COVID-19 is bringing systemic change in the way businesses are operating and employees are working. With almost all of businesses' staff working remotely for the foreseeable future, companies face additional layers of risk in keeping trade secrets and information confidential. There is, more than ever, a risk of businesses losing control of previously established trade secrets protection measures. We set out below some guidance on the heightened areas of risk and where businesses can try to limit their exposure.
Protecting trade secrets
The law will only protect information as a trade secret/confidential information where it meets all of the following requirements: (i) the information has been kept secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question; (ii) it has commercial value because it is secret; and (iii) it has been subject to reasonable steps, by the person lawfully in control of the information, to keep it secret.
The moving of staff to homeworking brings a number of risks to established trade secrets protection measures, such that there are increased risks of trade secrets information losing its confidential nature. These added risks and potential ways to mitigate them are set out below.
Areas of risk and ways to mitigate
Non-corporate devices & Email
Extensive homeworking can, due to some of the practical realities it brings, cause an increased use of personal devices and email for work purposes, including information being stored on personal devices and sent to personal e-mail addresses. This, given the likely lower security protections, and the fact it is leaving the corporate domain, can increase the risk of trade secret leakage.
- Ensure password protection and/or encryption policies are fully adhered to throughout the crisis
- Continue to remind staff of the importance of keeping corporate information away from personal devices and systems, except where it is fully in compliance with the company's BYO policies and procedures
- Enforce policies, to the extent possible, that documents should not be stored on personal devices and that any that are stored there are deleted immediately
- Ensure workers are provided with appropriate equipment wherever possible to reduce the risk of non-secure devices being used
Hard copy documents
Whether necessary or not, staff may be more likely to remove hard copy information from the workplace and/or print information at home to better enable home working. Any physical copies of information, whether in transit from or stored outside of the secure corporate environment, bring obvious increased risks of loss of confidentiality.
- Strictly limit hard copy materials existing outside of the workplace to the extent possible, with reminders to staff to ensure confidential information is not removed to or printed at home unless specifically authorised
- Communicate and enforce destruction policies to ensure that documents are not discarded in domestic bins/refuse, but are shredded or delivered back to the company for destruction
- Ensure staff immediately report any documents lost in transit or at home
- Use a registration system to keep track of what information has been removed from office premises
- Consider electronic print protections to prevent home printing of documents
The COVID-19 crisis may result in higher churn of staff including contractor staff and relationships with third party vendors. Departing employees and contractors are often key risk points concerning information leakage, so this risk may be exacerbated by the crisis.
- Appoint a member of the company to manage trade secrets protection and answer staff queries
- Ensure access restrictions to confidential information, including under NDAs, are strictly enforced throughout the crisis
- Remind staff not to email company confidential information except as authorised by the company
- Present regular training sessions around trade secrets policy, encouraging reports of potential vulnerabilities
- Upon termination of any employee or contractor relationships, ensure all information is delivered back to the business
- Ensure third party vendors / agents with access to trade secrets have relevant protection measures in place
Heightened cyber security risk, and phishing
Home Wi-Fi and non-corporate networks can be significantly less secure than corporate systems. This, together with an increase in criminal attempts to compromise systems by way of phishing attacks (including exploiting the heightened sensitivity of staff to apparent COVID-19 information emails) is causing extra layers of risk of theft and exfiltration of corporate information.
- Continually remind workers of the risk of phishing e-mails and encourage reporting of suspicious messages to your business's IT security team
- Provide general tips to workers such as looking out for:
  - E-mails from public accounts (e.g. "@gmail.com"), instead of those with an organisation's domain name e.g. "@gov.uk"
  - Misspelled or incorrect domain names e.g. "@gove.co.uk"
  - Badly written e-mails with poor grammar and typos
  - Messages with suspicious attachments or links (including those hidden in 'buttons') which could contain malware
  - Messages that demand urgent action
- Ensure that workers switch off/log out corporate devices each night so that security updates can be implemented by the business overnight in accordance with usual practice
- Encourage access through a VPN, and encourage IT security to continually review security issues during the heightened risk of the crisis
Employees may be occupying a range of different living spaces and living arrangements including flat-shares and some in large houses of multiple occupation (HMOs), sharing space and resources with other individuals. As well as this bringing security risks to physical assets stored in such environments, employees may be unable, or find it difficult, to conduct confidential calls, video conferences and other business.
- Roll out or revisit existing WFH policies, including considering issues like ensuring Alexa-type devices are switched off and that workers understand the need to conduct business in confidential settings, etc.
- Remind workers to ensure they keep conversations and information strictly away from others in the household, even other family members
- Keep corporate information secure within homes in lockable rooms or cupboards etc. wherever possible
- Ensure corporate devices are set to lock after a short time period
- Ensure remote lock-out and wipe capabilities are in place to address misplaced corporate devices
Post COVID-19: points to consider
Looking forward, and as we proceed through this period of extended homeworking, including to its exit point, businesses should consider taking the following steps:
- A recovery and destruction exercise for any materials that were migrated out of the secure corporate environment, in which copies of electronic or hardcopy documents are collated and logged (to increase capture) and either delivered back to office premises or destroyed.
- A clean-up exercise of employee systems and emails etc. to ensure any corporate information that migrated onto private devices/systems is recovered.
- A review of employee terms around WFH and confidentiality policies and procedures to address any shortfalls.
- A review of the restrictions in place in the normal course for employees and contractors with respect to access to different levels of confidential information.
- A holistic 'lessons learned' review to assess the risks and the mitigation deployed, and to develop best practices going forward.
Feel free to get in touch if you would like to discuss any of the points raised.