By Joanna Adcock, Associate, Stevens & Bolton LLP
With huge swathes of the UK now working from home, protecting a business’s trade secrets and confidential information has arguably never been harder. This makes it increasingly important for businesses to understand the steps they can take to protect themselves.
Trade secrets can take many forms, from a confidential algorithm to a customer list or technical knowhow. They are often key assets of a business, and their legal definition under the Trade Secrets Directive is something which: is secret (i.e. not generally known or easily accessible to people who move in circles linked to the information); has commercial value because it is secret; and has had reasonable steps taken to protect it by a person lawfully in control of such information.
Whether something is in fact a trade secret or confidential information is often the most hotly contested issue; and, in particular, distinguishing genuine trade secrets from the general skill and knowledge that employees learn while working for a business can be difficult.
For that reason, perhaps the most important thing a business can do to protect itself is to work out what trade secrets it actually holds and where they are. The increase in homeworking has resulted in a lack of visibility of employees, and to a certain extent a loss of control of the business environment. With so much more of a business’s operations happening online from multiple locations, controlling who has access to what and from where is harder than ever.
Ensure adequate protection
Ideally, electronically stored confidential information should be kept within a document management system that allows for tracking of individuals’ use, with access limited to only those who need it in order to do their job.
Additionally, password-protecting documents and ensuring security software is up to date (to protect against cyberattacks) are important, but relatively straightforward, steps to take. However, businesses should exercise caution when considering further employee monitoring tools, such as keystroke and screen monitoring, as there are complex rules around their use.
Create clear policies
Clear policies should back up any protections chosen, including those covering working from home, IT and security, emails, monitoring and data protection. It is hard to argue that a piece of your business’s information is truly confidential when any employee can download it onto their personal laptop.
Engaging with employees and ensuring they are aware of what information is confidential is also key. New employees should be deterred from unlawfully bringing trade secrets or other confidential information from their former employer; otherwise they may face a claim for breach of contract and the new employer may face a claim for inducing such a breach.
Employment contracts can offer protection during a person’s employment (and beyond) with appropriate confidentiality provisions protecting the business. A disgruntled former employee seeking to harm or disrupt a business can pose a threat to trade secrets and confidential information. This risk is minimised when their exit from the business is well managed, with a reminder of their obligations of confidentiality and any restrictive covenants, and confirmation that these obligations are taken seriously.
When any employee leaves the business, collect all company property, including documents, laptops and mobile phones from them promptly. Any passwords and login details should be updated upon their departure and any confidential information held on their personal devices should be deleted with confirmation from them that this has been done.
If you send documents, such as pitch documents, containing confidential information to third parties, you may wish to consider using a non-disclosure agreement to ensure those receiving it know to keep the contents confidential.
What if there is a breach?
Quickly ascertaining what information has been transferred (or accessed) and then responding rapidly and decisively is vital in limiting the risks a business may face. The breach should be contained so far as possible to minimise damage, which can be achieved by way of an injunction or an external statement. Additionally, you may be required to report a breach to the Information Commissioner’s Office, within 72 hours, in order to comply with data protection obligations and to avoid penalties.
Above all, be proactive
Businesses need to manage the protection of their confidential information with regular reviews taking place in order to minimise the risk of unauthorised access. Putting procedures and policies in place now can give business owners peace of mind that they are doing what they can and will save time should the need ever arise to respond to a breach.