What Efforts Are "Reasonable" To Protect Your Trade Secrets?

The trade secret laws of most countries – including the recent U.S. federal Defend Trade Secrets Act – contain the same requirement: in order to enforce its rights, a trade secret owner has to show that it has made “reasonable efforts” to protect its information from loss. In other words, before judges get involved in your dispute, they want to know what you’ve done to help yourself.

But what’s “reasonable?” The laws don’t tell us. Like the “reasonable person” standard in negligence, courts are supposed to decide each case in the context of its unique facts. That said, looking back at several decades of decisions, we can get a good sense of the principles at work, and also how they may be shifting as the business environment becomes more digital and more global.

The good news is that the standard is flexible, taking into account the value of the information, the risk of loss or contamination, and the cost (in money and effort) of measures to reduce those risks. For most businesses, this means simply taking a close look at what drives your competitive advantage, and then applying ordinary risk management analysis to define the broad outlines of a protection plan. In practical terms, this can lead to a variety of specific actions, including the basic ones you find on a lot of checklists with items like confidentiality agreements, IT system access controls, staff rules and training, and facilities security.

So if you’re following one of those checklists, you should be fine, right? Not necessarily. Although judges historically have been forgiving of less-than-robust security measures, they now seem to be paying much closer attention to this issue, and have even thrown out claims without trial where the trade secret owner has been sloppy in its practices.

The best known of the early cases was decided in 1970. DuPont had been building a new chemical processing plant when the construction manager noticed a low-flying plane making several passes over the site. It turned out that a competitor had hired the plane to take aerial photographs of the layout of the facility, which would reveal information about the secret process that DuPont intended to use. Forced to defend its actions in court, the competitor argued that it was just taking a look at what was in plain view. The judge thought that was preposterous, calling the surveillance a “schoolboy’s trick,” explaining that DuPont didn’t have to pitch a tent over the construction site in order to protect its secrets, and that the competitor was guilty of misappropriation by “unfair means.”

So the DuPont case taught that judges will not be too demanding when it comes to the amount of self-help that they expect from trade secret owners. However, in a 1999 case a federal judge granted summary judgment to a defendant in part because the confidentiality legend on the plaintiff’s secret document was deemed not large enough. This result aligns with my personal experience, indicating that today’s courts – and federal courts in particular – are more skeptical and less forgiving than they used to be on this subject.

Context is everything, and circumstances change with time. The expectation of privacy from the skies is less settled today, with Google Earth and other satellite imagery readily available, not to mention the thousands of privately owned drones. The same point applies with even greater force when it comes to computer system security. With the proliferation and increasing sophistication of hacker networks, the risk profile for most businesses has changed dramatically in the last several years. Just ask Target, Sony, Anthem, and J.P. Morgan.

Naturally, as the risks increase, the market responds with tools and systems to prevent cyber attacks, or at least discover them early and frame an appropriate response. And government agencies, most notably the National Institute of Standards and Technology, have suggested frameworks for managing cybersecurity risks. It’s not hard to imagine that these voluntary processes may over time be interpreted by courts as best practices, and even as minimum standards of conduct.

Bottom line: what constitutes “reasonable” efforts is dynamic, and expectations may be increasing, so pay attention. Of course, there’s more to self-help than just preparing for litigation. Don’t confuse the minimum requirement to get into court with the practical goal to prevent loss and contamination of your most valuable assets. To keep your information secure and clean, you should think beyond “reasonable” efforts.

I was giving a talk recently when a senior executive asked me, “If we have the time and resources to focus on just one thing to improve our information security, what would you suggest?” I didn’t hesitate: “Train your workforce.”

As we know from multiple studies, the biggest threat to information assets comes from “insiders,” which means (mostly) your employees. It’s not that you have a team packed with spies; but employees notoriously misunderstand their confidentiality obligations. In a recent survey of software engineers, 55% reported that they thought it was acceptable for them to take their work product with them when leaving the company – and that they intended to do it!

But not understanding the rules is only a fraction of the problem. The main challenge lies in a negligent attitude, a mental fog of inattention that can lead to mistakes.

What kind of mistakes am I talking about? The kind that make you slap your forehead in disbelief. The sales manager at a trade show who, excited about closing the deal at hand, lets slip the existence of an unannounced product. The engineer who brags to his friends on Facebook about a patent application he’s just filed. The R&D director who hires someone from his former employer in order to get an “update” on what they’ve been doing since he left. The business development executive who examines potential licenses of technology without walling off company employees who are working in the same area. These are the kind of mistakes that provoke litigation, and they are all preventable.

Good training is the single most cost-effective step you can take to reduce the risk of information loss or contamination. What makes for an effective training program?

