As the number of people vaccinated against COVID-19 steadily increases, many employers are starting to turn their minds to a return to the workplace. However, it’s unlikely that we will be returning in the same numbers as pre-pandemic, with many employers across the world looking to embrace “hybrid working”, that is, a combination of home-working and office-working. What are the consequences of hybrid working for the protection of valuable intangible assets such as trade secrets and other confidential information, and what can employers do to mitigate the risks?
The risks have never been greater
Since the start of the pandemic there has been a significant increase in the number of cyber security attacks and breaches, with criminals exploiting the fact that an organisation’s systems and information are more vulnerable when employees are working outside of the office. For example, the UK Government’s Department for Digital, Culture, Media & Sport reported in March 2020 that two in five businesses had experienced cyber security breaches or attacks in the last 12 months, whilst a report by ESET found that there had been a 768% increase in remote desktop attacks in 2020.
Understandably, at the start of lockdown most employers were scrambling to get their systems set up so employees could work remotely and they could continue to deliver their services. The speed at which this was required meant that they often did not have the time to carry out in-depth reviews of the data security implications. As we now move towards a hybrid working model, new risks are emerging: employees will be transporting confidential information (whether in digital or paper format) between the home and the office more often, increasing opportunities for data to be lost, misappropriated or intercepted.
Working outside of the office also presents more opportunities for employees to leak confidential information, whether deliberately or inadvertently. For example, disgruntled employees or those who are planning to move to a competitor might take advantage of the fact that their activities are not subject to the same monitoring by sending confidential information externally, or printing sensitive material such as client contact details and pricing arrangements at home.
So, what are the key consequences of a breach of confidential information?
Financial: the cost of trade secret theft can be up to US$1.7 trillion annually. Aside from the costs of legal action, ransoms and fines (e.g. for breaches of data protection legislation), it can result in competitors obtaining valuable information about your business, which they can use to undermine your competitive advantage.
Reputational: data breaches can have a significant negative impact on consumer confidence and an organisation’s perception in the market, particularly if the breach involves the disclosure of customer/client information.
Operational disruption: dealing with data breaches requires significant time and resources, and can significantly disrupt an organisation’s day-to-day operations.
What action can employers take now?
Given these risks, it’s perhaps not surprising that in a report commissioned by CMS and written by The Economist Intelligence Unit, we found that more than a third of board director and C-suite respondents considered trade secret protection an ‘essential priority’. The good news is that by being proactive, organisations can significantly reduce the risk of a breach occurring in the first place.
1. Co-ordinate your approach
To develop an effective approach, it’s critical that an organisation’s HR, legal, compliance and IT teams work together. Whilst IT will need to take the lead putting in place appropriate data security and monitoring measures, HR, legal and compliance will play a key role in ensuring that these measures are lawful and effectively communicated to the workforce.
2. Don’t underestimate the role of your employees
Employees are an organisation’s best (and weakest) asset in protecting against data breaches and trade secret misappropriation. Whilst data security may be an increasing priority for an employer, employees do not always treat it with the same seriousness. For example, a study by Trend Micro of 13,200 workers across 27 countries found that 32% of employees said that it didn’t matter if the application they used was approved by their employer’s IT department, provided it got the job done, whilst 21% of employees in Italy allow unauthorised individuals such as family and friends to access their work devices. This may be why the CMS / Economist Intelligence Unit report found that 47.8% of businesses considered employee leaks to be one of the most significant threats to the security of trade secrets.
So, what can employers do to prevent employee leaks?
Businesses should ensure that they have robust policies and processes in place around confidentiality and data security, and that these are effectively communicated to staff. Bear in mind that employees are unlikely to go out of their way to read policies, so ensure that they are provided to staff at the hiring stage and circulated regularly thereafter.
Consider the particular risks posed by hybrid working and ensure that these are addressed in your policy and procedures. For example, under a hybrid model, staff are more likely to be taking confidential information between the office and home – what is your organisation’s position on this? Can confidential information only be removed from the office if it is on an encrypted device? Remind employees that they should not read confidential information in public places (e.g. the train, cafes, communal workspaces) where this could be seen by others.
Don’t just leave it at a policy – ensure that staff are required to participate in mandatory data security training when they join an organisation and annually thereafter. This should clearly explain what trade secrets and confidential information are, the employee’s obligations to keep them secure, and the consequences of non-compliance.
Ensure your contractual documentation with staff adequately protects confidential information. Key clauses include confidentiality undertakings by the employee (which clearly and comprehensively define trade secrets and confidential information), an obligation to return and not retain copies of any confidential information on termination, and post-termination restrictions preventing employees from working for competitors and/or soliciting clients for a set period after their employment ends. Ensure that these clauses and the consequences of any breaches are brought to employees’ attention in your organisation’s annual training.
Ensure that your approach and communications reflect your legal obligations. For example, Italy has introduced specific legislation to cover hybrid-working (known locally as “smart-working”), which requires that employment contracts specify the equipment to be used by an employee outside of an employer’s premises. Meanwhile in Slovenia, government guidelines for remote working recommend that employers set out how trade secrets and other sensitive information are to be protected, whilst the Slovenian Information Commissioner has published advice on “How to protect personal information when working from home?”. Similarly, in France, the French Data Protection Authority has published guidelines on keeping information secure when working remotely.
3. Avoid “bring your own device” (BYOD) policies
Organisations have increasingly adopted BYOD policies to complement their new flexible working culture. However, Professor Matt Marx, professor of entrepreneurship at Cornell University, warns against such an approach in the CMS / Economist Intelligence Unit report, stating “[t]his is a bad idea…As companies increasingly bring external stakeholders into their digital ecosystems and use multiple cloud-based services, the risk of third-party breach also rises.”
Employers considering adopting a BYOD policy need to be cognisant of the risks and weigh these up against the benefits; if cost-saving is the driver, businesses should bear in mind the financial risks posed by data breaches. If an organisation does implement (or continue with) a BYOD policy, it should ensure that its IT team have put in place sufficient security measures to reduce the risk of a deliberate or inadvertent data breach as part of the hybrid working model.
The risks posed to protection of companies’ trade secrets and other confidential information are not going to disappear when we return to the workplace; if anything, new risks are likely to emerge. It’s therefore essential that businesses prioritise this issue, develop a strategy and keep it under regular review. A key part of any such strategy will be the role of employees in keeping data secure – by taking steps now, you can ensure that they are your biggest asset, and not your biggest weakness, in combating data theft.
This article was written by Hannah Netherton who is a member of the CMS trade secrets taskforce, in conjunction with the CMS Employment Team Associates Initiative, in particular Abbie Harley (CMS UK), Federico Pisani (CMS Italy), Aurélie Parchet (CMS France), Sinan Abra (Turkey) and Amela Žrt (CMS Slovenia).