Due to the COVID-19 pandemic, 42 states, Puerto Rico and the District of Columbia have adopted shelter-in-place or similar orders. As a result, more employees than ever before are working from home. This sudden increase in telework has created new challenges for employers, including balancing the need to protect their trade secrets and confidential information, with the need to ensure that employees can work effectively from home. This article discusses the unique risks to trade secret protection created by telework arrangements and suggests ways employers can mitigate those risks.
I. What is a trade secret?
The federal Defend Trade Secrets Act (DTSA) defines “trade secret” as “all forms and types of financial, business, technical, economic, or engineering information” that (1) derive independent economic value from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from it; and (2) the owner has taken “reasonable measures” to keep secret. In other words, under federal law, a “trade secret” has two components: economic value and secrecy. The majority of states have their own trade secret statutes with identical or similar definitions of “trade secret.”
II. What are “reasonable measures” to maintain secrecy?
Neither the DTSA nor various state trade secret statutes define “reasonable measures.” Nevertheless, courts have provided guidance on the efforts employers must take to preserve the “secrecy” of their trade secrets under normal circumstances. In general, “reasonable measures” include the following:
Whether a particular employer’s measures are “reasonable” requires a fact-specific analysis. Notably, the protective measures do not have to be perfect; they need only to be reasonable under the circumstances. Also, the fact that an employer has not used a specific measure does not render the employer’s other efforts unreasonable.
III. What are the unique risks to trade secret protection created by telework?
When employees report to a workplace, the employer has a high level of control over the employees’ access to and use of company information. The employer’s control over its information, however, decreases substantially when employees work remotely. For example, employees without a company computer necessarily will use their personal computers, electronic devices and Wi-Fi networks when working from home. These devices and networks may lack adequate security protections and may be more vulnerable to outside attacks. As recent news stories on video conference hacking and phishing emails related to COVID-19 reveal, telework already has made employees more vulnerable to hacking.
Additionally, once an employee stores company information on a personal electronic device or anywhere outside the employer’s database, the employer loses the ability to control and track that information. The employer also cannot determine whether and to whom its information may have been disclosed. The same is true for hard-copy files, as employees may print confidential documents at home, leave them in open view and fail to properly dispose of them.
The importance of maintaining “reasonable measures” to protect trade secrets cannot be overstated. An employer that fails to take “reasonable measures” to protect its trade secrets loses trade secret protection. Importantly, an employer may lose trade secret protection even though it limits access to only its own employees.
In a recent case, an Illinois federal court held that a company failed to take reasonable measures where it (1) granted employees access to its shared drive without any meaningful inquiry into whether the employee needed access; (2) assigned the same access password to many employees; (3) did not encrypt any files on the shared drive; and (4) did not place any restrictions on employees’ ability to access, save, copy, print or email the information for which it later claimed trade secret protection. In another case, the court expressed “serious doubts” that the employer would succeed on its trade secrets claim where its “information was readily accessible on a shared computer network that could be reviewed by anyone who had access to the computer system.” Finally, yet another court held that even an employer’s use of “layers of passwords and SSL encryptions” may not have been reasonable under the circumstances because “employee computers were generally left on and unprotected.”
Although cases discussing “reasonable measures” in the telework context are lacking, the same principles apply. Protections that may be “reasonable” and adequate in the office may not be sufficient when employees work from home. Indeed, the risk of losing trade secret protection only increases when employees work from home because employers have less control over their employees’ actions.
Accordingly, employers may need to take additional precautions when permitting employees to work from home. Other laws provide guidance on possible additional precautions. For example, the Health Insurance Portability and Accountability Act’s (HIPAA) Security Rule requires encryption when transmitting protected health information when encryption is “reasonable and appropriate.” Thus, employers subject to HIPAA routinely require employees to encrypt emails containing protected health information when using either company-provided or personal electronic devices. Similarly, the American Bar Association recently issued an opinion letter noting “it is not always reasonable [for lawyers] to rely on the use of unencrypted e-mail” to communicate client information. The opinion letter recommends using “strong protection measures, like encryption,” in circumstances warranting increased security.
IV. What can employers do to protect their trade secrets when employees telework?
With telework arrangements more prevalent as a result of the COVID-19 pandemic, employers should evaluate the need for additional steps to protect their trade secrets. This is especially true because many employers will need to downsize with many terminated employees potentially moving to competing businesses during or after the crisis. Future trade secret litigation likely will involve challenges to an employer’s measures to protect its trade secrets during the COVID-19 pandemic. There is no one-size-fits-all approach, however, and employers should tailor efforts to be consistent with their business needs. Below are some suggested protections for employers operating with a significant remote workforce:
Trade secrets are among an employer’s most valuable assets, and employers should evaluate the need for additional protection during the COVID-19 crisis. For more information or guidance on protecting trade secrets and confidential information during the COVID-19 pandemic, please contact the authors, any of the McGuireWoods COVID-19 Response Team, or your McGuireWoods labor and employment contact.