The ability to protect trade secrets (and other legitimate business interests, including customer goodwill) has been hit by a perfect storm caused by the current coronavirus pandemic:
- Loss of control. With much of the workforce working from home for the foreseeable future, it can be difficult to ensure that trade secrets (and other legitimate business interests) are properly protected.
- Risk of theft. In the best of times, more than half of employees admit to taking information with them when they leave a company. But these are not the best of times. Employees have been laid off or furloughed in record numbers, increasing the risk that information will be taken or destroyed.
- Loss of protections. In many states, employees who have been laid off without cause are relieved of their noncompete obligations, even though subsequent employment may place their former employer’s trade secrets, customer relationships and other legitimate business interests at risk.
- Limited judicial assistance. Many courts continue to operate with skeleton crews and are hearing only limited civil matters.
- Increased skepticism. Even as the courts reopen and catch up from the backlog of cases, hearings on motions for temporary restraining orders and preliminary injunctions (the keys to protecting trade secrets and other legitimate business interests) are typically even harder to obtain in times of significant unemployment and economic upheaval (the Great Recession being the most recent example) than in “normal” times.
- Threats to the use of safeguards. Noncompete agreements — one of the key tools to protect trade secrets and other legitimate business interests — are under increased threat by the Department of Justice and Federal Trade Commission, which recently issued a joint statement warning about “anticompetitive non-compete agreements” and noting that they may “challenge unilateral anticompetitive conduct by employers that harms competition in a labor market.”
While we can hope everyone will comply with their legal obligations, particularly during a time of crisis, we need to plan for the opposite.
Accordingly, this article provides practical guidance for how to manage trade secrets (and other legitimate business interests), both generally and while employing a remote workforce. Detailed questions to ask and issues to address can be found in a companion checklist available at FairCompetitionLaw.com.
An ounce of prevention, especially now
When it comes to the protection of trade secrets, an ounce of prevention is worth a pound of cure. That is even more true now.
The current circumstances mandate increased vigilance — but tempered by practicality. And, the dynamics of life under quarantine, shelter-in-place orders, and lockdowns have provided significant insight for how to achieve that balance, both now and for our return to the new “normal.”
The important thing to remember is that the rules have not changed. Only the circumstances and how the rules will be applied have. Accordingly, it is critical to have a working trade secret protection program that reflects the current realities.
Proper trade secret protection program explained
At its core, a trade secret protection program is a set of protocols to protect a company’s confidential information — protocols that are not only expected by courts, but, more important, protocols that are designed to prevent the misappropriation of a company’s information in the first place.
While “reasonable” efforts are the legal touchstone for protecting trade secrets, that mandate should not be the motivation. Rather, effective and efficient prevention of misappropriation should be the lodestar.
Few trade secrets are like Coca-Cola, requiring heroic measures for their protection. In most instances, companies can achieve a reasonable balance, preventing misappropriation while enabling employees to use the company’s information for legitimate business purposes.
The goal should be to ensure that protecting the information is the easy path. If the balance tips too far toward preventing misappropriation, making it difficult for employees to get their work done efficiently, they will find a workaround. In contrast, the less resistance, the more likely compliance will happen naturally.
A decade ago I/Russell Beck wrote “The Who, What, Where, When, How, and Why of Trade Secret Audits,” providing an overview of how to do this. The process remains the same. But, like everything else, shifting paradigms require recalibrating the tools.
What is reasonable today is qualitatively different from what was reasonable in the past. What worked for a physical Rolodex needs to be recalibrated for iPhone contacts, LinkedIn and other social media. And what worked pre-coronavirus may no longer work in a post-COVID world.
There is no one-size-fits-all approach. Rather, the reasonableness — and effectiveness — of the protection measures will depend on the nature, value and potential risks to the information, and the circumstances of the company.
Summary of trade secret protection in wake of COVID-19
Below are the steps for a proper trade secret protection program (TSPP). But remember that companies and their culture and circumstances, work-from-home environments, trade secrets, and risks vary widely and will require different approaches — and they all change over time.
What may have made sense at one time may no longer be sufficient or may be too restrictive. So this process should be considered a work-in-progress, to be reevaluated on an ongoing basis.
