“Data moves at the speed of a mouse click. When potential misappropriation is identified — regardless of the motives of the suspected perpetrators — victims of such theft must act immediately.”
The end of even the best employer-employee relationship can be fraught with challenges, not the least of which is the possibility that the employee may — unintentionally or with malice — depart with valuable trade secrets, proprietary data, or sensitive information. To minimize the likelihood of such misappropriation, employers should establish, communicate, and follow clear policies and procedures at each stage in the hiring, employment, and separation process:
- When recruiting employees
- At regular intervals during an individual’s employment
- When the employment relationship is terminated
- If evidence of theft or misappropriation is uncovered during routine and follow-on investigations
Trade secrets are protected under the federal Defend Trade Secrets Act (DTSA), which defines a trade secret as business or technical information that derives value from not being generally known or readily accessible to the public through proper means and which the owner has taken reasonable measures to protect. Trade secrets are also covered by numerous state laws, the overwhelming majority of which have been based on the model Uniform Trade Secrets Act. When developing their trade secret protection strategies, employers should consult with legal counsel to ensure that any policies and practices conform with applicable law. Even if information does not rise to the level of a “trade secret” under the law, it may still be protected by employers as confidential or proprietary information as long as reasonable measures are taken to keep the information confidential.
An Ounce of Prevention
The ideal time to address potential trade secret or confidential information theft is before it occurs. Every business should develop, communicate, and maintain clear guidelines that:
- Define and provide descriptive examples of trade secrets and other proprietary and confidential information (with a particular emphasis on employer-specific data, including customer lists, manufacturing processes, engineering schematics, recipes, internally developed software, usernames and passwords, etc.).
- Provide lists of disallowed activities (copying files to portable memory devices, sharing internal emails with persons outside the organization, etc.).
- Document to the employee the consequences of data theft, ranging from counseling or reprimands to termination, litigation, and notification of law enforcement officials.
Such policies should not focus solely on the employer’s confidential information; they should also make it clear that sharing or exploiting trade secrets of a former employer and/or competitor, even with the intent of “benefiting” the current employer, are unacceptable. Such policies should make it clear that employees engaging in such activity will be subject to consequences similar to those that would arise if they were to misappropriate their current employer’s trade secrets.
In addition to helping minimize accidental or intentional trade secret theft, communicating this information to potential, new, and longtime employees can also demonstrate that the employer has taken “reasonable measures” to prevent data losses. It is a common tactic for defendants in litigation to claim that they could not be accused of misappropriation because the plaintiff did not provide sufficient protection for its proprietary information.
As part of the hiring process, new recruits should be made aware of the policies described above and be required to sign confidentiality and nondisclosure agreements (NDAs) that acknowledge that they have been informed of and understand the employer’s trade secret protection standards.
(It is important to note that the DTSA expressly includes protections for whistleblowers who disclose trade secrets under certain circumstances. An employer’s failure to provide an employee with notice of such potential immunity can limit the business’s ability to pursue certain damages against an employee under the DTSA.)
Although these preventive steps appear to be more stick than carrot, they can be presented to employees in a positive manner. Every business depends on the loyalty and commitment of its leadership and employees — to the organization as a whole and to each other. One of the best ways to help ensure organizational success is to ensure that valuable intellectual property is protected — a service that every individual can provide to the group.
Trade secret protection doesn’t stop once an employee has signed an NDA. Cybersecurity experts recommend that regular, ongoing data security training be provided to all staff, the timing and level of which should be based on specific responsibilities, access to sensitive information, and other factors. This not only minimizes risks arising from data breaches, ransomware attacks, phishing, and other outside threats, but it also helps ensure that employee vigilance does not degrade over time.
In addition to creating standardized onboarding procedures, employers should develop, document, and implement routine offboarding procedures to ensure that departing employees (including those who leave their jobs voluntarily and those who are dismissed by the employer) are aware of their ongoing, post-employment confidentiality and nondisclosure obligations.
Exit interviews should include a review of the trade secret protection agreements signed by the employee. The departing employee should also return to the employer:
- All identification badges, entry cards, fobs, mechanical keys, and other items that identify the person as an employee of the company and allow access to secured premises.
- All employer-owned computers, tablets, mobile phones, and other computing and telecommunications devices, as well as external storage devices. Departing employees should be directed specifically to maintain all information on such devices — deleting nothing — and be required to provide any passwords or passcodes necessary to access the devices.
- All company-issued credit and debit cards.
- All physical records containing proprietary company information, including books, files, and other printed materials.
In addition to removing access to the employer’s electronic systems and platforms, employers should also work with their IT department to conduct standard reviews of the company’s electronic records to identify any suspicious or unusual activity by departing employees prior to their departure. This is particularly important for employees who have had access to sensitive or highly valuable information as a routine part of their job responsibilities. It is also important for the employer’s IT department to conduct the investigation in a manner that will not alter or delete information from the devices and accounts.
These reviews should examine:
- Email, text, messaging, and other employer-based accounts to identify communications that included proprietary or sensitive data and were sent outside the organization or to the employee’s personal email addresses.
- User profiles in corporate platforms, intranets, databases, etc., to identify unusual computing activity.
- Web-based file-sharing accounts, including internally managed systems and third-party cloud computing and task management solutions such as Dropbox, Box, OneDrive, Google Drive, Microsoft Teams, Trello, Basecamp, etc.
- Whether external thumb drives or hard drives were attached to devices, and if so, what information was transferred and/or viewed from those external devices.
- Social media activity, including business accounts and authorized postings created as part of an employee’s job responsibilities, as well as private posts and comments on third-party platforms such as Facebook, Instagram, LinkedIn, and the like.
If these standard inquiries identify any suspicious activity, employers should consult with legal counsel and digital forensics providers immediately to pursue further investigations that can document suspected misappropriation and establish an evidentiary record.
Develop Relationships with Outside Advisors
Corporate IT budgets vary greatly and depend on the size, sophistication, and priorities of the business. Most companies, however, do not maintain an in-house computer forensics team or have an internal legal department dedicated to managing issues relating to potential employee misappropriation of trade secrets.
Acknowledging these gaps, employers should develop relationships with outside legal counsel and vendors that provide digital forensics, electronically stored information (ESI) preservation and drive imaging, e-discovery, hosted document review, and related services. Such advisors can leap into action immediately, identifying potential losses, preserving records, and setting in motion legal and law enforcement proceedings aimed at preventing or stopping the dissemination and misuse of confidential and proprietary information.
Pursue Legal Action and Relief
Data moves at the speed of a mouse click. When potential misappropriation is identified — regardless of the motives of the suspected perpetrators — victims of such theft must act immediately.
Legal counsel can take a number of actions to prevent, minimize, and stem information losses, including:
- Issuing cease-and-desist letters.
- Seeking temporary, preliminary, and permanent injunctive relief.
- Seeking temporary restraining and seizure orders.
- Working with key internal staff and third-party vendors to preserve information and develop evidence.
- Reporting the theft to law enforcement.
Where clear evidence of wrongdoing is established, employers can seek a range of penalties and financial relief, such as monetary damages (including lost profits, reasonable royalties, amounts reflecting the former employee’s unjust enrichment, and exemplary damages) as well as costs, attorneys’ fees and pre- and post-judgment interest.
Employers must take seriously every threat to their valuable proprietary information. An important element of preparedness involves identifying internal risks, whether such risks involve an employee who accidentally shares trade secrets or a more threatening wolf in sheep’s — and corporate — clothing.
Image Source: Deposit Photos