Whatever IT systems or management processes you deploy to mitigate the risks to your trade secrets, those systems and processes are operated by people. So the way that they engage is critical to success. Training reinforces their focus and attention.

This is especially important with today’s workforce, a population that has never been more distracted. Think about it: for years now, social media have been silently encouraging people to use their laptops and smartphones to share every last detail of their personal lives. Sharing information is a good thing, and the more the better. When these same people come to work the next morning and connect their mobile devices to the company network, can we really expect them to shift their mindset and suddenly become models of discretion? Remember, a great deal can be revealed in 140 characters.

Here are some principles for designing an effective training program.

First, make the process inclusive. Not just people who you think are most likely to be exposed to confidential information, but everyone in the company should understand the importance of the issue. Even contractors, consultants and interns should be part of the effort. In fact, they may be even more important because they have inherently less loyalty and are more likely soon to be working somewhere else.

Second, make the training interesting. To keep it fresh and positive, consider using specialized vendors or products that can present serious material in a lighthearted but memorable way, rather than relying only on internal managers to conduct classes.

Third, don’t focus exclusively on protecting information from loss or leakage, but also from contamination. This happens most frequently from new employees who think they’re being helpful by passing on what they learned at their last job. So focus on the on-boarding process and train employees to recognize off-limits information.

Finally – and this is the most important principle – be sure that training is not an event but a continuous process. A single orientation video is not enough. Follow up with email tips, stories, and refreshers. And if business conditions worsen and you start to lose employees, this is a time to increase your training effort, not cut back, because the people who remain represent the source of your intellectual capital.

Let me emphasize that last point. Training is not about ticking a box. You are conditioning the attitude of those who are the primary handlers and protectors of your most important and vulnerable assets. Pay attention to that attitude and they will pay attention to your assets.

“The greatest victory is that which requires no battle.”

           — Sun Tzu

Recently I got a call from a client who had just received a letter from a competitor, complaining about an executive the client had hired, and threatening to sue. My client was a young company that had never experienced this sort of threat. But they were less worried than they were angry, and viewed the competitor with more scorn than respect. They wanted to know if we could strike first with our own lawsuit and how long it would take to prevail, as they were sure they would.

Indeed, emotions were running very high on both sides, mostly due to assumptions fueled by an absence of information. The former employer suspected that the executive, who had been evasive about his plans during his exit interview, was working on similar projects. The client believed that the threat was made in bad faith to slow them down, and that an aggressive response would force the other company to relent.

Unlike patent cases, trade secret disputes hinge on issues of fault. Emotional themes frequently dominate the background: breach of trust, treachery, revenge, resentment. But emotions shouldn’t drive decision-making. This is particularly important for a defendant, for whom there is usually no upside, since even “winning” is an expensive distraction. So maintaining objectivity and detachment is critical to the defendant’s primary strategic goal: get out and get on.

Happily in this circumstance, we were able to get the parties in front of a skilled mediator, who helped each understand the other’s perspective, correct some mistaken assumptions, and find a way forward that even left the door open for future collaboration. How different things would have been if the sword had been unsheathed . . . .

For more on this topic, please read my white paper, titled "How to Respond to a Claim of Trade Secret Misappropriation".

It’s a fact of business life that employees leave to join a competitor or start a competing business, armed with confidential information that is suddenly put at risk. While you want to protect those assets, pulling the trigger on litigation may be premature. Unless you have evidence that you’ve been ripped off, a concise warning letter is a typical and prudent first step.

In its classical form, the warning letter serves as a reminder of the employee’s obligations and as a notice that you are prepared to act. The goal is compliance, and it often works. When you get the usual response with soothing reassurance that your concerns will be respected, the risk of loss is not eliminated, but it is mitigated. The exchange is polite, with each side reserving its options.

But with the Defend Trade Secrets Act creating original jurisdiction for trade secret claims, the assumptions behind this common minuet may no longer be valid. If there is going to be litigation, you may want to avoid federal court, and for the same reason your opponent may want to go there. (For more information, check out the article “Be Careful What You Ask For.”) So your warning letter needs to be crafted to prevent triggering a preemptive federal declaratory judgment action.

The key is to inquire, not accuse. This helps you stay in control of the process while you become better informed. You can find a sample warning letter below:

To Departing Employee

Dear Mr. Smith,

Since you have recently terminated your employment, we wish to remind you of your obligations to the company that continue after your employment ends. As you know, the company possesses a great deal of highly sensitive and confidential business information. This includes customer lists, marketing plans, engineering data, product plans, and the like. During your employment you have been provided, or had access to, such information.

