This article, co-authored by WLJ attorneys Meredith Lowry and Daveante Jones, originally appeared in the March 15, 2021, issue of Arkansas Business.
The pandemic continues to cause major changes for businesses.
Workforces have suffered furloughs and layoffs. Employees are now spread out from the traditional workplace to remote working environments in their homes, stretching servers over company and personal devices.The need for businesses to prioritize protection of confidential information and trade secrets and avoid accidental disclosure and misappropriation is at an all-time high. Doing so is going to take effort and planning to 1) identify trade secrets, 2) limit access to secrets and 3) enact further measures to guard them.
What is a trade secret?
The most common trade secrets include software algorithms, inventions, designs, formulas, ingredients, devices and methods. While trade secrets are common, laws that govern them are often state-specific or used in conjunction with the federal Defend Trade Secrets Act. For instance, under both Arkansas and federal law, a “trade secret” is defined as information, including a formula, pattern, compilation, program, device, method, technique or process, that the owner derives independent economic value, actual or potential, from it not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use; and is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
Taking this into consideration, businesses should be sure to identify what they see as trade secrets and make sure to educate employees on those. This could include as a training program and stand-alone trade-secret policy. As more employees continue to work from home, businesses should also be sure to remind them that they must comply with data-security policies.
In ConAgra Inc. v. Tyson Foods Inc., Arkansas courts endorsed the following factors in determining whether company information qualifies as a trade secret: “(1) the extent to which the information is known outside the business; (2) the extent to which the information is known by employees and others involved in the business; (3) the extent of measures taken by the company to guard the secrecy of the information; (4) the value of the information to the company and to its competitors; (5) the amount of effort or money expended by the appellee in developing the information; and (6) the ease or difficulty with which the information could be properly acquired or duplicated by others.”
More often than not, the most important of these factors is the extent to which the information is known by employees and others involved in the business and the extent of measures taken by the company to guard the secrecy of the information.
Limiting Access to Trade Secrets
Limiting access to trade secrets in remote work environments can be hard. It takes both having in place the necessary information security systems to guard against cyberthreats and limiting access to certain employees. Information security experts and legal counsel can help businesses develop a cybersecurity framework and risk management plan now during the pandemic and as workers move back to an office environment.
Pre-pandemic remote workers previously raised a cybersecurity risk through use of unsecured internet connections. In our current pandemic world, the risk of cybersecurity attacks increased with the rapid shift to remote work, our new reliance on videoconferencing, and the presence of employee personal devices like Amazon Alexa or Google Home.
Companies now need to assess whether their policies provide sufficient trade secret protection to prevent breaches or make sure any cybersecurity insurance covers breaches for the transfers of information outside of the company network. Many companies prohibit transfers to remote storage devices, like USBs or cloud networks, but companies should also consider using secure networks for employee connections to company networks and limiting access to certain digital files to key individuals. Information system professionals and company counsel should work in concert to make sure current cybersecurity standards are implemented and access is limited for trade secret information.
Although a good starting point, keeping confidential and proprietary information on password-protected servers may not be enough. For instance, a business that assembled, fabricated, installed and serviced scales, control and indicating systems that separated and weighed items of food did this. See Weigh Systems South Inc. v. Mark’s Scales & Equipment Inc., 347 Ark. 868, 68 S.W.3d 299 (2002). The information, however, was available to multiple departments, including employees who worked in the parts room, accounts payable department, service department and other management. The court held that this did not weigh in favor of the subject information being deemed trade secrets.
With this in mind, administrative access to networks with proprietary and confidential information should be restricted and “least privileged access.” Restricting access rights to only those who absolutely need the data should be practiced religiously. Businesses should also be sure to have clear policies for employees to save and store sensitive corporate data over secure network access and only on work-issued devices.
Enacting Other Secrecy Measures
A topic that often comes up with enacting measures to guard trade secrets is prohibiting the disclosure of information post-employment. The increased number of furloughs and layoffs during the pandemic makes prohibiting the post-employment disclosure of trade secrets more critical now than ever.
A couple of ways to do this have normally been:
- Restrictive covenants such as noncompetition, confidentiality and nondisclosure agreements and
- Immediate collection of work-issued devices and termination of access to company data.
With closed courts and furloughed and laid-off employees, however, there are new challenges for businesses when it comes to restrictive covenants like noncompete agreements that limit the possibility to pursue other employment.
Courts have always been hesitant to enforce noncompetition agreements against laid-off employees, but now states like Oregon, Washington, Massachusetts and Virginia have enacted laws subjecting certain restrictive covenants to intense scrutiny.
For instance, Virginia passed a law, effective July 1, 2020, prohibiting businesses from entering noncompetition agreements with “low-wage employees” or, in other words, employees who earned less than the average weekly wage of the state (i.e., about $1,200 weekly or $62,000 annually). Mayor Muriel Bowser signed the D.C. Ban on Non-Compete Agreements Amendment Act of 2020 on Jan. 11. D.C.’s ban does not include a wage cutoff like Virginia’s and goes even further to ban policies and agreements that prohibit employment with other entities during employment.
Finally, President Biden has proposed a nationwide noncompetition agreement ban except in limited circumstances that are necessary to protect a narrowly defined category of trade secrets. There is skepticism that it will happen but it’s definitely something to know about. With so many evolving laws nationwide, businesses should be proactive in researching any issues with any current agreements with employees and updating agreements that may be used in the future to address remote work situations.
While there are a number of laws that place heavier restrictions on noncompetition agreements, most state laws do not place the same level of prohibition against nondisclosure and confidentiality agreements that are tailored around protectable business interests like trade secrets.
Thus, continue to remind employees of any company confidentiality and nondisclosure policies, as well as any current confidentiality or nondisclosure agreements that employees may have entered. Also, the employees should be reminded that working remotely does not change any of these policies. For employees who may not have entered into a nondisclosure or confidentiality agreement, follow up with them and have them sign one.
Whatever the case may be for restrictive covenants, businesses should also be sure to prepare a plan to collect any work-issued devices immediately upon the end of an employment relationship. Also be sure to terminate any access to sensitive company data by way of any work-issued or personal device by a secure network.
In conclusion, businesses should:
- Identify company trade secrets;
- Educate employees on trade secrets and data security and storage policies;
- Ensure that up-to-date and secure systems are put in place;
- Limit access to sensitive and proprietary information on a need-to-know basis;
- Develop a plan to promptly collect devices and terminate access to company data once an employee is furloughed, laid off or terminated;
- Develop a cybersecurity framework and risk management plan with the assistance of legal counsel and IT professionals;
- Update any restrictive covenants the business uses to address remote work situations and incorporate any changes in the law in the applicable forum; and
- Have employees sign confidentiality or nondisclosure agreements to prohibit disclosure of trade secrets and other confidential and proprietary information.
As the pandemic continues, businesses should stay vigilant in their efforts to protect confidential information and trade secrets.