Fox Rothschild LLP
Before the COVID-19 pandemic, only a few companies offered remote work options. However, the workplace scenario changed drastically in the wake of the global pandemic that gripped the world since early this year. Overnight, employers were forced to move into a work-from-home reality for the unforeseeable future. For many companies, the future would include employees working from home, skeletal onsite staff, and employees practicing social distancing at work, leaving employers grappling with a bigger concern: protecting IP assets of the company while managing a remote workforce.
Typical intellectual property assets of a company can be broadly divided into four categories:
- Sensitive business information and trade secrets
While patents, copyrights, and trademarks can be protected by filing and obtaining an application, trade secrets are protected by keeping the information confidential. In the current scenario, chances of employee or third party IP theft have significantly increased since employees are regularly accessing, sharing, creating, or maintaining confidential information remotely. Employers should take a multi-pronged approach in protecting IP assets.
- Tracking IP assets:
- Non-tradesecret IP assets: Identify and document all the company-owned patent, trademark, and copyright registrations and pending applications and highlighting applicable deadlines. Identify a team of key employees who would be responsible for regularly manage and update the list.
- Trade secret: Document all the trade secrets labeling them as confidential and store in a secure place with only need-to-know basis access. Examples of such trade secrets can be data related to research and development, business know-how, data related to marketing, manufacturing data, or sales data. The documentation should include a description of the confidential information and the measures taken to keep it confidential. Further, implement a policy to limit the information on a need-to-know basis. Companies might consider adding further measures such as using secure logins, encryption, firewalls, pop-ups delineating the trade secret policy to protect the trade secrets further. If trade secret information is being shared with a collaborative third party, ensuring that the precise scope of any information-sharing agreement is clear to all employees involved. Employers should also evaluate suppliers, vendors, and other contractors / outside professionals involved in hosting, facilitating access, or accessing company information to ensure that they are taking steps to protect trade secrets if they, too, have remote work policies.
- Tracking physical inventory: In the current situation, it is more important than before for the companies to issue at least a laptop (and other smart devices as necessary) to every employee and requiring all employees to perform any remote work using a company-issued device only. While issuing the company-owned devices, companies should equip the devices with tracking and control applications to ensure the safe return of those devices in case of employee departure. Issuing company-owned devices to employees is particularly important because otherwise, when an employee leaves, he/she still might have sensitive information about the company on their personal device.
- Network security measure: Employers should consider requiring implementing security measures for employees’ home internet networks, such as the use of a virtual private network (VPN), anti-virus and anti-malware software, and regular password changes.
- VPN: Companies should ensure that employees can access proprietary information using a company authorized VPN only.
- Use of company-issued device: Employers should discourage employees from personal use of company-issued devices. Additionally, employers may restrict access to non-secure websites.
- Incident reporting procedure: Employers should create a robust reporting procedure to allow employees to report any suspicious activity.
- Trade secret access: Employers should create a check-in/check-out procedure for accessing confidential documents remotely.
- Monitoring usage: Employers should implement a system that notifies the IT department whenever an employee downloads, copies, prints, or deletes a significant amount of data from the company network.
- Policy updates: Employers should update employee manuals and employment agreements and reinforce employee training for handling confidential company information.
- NDA and IP agreement policy update: Updating NDA and IP agreement policies and requiring employee execution before granting remote access, or as a condition for continued access.
- Confidentiality and non-disclosure agreements: Ensuring appropriate confidentiality agreements are put in place, especially for disclosing novel ideas during a collaboration.
- Clear Authorization: Set-up an authorization policy and procedure for accessing confidential information remotely.
- Update exit policy: Updating exit policy to ensure exit interviews are conducted (even if done remotely) for every departing employee expressly demanding the return of any tangible sensitive business information and any company-issued computers, storage media, or other equipment. Employees should be reminded that disclosure of any confidential information that the employee learned during employment remains prohibited under company policies. Further, employers should immediately remove network access for departed and furloughed employees and audit the returned company-issued device to ensure any sensitive information has not been transferred, retained, or misused.
- Employee awareness and training: Employers should create a remote working policy clearly outlining security protocols for accessing sensitive documents for employees. Employees should be trained to use all security features of video conferencing software. Employees should also be trained about how to spot and avoid typical phishing scams, like deceptive phishing (impersonating a company like Apple), spear phishing (customized targeted emails), and executive fraud (impersonating a CEO or other high-level executive).
- Reasonable efforts to maintain secrecy: Employers should request employees to work in a secluded location if possible. If not possible, the employee should be reasonably vigilant to ensure the confidentiality of sensitive information. Employers should further encourage employees to turn off Home Assistant devices if the employee anticipates discussing sensitive information over phone or video conference. Employers should also discourage employees from printing sensitive information to the extent possible. Further, employers should also provide a secure recycle bin to every employee for discarding documents containing sensitive information.
- Increased preference for patents: Companies should consider filing patents for valuable information versus keeping the information as a trade secret as the risk of disclosure is high in a remote environment.
In the wake of the current unprecedented challenges, most companies are now moving towards maintaining a remote workforce for an indefinite future. Businesses should prioritize information management, protection efforts, and agreements, to remain afloat, competitive, and in the best position to endure trying times. Protecting IP assets should be a key focus of every organization especially in this environment.