Many offices around the country are closed and workers are sheltering in place due to government-issued quarantine and stay-at-home orders. Nevertheless, employees who can are telecommuting. But as a result, confidential information—once reserved for company servers or desks in the workplace—has now found its way onto personal computers and kitchen tables. Which means the time is ripe to remind your employees of the need to maintain the confidentiality of your sensitive materials.
Toward that end, Michelman & Robinson encourages you to consider the following 10 action items that could serve to protect your trade secrets.
- Reissue—via email—your company’s electronic use and confidentiality policies to all employees. In doing so, make sure the policies specifically speak to the challenges of working from home and the need to remain vigilant. It is important that you remind employees that their obligation to maintain company secrets is ongoing, which means they are not to share confidential information with unauthorized personnel, or give access to their personal or company computers to other members of their household or anyone else while working remotely.
- Educate your employees on how to spot phishing attempts or other fraudulent schemes designed to infiltrate company computing systems.
- Work with your IT department to issue protocols for the storage of company documents on personal computers. This may include setting up a virtual desktop infrastructure (VDI) or mobile device management protocol to ringfence company data from personal materials. Private cloud storage is also a viable option to ensure that company-owned information is protected from outside access.
- Insist that employees use strong passwords, and that their computers (1) auto-lock after brief periods of inactivity and (2) are equipped with company-provided anti-virus and protective software. In addition, you should encourage regular backups and establish protocols for immediate reporting of lost or stolen devices. Of course, employees will need to be trained to carry out all of these procedures.
- While employees generally have no right to privacy in the workplace, they do have an expectation of privacy in and to their personal computing devices—their homes as well, even when they become alternate work sites. For this reason, think about having your employees read and sign an online acknowledgement form giving you access to their personal devices for the limited purpose of locating and securing company documents. Within the acknowledgement, you should be transparent as to why the company feels such access is important, and make it clear that the company reserves the right to inspect employee devices if it has reason to suspect a security breach (or in order to conduct a security audit). While you are at it, inform employees about what may and may not get wiped from their devices should their duties change or if they leave the company.
You should understand that accessing your employees’ personal devices is a delicate subject. Thus, before allowing employees to retrieve company data on their own computers, tablets, or smartphones, be sure all parties—management and IT included—are explicitly clear on the aforementioned rules. And to the extent there is crossover between company and personal information on any given device, let your employees know how their private (non-company) data will be protected.
- Implement guidelines and an IT hotline to be used if an employee loses a device or suspects he or she has been hacked, or in any instance where company trade secrets or confidential information may have been improperly disclosed or otherwise compromised.
- Institute rules about remote printing, document storage, and the proper disposal of company documents (in file form or hard copy).
- Establish protocols for video conferencing, including security passwords and private spaces. In addition, given recent reporting in the press, be cognizant of issues, if any, regarding the security of your video conferencing platform.
- While this might seem ripped from a James Bond thriller, participants on video conferences and emails may want to use code names for highly sensitive or confidential products or projects.
- Given our new, higher risk environment, you may want to purchase a policy of cybersecurity insurance. This type of coverage is designed to mitigate losses from a variety of cyber incidents, including data breaches, business interruption, and network damage.
As always, M&R stands ready to help you address all of these issues, including the design of privacy policies and cybersecurity insurance procurement and evaluation.
This blog post is not offered, and should not be relied on, as legal advice. You should consult an attorney for advice in specific situations.