Seyfarth Synopsis: Protecting trade secrets from employee theft requires more than using an NDA when onboarding new employees. If businesses want to protect their confidential information, they need to take a cradle-to-grave approach, reiterating employee obligations regularly, including during the exit interview. (Yes, you need to do exit interviews!)
The headline stories in intellectual property theft these days tend to involve Russian government hackers or the Chinese military engaged in high-tech attacks to pilfer vast troves of data stored by big businesses or government entities. The losses are staggering, especially in the aggregate. Ahead of a 2009 report, McAfee estimated that cybercrime cost worldwide economies $1 trillion. That number was cited by (a then-youthful) President Obama in his first speech on cybersecurity. Since that time, attacks by professionals and nation states have remained at the forefront of both news reports and the public perception.
But despite the disproportionate attention given to eye-catching, high-value, high-tech attacks, a 2014 PricewaterhouseCoopers survey revealed that many U.S. businesses recognize that threats from the inside are just as costly as those from the outside. Nevertheless, “only 49% of all [survey] respondents have a plan for responding to insider threats.”
Trade secrets are particularly susceptible to theft because they by definition consist of secret information that has actual or potential economic value. Those within companies—whether by ignorance or by design—often find such information too tempting to be left behind when changing employers. Therein lies the problem.
Trade secret theft by employees may not grab as many headlines as neo-Cold War espionage, but the data suggests that employees, not foreign nations, pose the greatest risk of loss from trade secret theft. The good news is that a little proactivity by employers will go a long way toward keeping them out of the 49%.
Of course, in California, obtaining protection is not all that simple. Non-compete agreements are, but for some very limited exceptions, a non-starter in California under Business and Professions Code § 16600, so you had better have your trade secret house in order. And because California trade secret plaintiffs must identify their trade secrets with reasonable particularity before commencing discovery, it pays to invest time on the front end to identify and inventory your trade secret information before litigation arises.
So, what can employers do?
Update Employee Non-Disclosure Agreements to Comply With the DTSA, and Make Sure Employees Are Informed Why The Agreements Are Important
At this point, almost all employers (hopefully) have confidential/non-disclosure and trade secret protection provisions in their employment agreements. But have these agreements been updated to comply with the recently enacted Defend Trade Secrets Act (“DTSA”) and its important employee/whistleblower notification provisions? And what are employers doing to help ensure compliance with their agreements? Rolling out new agreements is relatively easy. Making sure they are most effective takes some doing.
Remember, your organization will not even have trade secrets to protect unless it has made “efforts reasonable under the circumstances” (under the California Uniform Trade Secrets Act) or has taken “reasonable measures” (under the DTSA) to maintain the secrecy of the information it claims to be trade secret. CAL. CIV. CODE § 3426.1(d); 18 U.S.C. § 1839(3)(A).
Implement Computer Use and Social Media Agreements and Policies
The vast majority of trade secret theft is accomplished via electronic devices. Make sure your company uses computer use and access policies/agreements that:
- Set forth that the company’s computers, network, related devices, and information stored therein belong to the company;
- Indicate that access to the company’s computers and network is password protected, with access authorized only for the purposes of conducting work on behalf of the company;
- Make use of data storage/access hierarchies, with the company’s most valuable information being accessible on only a need to know basis, with security access redundancies (housed in a highly secure database that requires unique user credentials distinct from the log-in credentials used by the employee to access his/her computer workstation);
- Identify which devices are allowed in the workplace—BYOD practices have become popular, but also present challenges in regulating information flow and return. If employees are using their devices to perform work for your company, make clear that company data on those devices belongs to the company;
- Notify employees that the company reserves the right to inspect devices used for work to ensure that no company data exists on the device(s) upon termination of employment;
- Define whether cloud storage may be used by employees, under what terms, and what happens when employment ends;
- Define whether external storage devices (e.g., thumb drives) are allowed and under what terms; and
- Identify whether, to what extent, and the terms under which employees may use social media associated with their work for the company—company trade secrets must never be publicly disclosed, but beware of overreach that suppresses employee communications protected under Section 7 of the National Labor Relations Act.
Build a Culture of Confidentiality—Make Sure Employees Know What The Company Regards as Confidential Information and Then Remind Them Routinely
Employees need to understand what information your company considers confidential. Educating employees on this should start at the beginning of employment/during onboarding, continue throughout the employee’s tenure with your company, and carry through to the end of employment. Tools that can help with this include:
- Onboarding procedures that emphasize the importance of company confidential information;
- Including in employee non-disclosure agreements an express representation that the employee does not possess and will not use while in your employ confidential information belonging to her/his former employer or any third party;
- Using yearly (or more frequent, depending on your organization) reminders/very brief interactive e-modules emphasizing to employees the importance of maintaining the confidentiality of company information;
- Requiring that the employee sit for an exit interview; and
- Requiring that the employee certify by his/her signature during the exit interview that she/he has returned all company information and property (the employee may provide property on the spot or make statements about what will be returned—you should inventory all such indicated property/information).
Properly Exiting Employees—Particularly for High Risk Employees—Matters!
Not all employees present the same risk of loss. Generally, the higher up the food chain/the greater the exposure to company confidential information, the greater the risks presented upon employee departure. The following recommendations are for mid-to-high risk departing employees:
- Whoever in your company conducts exit interviews needs to be prepared—use a checklist;
- “Preparedness” will vary depending on employee type, but for higher risk employees, should include, where possible: (1) identifying, prior to the exit interview, the trade secret and confidential information the employee routinely accessed and used during employment; (2) reviewing for unusual activity the departing employee’s computer and work activities (including card key facility access data, where available) in the days and weeks leading up to their exit; (3) using an exit certification as noted above; and (4) inquiring where the employee is going and what position she/he will occupy;
- Where initial investigation warrants it, conduct discreet interviews with company-friendly coworkers of the departing employee to identify potentially suspicious conduct;
- Immediately shut the departing employee’s access to company computers, networks, and other data repositories (e.g., cloud or other off-site storage). Cutting off access to company computers and data may be warranted before exiting the employee depending on perceived risk of data theft;
- Send a reminder of obligations letter to the now former employee reminding her/him of ongoing obligations to the company and attaching, where useful (i.e., properly drafted), a copy of the non-disclosure agreement signed by the employee;
- Consider sending a notice letter to the new employer, but tread carefully here to not overstep or provide a basis to be accused of interfering with the employment relationship between your former employee and the new employer; and
- Depending on the threat level you perceive, consider having a departing employee’s e-mails preserved and their electronic devices forensically imaged.
With best practices in place, protecting your company’s trade secrets should be more like routine but vigilant maintenance than preparing to do cyber battle with foreign states. Organizations understandably focus on creating the next “big thing,” increasing sales, and building investor value, but slowing down enough to be purposeful in protecting intellectual property is a must.