Step 1: Understand the landscape
The starting point for protecting trade secrets is gaining an understanding of the landscape: What information is at risk and where do the risks come from?
There is an endless variety of trade secrets. They can include product developments, specifications for new products, technical data, computer code, business plans and strategies, financial information, customer information, client credit profiles, contract pipelines and opportunities, pricing strategies, and so on.
Companies should identify and categorize the information, not catalog it.
Depending on the organization, this inquiry may require the involvement of management, human resources, legal, corporate governance, sales, marketing, information technology, information management, research and development, manufacturing, and other relevant stakeholders.
Step 2: Evaluate and update protections
Once the landscape is clear, the next step is to evaluate the sufficiency generally and, in particular, from a physical, electronic/technological and administrative standpoint, and then to update the protections, removing anything no longer needed and adding anything missing.
Step 3: Evaluate third-party implications
The involvement of third parties raises three categories of issues: (1) obligations the company owes to third parties whose information the company is in possession of; (2) obligations of third parties that are in possession of the company’s confidential information; and (3) risks associated with bringing in employees (and others) who may possess, use or disclose information from third parties, such as competitors, former employers and other trade secret owners.
Step 4: Special considerations in connection with work-from-home (WFH) and other remote work environments
Work conducted remotely (whether from home or other locations outside of the company’s direct control) substantially alters the typical trade secret risk profile in many ways, including a lack of visibility into employee conduct, the potential for the use of improperly secured Wi-Fi, other people in close proximity, and a lack of formalities that otherwise appertain to typical work environments.
Accordingly, a purposeful awareness of and focus on the different and additional risks is necessary, particularly now and as the new normal continues to evolve. And, equally important, employees should be counseled to affirmatively think about their obligations and use basic common sense when company confidential information is at risk.
Step 5: Communicate and reinforce expectations
Having policies and procedures that no one understands, remembers or follows undermines the reason for having them in the first place. The key to ensuring their ongoing utility is employee education and training on a periodic basis.
This is particularly true now, when employees have been thrust into a new work regime, which may require very different processes and procedures from what they are used to. Distribution of a training video to all employees with access to trade secrets can be an effective way to quickly and easily educate employees on the critical aspects of protecting the company’s trade secrets. (Contact us for our firm’s video, “Protecting Trade Secrets — Ten Minute Training — Working at Home.”)
Step 6: Monitor compliance
Trust but verify. While companies may hope and assume that their employees will comply with all security measures, policies and trainings, there is no foolproof way to ensure it. Accordingly, companies should consider monitoring for compliance — whether on a continuous or spot-checking basis.
Even when monitoring is limited and unlikely to catch misconduct or inadvertent trade secret exposure, it may still have the benefit of encouraging employees to think twice.
Step 7: Exit practices and procedures
Even in the best of circumstances, departing employees pose a significant risk to a company’s information and customer relationships. These risks are significantly increased in times of crisis and economic turmoil, particularly when employees are furloughed, laid off, feeling disconnected, or just in need of a change.
It is therefore extremely important to take this opportunity to lock down as much as possible at this last stage of the employment relationship. This involves four basic steps: (1) conducting an exit interview; (2) terminating post-employment access; (3) recovering all equipment; and (4) evaluating the potential risks.
Step 8: When all else fails, have a plan and implement it
While the goal is to avoid the need for enforcement of the company’s rights (in particular through lawsuits), unfortunately no amount of prevention, education or training will prevent some people determined to do something they should not.
The company thus needs to have an “incident response plan” (IRP) — and a designated person (or team) responsible to lead the incident response — before there is an accidental or intentional disclosure or use of the company’s confidential information.
Courts help those who help themselves. But companies are best off protecting themselves so they don’t need the courts, especially now, when what the courts (and we as lawyers) consider an emergency has fundamentally changed.
Accordingly, given the current circumstances, it is more important now than ever before to ensure that companies have a strong plan for protecting their trade secrets.
Russell Beck is a founding partner of Beck, Reed, Riden in Boston. He litigates and advises on trade secret, noncompete agreement, and employee mobility matters nationally and assisted the Legislature with the new noncompete and trade secrets laws. Erika Hahn is a paralegal at the firm. She has been a substantial contributor and editor on a book on Massachusetts noncompete law, a book on trade secrets law, and various other publications.