The number one risk for trade secrets exfiltration is from insider threats—employees, contractors, or even executives with access to sensitive information who either intentionally or accidentally compromise it. It can be malicious or accidental. For example, if you email a list of clients to your personal account out of convenience, sometimes it is. Your company should take the necessary steps to ensure that its confidential information and trade secrets are not leaked. Your company may suffer severe financial losses and even lose its competitive advantage in the market if you do not take action. This case study will help you understand this further.
We represent a firm that has invested a lot of time, money, and effort to gather, analyze, and aggregate various operational processes, structures, and systems to deliver the best services to its customers. As with many other companies, the success of this company depends on all types of confidential information pertaining to its operations. This includes products, pricing and standard operational processes as well as key performance indicators, training strategies, and maintenance of such confidential data. The company makes it a requirement for certain employees to sign a confidentiality contract before they can access its confidential information.
1. Businesses should regularly identify, catalog and audit their trade secrets.
One of the most common mistakes that companies make involves assuming that everyone understands what needs to protected. Trade secrets can be buried within day-today operations, and are overlooked. Security isn’t just a technology problem, it’s also a process and people issue. The executives of a company should consider the most important processes, formulas and relationships in their organization and ask themselves: Who has access to this information, who tracks it, and how does it get stored? In order to protect data, a company must also inform employees about the types of sensitive information (and why it is worth protecting). After answering these questions, a business can implement classification, tracking, security protocols and distribute the appropriate policies. Do not forget to consider what happens with information after it is no longer required. Inadequate document disposal is one of many ways that sensitive data can be lost.
2. Businesses should train their employees on how to handle confidential information and trade secretes.
This training can include (i), terms of use, for devices, systems and data; (ii), the use of restrictive covenants and/or non-disclosure agreement; (iii), assignment agreements; (iii), security awareness training; and (iv), training on confidentiality. Employees cannot protect information they don’t know about (or refuse to acknowledge as confidential). Regular and ongoing training is necessary to ensure that employees know what sensitive information is and how it should be handled. This training is not only for new hires, but also for existing staff. It helps to reinforce expectations, as well as keep security in the forefront of your mind. If employees are well-trained, they will become active participants in your protection strategy rather than just potential risk sources.
3. Many red flags can be seen in the personal and behavioral traits of employees. These are things that are easily observable and should not go unnoticed before sensitive information is compromised.
A disgruntled worker or someone who has a poor record of performance may be more inclined to mishandle or act out sensitive information. Also, you should be on the lookout for those who don’t believe in rules. You should also be on the lookout for people who think they are above the rules (i.e. If someone goes straight to the leadership or bypasses his supervisor, this may indicate a conflict or lack of trust. Repeated security violations or strange work patterns, such as showing up late or at weekends, can also indicate a concerning behavior. Someone who complains about being underappreciated may be more at risk of stealing trade secrets.
4. Companies should monitor all digital activity to the extent possible. While certain personal behaviors may raise suspicions, the technology can often reveal the truth.
With the right monitoring, you can get an early warning of a breach before it happens. All sudden changes in email patterns, device usage or access patterns can be indicators of a trade secret being stolen. It is important to have monitoring systems in place which not only collect data but also flag suspicious activity and review it in real time. This is particularly true for companies whose highest risk window occurs just before or immediately after an employee leaves. Companies need to have policies that prevent employees from downloading documents onto USB devices or sending sensitive company information to personal email accounts. They may also want to monitor emails of their employees to ensure this does not happen. The conduct could be due to a careless employee or a malicious employee that wants to harm your company. However, in terms of protecting confidential information for your company, either situation is risky. It can lead to sensitive data being exfiltrated. Prior to terminating an employee, the company should review their email history to ensure that they recover all emails sent to that employee’s personal email. This is especially important if those emails contain proprietary or confidential information.
5. Physical security is crucial, because it is where digital protection often fails.
Depending on the industry you are in and/or the products that your business produces, your company might want to restrict who has access to sensitive areas. This could be done through visitor protocols or badges. You may also want cameras and recording devices restricted when sensitive information is present. Logs, video surveillance cameras and ID systems may be used to identify any unusual patterns of access. The most sensitive physical documents should be marked and monitored by companies. These documents must also be stored safely and disposed of correctly. Employees should be empowered to report suspicious behavior if they observe it on site. If possible, companies can even implement a system for reporting suspicious behavior.
6. Every company should have an established plan to manage trade secrets exfiltration. This is especially important during times of employee turnover or insider threats.
Finaly, your company needs to plan a roadmap for onboarding as well as offboarding. This should include plans for dealing with a possible insider threat. One of the easiest ways to expose trade secrets is through departing employees. In order to prevent trade secret exposure, companies should regularly conduct exit and entrance interviews. They also need a clear policy on how to deal with employee terminations. The exit process must be complete and not rushed. It should also include recovering all electronic devices, removing the access to these devices, and holding a face-to-face conversation with employees about their confidentiality obligations. Cloud tools, shared folders or auto-saved passwords can easily be overlooked by your company. Do not assume, as in the case of our example, that technology issued by your company will be returned to you in a clean state. Secure the hardware, and maintain a chain-of-custody. A final inventory ensures that nothing is lost, physically or electronically.
Implementing the strategies above isn’t a one-time task. You and your company will need to revisit trade secret protection as your business grows and changes. Keep these strategies in mind to ensure that you can rest assured knowing your company’s confidential and proprietary data and trade secrets are adequately protected.
Jordan B. Schwartz He is a partner at the Washington, DC, office of Conn Maciel. Mr. Schwartz counsels employers on complex employment-related matters. He defends his employers against allegations of discrimination and harassing, misappropriation trade secrets and wage and hour violation. He counsels employers in all aspects of the employee-employer relationship. His practice includes the following: wage & hour law; non-compete agreements and trade secrets; the Americans with Disabilities Act (ADA); harassment and discrimination; employment counseling; and Occupational Safety & Health Administration (OSHA). Mr. Schwartz is a lawyer who practices in many different industries. He has a wealth of experience and knowledge within the healthcare, retail and government contracting sectors.
The original version of this article appeared on HospitalityLawyer.com.
