandemic and the shift towards home-based working arrangements for employees, businesses have seen an increased risk of confidential information falling (whether intentionally or inadvertently) into the hands of competitors.

In the current climate, trade secrets have never been more valuable nor more portable. The protection of this information is therefore paramount.

Recent media reports of an “intellectual property war” waged by hackers attempting to steal confidential information about coronavirus vaccine developments also provide a timely reminder for all organisations about the importance of rigorous cybersecurity measures.

What is a “trade secret”?

Understanding what company-sensitive information could be categorised as a trade secret is an essential first step.

The Trade Secrets Directive clearly defines this as information that is secret (not generally known or readily accessible to persons within the circles linked to the information); has commercial value because it is secret; and has been subject to reasonable steps to keep it secret by a person lawfully in control of that information.

Trade secrets can take many forms. Algorithms, secret recipes, client lists or technical know-how could all be considered trade secrets if they meet the three requirements above.

Once trade secrets have been identified, business owners must keep these under review and, as set out in the third requirement above, take steps to keep the information secret.

Restricted access

Given the requirement for businesses to keep trade secrets confidential, a proactive approach to protecting sensitive information is key.

Safely storing confidential information (ideally within a document management system that tracks individuals’ use) and restricting access to only those who need it are important starting points.

Other measures for business owners to consider include password protection for sensitive files, taking steps to minimise vulnerability to cyberattacks, and using non-disclosure agreements when sending pitch and proposal documents externally.

New hires and the existing workforce

Trade secrets can be particularly vulnerable at the beginning and end of the employment relationship. Employers should deter new hires from unlawfully bringing trade secrets or other confidential information from their former employer, or they may face exposure to breach of contract or inducement claims.

It is also essential that employers include appropriate protection in the employment contract. This can include well-drafted confidentiality provisions that protect the business both during and after termination of employment.

Employers should make clear to employees what information is deemed confidential and should restrict disclosure of it. Such information should be shared only with employees who need it to do their job.

The spike in home-working has led many employers to turn to employee monitoring software to protect their trade secrets. Employers do not have ‘free rein’ to track staff as they please. Employee monitoring is a complex area with many nuances and employee protections.

Invasive forms of monitoring, such as keystroke and/or screen monitoring, are subject to more stringent rules. Where employers use spyware technology, they are typically expected to warn their employees that this is in place, e.g. through an internal privacy notice. However, employers do not necessarily have to obtain employees’ consent to the monitoring.

Employers should also consider the employee relations implications of employee monitoring. A recent survey carried out by the trade union Prospect found that 48% of workers thought that introducing monitoring software would damage their relationship with their manager.

This figure was even higher – 62% – among younger workers. Employers should, therefore, seek to consult with employees about monitoring where possible to avoid damaging trust.

Protections used by employers should be underpinned by robust policies, including policies on working from home (where applicable), IT and security, emails, monitoring, and data protection.

End of employment

A disgruntled employee can pose a threat to an employer’s trade secrets and confidential information, particularly where they are seeking to inflict harm or disruption on the business. A well-managed exit process can mitigate these risks.

For example, under a well-managed exit process, the employee should be reminded of, or required to re-affirm, their confidentiality obligations and any restrictive covenants. It should be made clear to the employee that any breaches of these obligations will be taken seriously by the company.

The employer should also arrange to collect any company documents and property from the employee, including laptops and mobile phones. Passwords and log-in details should be changed quickly.

Further, employees should be required to delete any confidential information held on their personal systems and confirm to their employer that this has been done.

Responding to a breach

Despite best efforts, both accidental and intentional data breaches can occur. Acting swiftly and decisively in the event of a breach is a vital element of trade secret protection measures.

If a security incident arises, business owners must quickly ascertain what information has been accessed or transferred, and what risks the organisation faces as a result.

Rapid responses, whether by way of an injunction, court order, emergency security measures, or external PR statement, are fundamental to containing the breach and minimising damage.

Additionally, employers may need to report a personal data breach to the Information Commissioner’s Office. Reportable breaches must be notified within 72 hours, so it is key that employers act quickly to comply with the GDPR and to avoid related penalties.

Run a tight ship

Trade secrets are highly valuable assets, and businesses should carefully and proactively manage their protection.

The unauthorised access of trade secrets has been proven to be a costly distraction, which can cause serious reputational damage and impede business growth.

Particularly in the new era of remote working, even a modest investment by business owners in trade secret protection and breach response preparation will be time and money well spent.

This article was first published in Minutehack, see here.
