For those without well-established virtual business practices, the fallout from the COVID-19 disease has been a real wake-up call. Most states have enacted state-wide lockdowns and are looking to slow or halt interstate travel altogether. With employees increasingly asked to work from home, it is more important now than ever to ask yourself this uncomfortable question: how might my employees endanger my company’s confidential information? While society will struggle to control the spread of COVID-19, your protective measures to preserve your confidential information need not feel so daunting with the right strategy.
As the name implies, confidential information is only valuable as long as it remains, well, confidential. The natural first steps then are to identify: a) what confidential information you have, and b) what level of protection this information deserves. Think of all the personal information (contact names, addresses, preferences, etc.), intellectual property (copyrights, patents, trademarks), and other proprietary information (e.g., business plans, marketing strategies) your company holds. Now consider how this information is currently organized, the level of protection you have over this information, and whether either could be improved. Do you have a plan for how your employees can preserve the protection of this information from their homes?
Assuming your employees will access this confidential information on their devices from home, there are many things to consider, not the least of which are:
- Which devices employees can use to access the information, and specifically whether devices that contain a USB port should be allowed;
- How employees can connect remotely to the network or server, such as through a virtual private network (VPN) or with two-factor authentication;
- Enabling password protection and automatic screen locks on every device;
- Software considerations such as:
  - Programs that identify copying, deleting, downloading, and printing of confidential information;
  - Programs that require an email recipient to provide a designated digital signature, which prevents the inadvertent forwarding of email to outside accounts; and
  - What antivirus or anti-malware programs are recommended;
- Limiting access of specific information on a need-to-know basis; and
- The ability to lock out an employee from the network and remotely wipe all data from the device.
You might consider designating a company representative or third-party IT company to act as an information czar of sorts. This could be the point person for all questions and concerns about the access and use of your confidential information. He or she could also educate employees on how to spot emails containing malware and warn about specific emails sent – especially those that land in a mailbox that is automatically forwarded to multiple users. This more personable approach to relaying security concerns may also speed up the process for reporting potential breaches if employees know to whom such concerns should be reported. Perhaps this person could even quiz suppliers and vendors who have access to some of this information about what they are doing to protect it. If this person learns that any confidential information was misused, engage the services of a digital forensic expert and secure the data and devices.
Lastly, consider having your employees sign a confidentiality agreement if they have not done so already. This agreement defines the confidential information to which an employee has access and the parameters for its use, including specific prohibitions on its unauthorized disclosure. Non-competition and non-disclosure clauses are also quite common in this type of agreement. Provided that the restrictions in the agreement are no more than is necessary to protect your company’s legitimate business interests, do not impose undue hardship on the employee, and are not injurious to the public, courts will generally be inclined to uphold its enforcement.
With so many employees working from home, companies should be encouraged more than ever to adopt a heightened state of cybersecurity. Consult a trusted attorney to determine what reasonable steps fit best with your company. We would welcome your call.