To prevent the
further spread of the coronavirus (COVID-19), many companies have sent large parts of their
workforce home and drastically changed working practices.
Pressure is now mounting
for businesses to improve their employees’ ability to work effectively from
home, sometimes by deploying new technologies or changing existing policies,
all at short notice.
Remote home working, apart from practical issues, presents
significantly increased risks to companies’ trade secrets and confidential information.
To be protected by
law, trade secrets must not only be kept secret but also be subject to reasonable
steps to keep them secret.
To comply with the latter requirement – and to prove
this in court proceedings – would be a challenge for companies under ordinary
circumstances but is even more difficult in current times.
Below are some key
points for businesses to consider.
remotely are using their own devices, new conferencing tools and their home
This raises the risk of companies falling victim to a cyber
Cyber criminals see opportunity,
while public prosecutors and cyber taskforces have only limited resources and work
To mitigate the cyber risk, companies should consider:
- reviewing existing
policies and assessing the need for updates – what works at the office may not be
suitable in a home-working environment;
- reviewing responsibilities
and roles regarding cybersecurity in light of changed working conditions and the potential need for increased
- using industry-standard
VPN or similarly secure access solutions where possible;
the use of public, unsecured wi-fi for work purposes;
- reminding employees of the importance of keeping corporate information away from personal devices and systems, except where this is fully compliant
with the company’s policies and procedures;
blocking remote access to particularly sensitive information (the 'crown
- ensuring remote
lock-out and wipe capabilities are available to cope with lost company devices;
system access to detect irregularities in real time;
- issuing specific
guidance for employees on how to detect and react to COVID-19-related phishing and
downloads of any unauthorised programmes or applications on company-provided hardware
without consulting the IT department;
- issuing guidance
on how to communicate with colleagues, customers, etc via secure channels; and
- checking the
resilience of systems with penetration tests that take account of the current IT
Bring your own device (BYOD)
Extensive home working
is likely to be associated with an increased use of personal devices for work
purposes, including information being stored on personal devices and sent to
personal email addresses.
The likely lower
security levels on personal devices means an increased risk of leakage of
To reduce the risk, companies should ensure that
employees do not need to use their personal devices for work purposes by providing
them with appropriate equipment wherever possible.
If employees using their
own devices is unavoidable, the following measures should be implemented:
- set up and
enforce BYOD policies and procedures;
and ensure full compliance with password-protection and encryption policies
- impose an
obligation that all necessary and recommended (security) updates are installed;
- prohibit the
use of private email accounts for work purposes;
- enforce policies
that documents stored on personal devices are deleted immediately after use;
- use software
that identifies whether an employee has downloaded or copied confidential information
to a personal device; and
BYOD devices can be blocked and wiped remotely in case they are lost or stolen,
or in case of security incidents.
Employees are likely
to take home hard-copy information from the workplace.
Having hard copies of
information outside the secured corporate environment increases confidentiality-related
These steps are advisable:
- limit hard
copies being stored or printed outside the workplace;
- ensure that
employees do not remove or print at home confidential information unless
specifically authorised, with such authorisations only granted where absolutely
necessary and not for particularly sensitive material;
- ensure employees
do not dispose of hard-copy information in household waste, but keep it for
safe disposal upon return to the workplace;
- ensure that
employees immediately report any document losses;
- implement systems
to keep track of any confidential information removed from the workplace; and
‘electronic print’ protections to prevent home printing of confidential
Many employees do
not live on their own but share accommodation with others.
In most cases this
will be family, but shared accommodation with other individuals is also
This brings security risks to hard copies stored in the shared living
Employees may also face
difficulties in conducting confidential telephone calls and video conferences.
To mitigate the
risks resulting from shared home workplaces, companies should instruct their
- work in
a separate, lockable room or, where that's not possible, set up a separate
- not allow others living with them access to equipment and documentation provided by
conversations and information strictly away from others in the household, even
other family members;
- tidy up
all documents after the end of the working day (‘clear desk policy’); and
- not work from public places, such as parks, but solely from home.
Employee exits are a significant risk in ordinary
circumstances, including the chance that departing employees might take
confidential information and documents with them to a future job.
This risk is further
increased by the economic challenges resulting from COVID-19 shutdowns and by some
companies’ need to dispose of parts of their workforce.
In addition to the
safeguards already in place, companies should:
- establish a procedure to terminate remotely working employees who have access to confidential information;
- ensure that
all confidential information is delivered back to the company and that remote-access rights are revoked without delay; and
- remotely lock and safely recover company-issued computers and mobile phones that contain confidential information.
employees working remotely, office buildings may be sparsely populated.
avoid unauthorised access to sensitive information, documents containing
confidential information should be securely locked away.
An element of ‘community security’
– employees’ common-sense day-to-day surveillance – may currently be reduced, so increasing on-site
security may be advisable.
Any companies sharing confidential information with third parties (eg suppliers and customers) must go beyond ‘reasonable
measures’ to keep sensitive information confidential; it is mandatory to ensure that contractual
partners have suitable protection measures in place.
Companies must make sure that contractual partners adapt to the increased trade-secret-related risks. If this cannot be ensured, access to confidential information should be restricted during the crisis.
The COVID-19 crisis
poses a range of challenges for society, individuals and companies.
Businesses are under
pressure to facilitate an efficient environment for their employees to work
remotely from home should strive to continue protecting confidential information and
In fact, such
protection should now be increased and adapted to the new circumstances to
adequately address heightened security risks.
returns, failures during the crisis could have a negative impact on the future
enforcement of trade secrets. Acting now is crucial.