Best practices to protect your company's data from the competition...and well-meaning children.
It has been a year since the COVID-19 pandemic confined millions of workers to their homes. Remote work is now business as usual and may be here to stay. At Schlam Stone & Dolan, we are seeing an uptick in clients’ concerns about data breaches and protecting trade secrets in a remote work environment.
Reassessing or updating data protection policies and procedures is crucial, because failure to take protective measures to keep your company’s sensitive information secret could result in your most valuable information losing its protection under trade secret law.
Trade secrets can include not only technical or scientific information, but also business information such as your customer, client or supplier lists, business plans, budgets, marketing data, or financial information. Thus, implementing procedures to protect trade secrets is not an issue confined to the tech industry. In addition, failing to implement measures to protect third-party information—e.g., your clients’ data—may expose your company to liability and negatively impact your business’s reputation.
Whatever the odds for a data breach related to remote work were before the pandemic, assume those odds have increased significantly during the time your staff has been working from home.
Below are important guidance and best practices for protecting your company’s most valuable assets:
Update your policies and training.
Consider issuing new or updated policies, trainings and/or employee certifications to educate and remind employees of their responsibility to protect company trade secrets and data. Even the most well-meaning employees may be too lax with company-issued devices or documents, leaving important data open to exposure. Of particular relevance these days, your policies should specify what is acceptable in terms of sharing the company laptop with family members.
Make sure your employees do not have to utilize their personal computers or email.
Employees should be provided with company-issued laptops and phones. Consider, for example, that you may have parents who share their personal computers with their children, which creates a safety concern if the parent uses that same computer for work. Alternatively, if it is not possible to issue each employee a laptop and phone, set up password-protected remote environments that are separate from the environment of your employee's personal computer and phone.
Employers should always be able to access and control all company information, and thus remote sessions are always preferable, even on a company-issued laptop or phone. Additionally, remind employees to avoid printing sensitive documents at home or ensure that employees can print from within a remote session.
Documents should not be saved locally or emailed to a personal email for printing. Remind employees that if they must print sensitive documents at home, they must make reasonable efforts to keep these documents secret, including from their family members.
Do not give your employees sole control over data.
Avoid giving your employees sole control over company data, such as admin privileges on company laptops. Perhaps you ceded control early in the pandemic when your company was in crisis management mode, but now would be a good time to take back that control.
Implement systems to monitor and prohibit breaches.
The level of policing that a company should implement depends on many factors, including the size of the company, the industry, and the sensitivity level of the company's data. A robust system will include software that prohibits employees from downloading data onto an external drive or a file hosting service (e.g. Dropbox), or emailing data to a personal email account. Alternatively, the company can monitor this activity, and allow it only when specific permission is obtained.
Hiring and terminating employees.
This is the first time in the history of many companies that hiring and terminating employees may not involve any in-person interaction. Consider that a person has perhaps not moved from their kitchen table, yet has changed jobs and now works for the competitor of their prior employer. This comes with its own set of challenges.
- When onboarding a new employee, they should attest, in writing and during an interview with HR, that they have returned to their prior employer all information and will not use any of it in their new role. You may also want to arrange for a forensic verification of the new employee's computer.
- If an employee is leaving your company, take the necessary steps to ensure the return of all company information. Depending on the employee's role and seniority, it may be necessary to send someone to their home to make sure that all company information has been returned. To forgo these procedures because they are impractical in a remote work environment could expose your company to various issues in the future.
Have your IT department do its homework to determine what, if any, videoconferencing service is most secure and best adapted to your needs. It may be that your most sensitive meetings should still be held by phone.
Protect your data from hackers.
Most data breaches come from within a company, but external hacking is on the rise. Make sure employees are trained to recognize hacking and phishing schemes. Home networks are more vulnerable to hacking. Requiring your employees to secure their home internet network with a stronger password or blocking access to certain websites may be necessary.
Returning to the office.
As COVID restrictions ease up and employees return to the office, it is important to take steps to correct any potential breaches that may have occurred. This might include directing your employees to:
- Delete any data that may have been saved on their personal computers or personal email accounts.
- Return to the office to file or shred any hard copy documents that may have been printed at home.
- Ensure your IT department cancels any unnecessary admin privileges granted to employees who no longer require those privileges.
- Require supervisors to confirm that these steps have been completed.
In addition to the practical benefits of protecting your data, being able to point to the specific steps you took to protect your trade secrets will be essential in any trade secret litigation.
If you have questions or are concerned that someone may have misappropriated your trade secrets, contact us today. We can advise you on the steps to take to help protect your business and mitigate potential damages.