The rapid transition to remote work in the spring of 2020 brought with it new risks for businesses managing their confidential information. Helpfully, existing trade secret law is designed to adapt to circumstances, and can cover the transition to remote work. For proprietary information to continue to qualify as a trade secret, the plaintiff must show that it took “reasonable measures” under the circumstances to protect the secrecy of the information.
Trade secret owners should revisit and upgrade existing policies as they continue to refine their remote work policies. Even a few simple measures, like reviewing and updating confidentiality agreements, tracking access to certain confidential information, and documenting a trade secret protection policy, can significantly bolster protection for a company’s trade secrets.
How to Qualify for Trade Secret Protection
In order to qualify for trade secret protection, the owner of the trade secret must demonstrate that it took “reasonable measures to keep such information secret.” Confidentiality agreements are considered the bedrock of any well-managed trade secret protection policy. The presence or absence of a confidentiality agreement is often the most important factor in determining whether the owner of the trade secret took “reasonable measures” to protect the confidentiality of the information. First Fin. Bank, N.A. v. Bauknecht, 71 F. Supp. 3d 819, 842 (C.D. Ill. 2014). Other measures, like ensuring that key employees are subject to noncompete agreements, can be part of a well-developed trade secret protection program. Restricting access to confidential information to employees with a business reason to know about the information, physically securing the information on site, and protecting the information from publication are also considered “traditional” measures that any company should take to protect its trade secrets.
Pre-Pandemic Case Law
Before the pandemic, some case law already existed on the topic of protecting trade secrets in a remote-work arrangement.
In Computer Assocs. Int’l v. Quest Software, Inc., the Northern District of Illinois affirmed that a remote work policy was consistent with “reasonable measures” to protect secrecy because (1) the employees were subject to confidentiality policies set out in employee manuals, (2) employees were reminded of their confidentiality obligations on leaving the company, (3) access to the plaintiff’s main facility was limited by the use of key cards, (4) the alleged trade secret was never made available to the plaintiff’s customers or the general public, and (5) the defendants were aware of the confidentiality measures and understood they were intended to protect the secrecy of the information. 333 F. Supp. 2d 688, 696 (N.D. Ill. 2004). The court ruled the plaintiff’s procedures “could have been stronger,” but nevertheless ruled that the plaintiff had demonstrated it took sufficiently “reasonable measures” to protect the secrecy of its information.
Similarly, in API Americas Inc. v. Miller, the District of Kansas ruled that permitting an employee to work remotely was consistent with “reasonable measures” to protect trade secrets because the company had a confidentiality agreement and a noncompete agreement with its remote worker. 380 F. Supp. 3d 1141, 1149 (D. Kan. 2019). This was the case even though the remote worker sent “trade secrets to and from his personal email account ‘frequently’; and that [his employer] knew about this arrangement and permitted it.”
Trade Secret Policies For the Work-From-Home Era
To ensure maximum legal protection for trade secrets while employees are working remotely, companies should consider doing the following:
- Review and update confidentiality agreements. Any employee, vendor, or potential business partner who has access to confidential information should be subject to a nondisclosure agreement. Those agreements should be stored in appropriate personnel files and with the legal department’s contract management system.
- Update remote work agreements. Remote work agreements spell out an employer’s expectations for remote employees. A remote work agreement will reiterate the employee’s confidentiality obligations, set expectations with respect to home working environments, reiterate the importance of safeguarding information, and reiterate network acceptable use policies.
- Double down on training. Implement a regular schedule of trainings on the business importance of maintaining confidentiality. Training tends to reduce the number of incidents of trade secret misappropriation. In the event of misappropriation, frequent trainings are good evidence of a trade secret owner’s “reasonable measures” to protect the information.
- Leverage IT resources. Remote access should only be permitted through a secure VPN with dual-factor authentication. For particularly sensitive information, employers can implement individualized watermarking, access logging, and other electronic security features.
- Appoint an access czar. Appoint an executive to make case-by-case decisions about access to certain information. Doing so ensures that the information is only provided for business-critical reasons and that proper records of access are kept. Depending on the information, the trade secret owner might consider making the access czar a high-level executive in the company.
- Do not skip exit interviews. Meet with departing employees, even if virtually, to ensure return of confidential information and remind the employee of post-employment restrictions. This part of the employee life cycle is an important step in ensuring that information does not leave the company and in supporting a later claim of misappropriation (if necessary).
- Update guidelines for vendors and partners. Any sharing of confidential information with third parties should be subject to confidentiality agreements. The trade secret owner should also consider requiring the recipient of confidential information to take their own measures to ensure confidentiality.
- Document your efforts. Policies should be written down, employee confidentiality trainings should include written materials, employee access logs should be preserved, and decisions about remote access to confidential information by individual employees should be noted (with reasoning).
This post is an adaptation of my article, “Protecting Trade Secrets in the Era of Remote Working,” Managing IP, June 30, 2020 (subscription required).