In 2013, Marissa Mayer’s memo to Yahoo employees cancelling Yahoo’s work-from-home policy sparked a debate on whether working from home hurts or benefits companies, and whether any cost savings associated with such an arrangement are outweighed by a decrease in the productivity of remote employees. Very few critics, however, discussed the added risk of trade secrets theft by remote employees. It seems that many companies put a lot of emphasis on in-the-office security measures, but apply a much laxer set of rules to those who work from home. Because of that approach, work-from-home arrangements often become the Achilles heel of a company’s security measures.
Here are 10 tips on how to eliminate, or at least reduce, the risk of trade secrets theft by remote employees:
1. Do Not Allow Employees with Access to Highly Sensitive Information to Work from Home. While almost every employee would prefer to work from the comfort of their home, when a high-level employee has access to highly sensitive information, working from home should not be an option. The risk of somebody duplicating or downloading the company’s proprietary information at their “home office” is much higher than in the regular workplace. So, have your key employees come into the office if they are going to handle your top-level proprietary information.
2. Have Remote Employees Sign Confidentiality and Non-Disclosure Policies. If a company allows its employees with access to less sensitive but still confidential information to work from home, it should require employees to execute a non-disclosure and confidentiality policy that describes what types of information the company considers confidential and what repercussions the employees will face if they violate the policy.
3. Have Log-In Reminders Emphasizing Confidentiality. If employees are required to log into proprietary software or a program that contains the company’s proprietary data, have the software vendor create a pop-up window that reminds the employees when they log in that they are accessing confidential information. This acts as a constant reminder to the employees that the data they are accessing does not belong to them.
4. Allow Remote Employees to Work Only on Company-Issued Computers. There is no question that allowing employees to do work from home on their own laptops saves companies the costs of purchasing, maintaining, and upgrading the equipment. However, those savings can be easily dwarfed by legal costs should an employer want to examine an employee’s personal computer for evidence of trade secrets theft. When an employee uses a company-owned laptop, the company can easily retrieve it from the employee upon request. However, when an employee uses his or her personal device, the company’s road to retrieval of its data from that device becomes much thornier (and much more expensive).
5. Have Remote-Wipe or Lock-Out Measures. This is a no-brainer and is a must for every company that allows employees to work remotely. A company’s IT department should be able to quickly terminate any remote employee’s access to proprietary information. It should also be able to wipe the company’s confidential information from the employees’ devices, when appropriate.
6. Control Access to Confidential Information. Not every remote employee needs to access every software program or every database that a company has. Determine which employees need access to what types of programs or data, and keep track of that information as part of their personnel file. When such employees are terminated, the company should have a clear idea of what they had access to and what they could have potentially taken with them. This is especially important for employees who have non-compete or non-solicitation agreements.
7. Monitor What Accounts, Programs, or Devices Are Used by Remote Employees. Whether a company uses a cloud-based sharing system or a VPN, or allows its employees to log into particular databases online, somebody at the company should monitor the use and flag any suspicious activity. The level and frequency of monitoring will depend on the size of the business, the type of the confidential data, and the manner in which such data is kept.
8. Set Up Red Flag Alerts, if Possible. A company should work with its IT department and software vendors to determine if they can set up alerts that would notify the company when somebody downloads or copies an unusually large amount of data, prints an unusually large number of documents, or deletes a large amount of information from the company’s system.
9. Have a System in Place for When You Need to Recover Company-Issued Computers. Figure out ahead of time whether, upon a remote employee’s termination, the company will be sending somebody to their house to collect company equipment or will be requiring them to return the equipment themselves. Whatever the system is, getting company equipment back quickly after an employee’s termination should be a priority.
10. Plan Ahead Before Terminating a Remote Employee. There is a reason why a fired employee is usually walked out of the office right away. Being upset about getting fired may cause some employees to destroy company property or take it with them as a way of payback to the employer. This is an even bigger concern for remote employees, as there is a time gap between them receiving a termination notice and a company being able to get its equipment back. Therefore, it is crucial for a company to be able to terminate remote employees’ access to sensitive information swiftly, instruct them clearly on how to return the company’s equipment, and follow up with enforcement if an employee fails to follow the instructions.
Some of the above measures are cheap and easy to implement (e.g., written policies). Others require the assistance of an IT person or department, or the purchase of costly monitoring software. It is up to each company to determine whether the confidential information that its remote employees work with justifies the cost of implementing the above measures. However, every company that has employees who work from home should at least analyze its weak spots with respect to its proprietary information, and determine how it can reduce the potential for data and trade secrets theft by remote workers.
If you suspect that your business’s trade secrets have been misappropriated or you are looking to implement measures within your organization that will prevent or minimize the chances of trade secrets being misappropriated, contact Ms. Dolghih for a confidential consultation at LDolghih@GodwinLaw.com or (214) 939-4458.