Both the law and the contract you signed when you came to work for the company prohibit any use or disclosure of such information after you leave. For your convenience, we enclose a copy of the agreement you signed. Because you have taken employment with a competitor of the company, it is especially important that you take care not to violate your obligations to keep this information confidential. While we have no reason at this time to believe that you have violated your obligations, it would be helpful to understand from you the steps that you intend to take in your new position to ensure that the confidentiality of our information is respected.

We look forward to your early response to this request.

Very truly yours,

To New Employer

Dear Mr. Jones:

We understand that Mr. John Smith, who until recently was employed by us, has decided to join your company. We draw your attention to the fact that Mr. Smith worked in our Advanced Widgets Department as a Senior Research Engineer. In that capacity, he became quite familiar with all aspects of our de-flanging process, which we consider and treat as confidential.

While he was with us, Mr. Smith signed an Employee Confidentiality and Invention Assignment Agreement, a copy of which we enclose for your reference. As things now stand, we have no reason to believe that any of our trade secrets in this area have been misused, and we expect that Mr. Smith will continue to comply with his obligations. We also trust that your company will not assign Mr. Smith to a position that might risk disclosure or use of this sensitive information.

If you have any questions regarding any of these matters, we will be happy to discuss them with you. For the moment, we ask that you describe what steps you are taking to protect against inadvertent misuse of our trade secrets.

We look forward to your early reply.

Very truly yours,

The new Defend Trade Secrets Act for the first time lets you file your case in federal court, but just because you can do it doesn't necessarily mean you should. Federal court provides a lot of advantages for certain kinds of disputes. But there can be a downside.

The easy decision is in a case that the DTSA was designed for, where some of the actors are in other states or countries. Federal courts give you nationwide service of process and uniform rules of procedure that can streamline litigation. Federal judges, with their experience handling cross-border cases, are better suited to resolving complex issues of personal jurisdiction. And if you find out about a threatened theft of valuable data before it happens, the new ex parte seizure provision of the DTSA can give you a powerful remedy.

But federal court is not for everyone. Its judges are "single-assignment," meaning that they have a case from beginning to end, and therefore also have a motive to end it early if it lacks substance. As a result, federal judges (who by the way are not getting any additional resources from Congress along with their new trade secret jurisdiction) often demand more specificity in pleadings and in trade secret definitions, which can end up looking like patent claims. State courts, in contrast, usually run on a "departmental" system, where early issues are handled by specialist judges, giving close cases a better chance to squeak through to trial, and giving plaintiffs more leeway in describing the subject matter of their claims.

Federal judges may be more inclined to transfer venue. And when it comes to substantive issues, the trade secret plaintiff's requirement to demonstrate its "reasonable efforts" to protect its data may get a more skeptical eye. Once a federal judge granted a defense summary judgment because the "confidential" legend on plaintiff's documents was not in a big enough font! So even after the DTSA, trade secret owners need to have an open mind about their strategy in deciding whether, and where, to litigate.

Well, not quite. But $940 million is a lot of money, and that's how much a federal court jury awarded on April 15, 2016 to Epic Systems, a Wisconsin healthcare software company, against the U.S. subsidiary of Tata Consultancy, part of the Tata Group headquartered in India. There may be a lot of lessons to come out of this case - and we don't know if the jury's award will be reduced - but what I want to talk about today is inspired by that verdict: how is it that trade secret damages can be so large?

Of course, every case rests on a unique set of facts, and trade secret disputes typically involve allegations of treachery and deceit that can turn a jury's head. But at a time when proving damages in patent cases feels restricted by issues like extraterritoriality and the entire market value rule, it seems that trade secret verdicts keep going up. In a quick search of awards in the past five years, I've found eight (including the Epic case) of more than $25 million, and three of those were in the hundreds of millions.

What is it about trade secret damage law that allows such seemingly generous results? Mainly it's because trade secrets are grounded in tort principles, where the primary objective is to make the plaintiff whole, and where doubts are resolved against the wrongdoer.

Setting aside willfulness for the moment (while we await the Supreme Court's rulings in Halo and Stryker), patent law tries to calculate the rent due for no-fault infringement. Trade secret law, in contrast, tries to return the plaintiff to where it should have been but for the defendant's wrongful behavior. The difference makes trade secret damages harder to predict.

This past week the US Congress passed the Defend Trade Secrets Act (DTSA), less than two weeks after the European Parliament voted through the EU Trade Secrets Directive. What might at first seem like an extraordinary coincidence in fact has a lot to do with pressure applied by industry on both sides of the Atlantic to improve the remedies that are available for theft of trade secrets.

Businesses are relying increasingly on secrecy as the preferred way to protect their innovations, as well as the massive amount of analytics, financial and customer data that drive competitive advantage. But this valuable information is also vulnerable, not just to hacking and other kinds of espionage, but also to careless behaviour by employees and business partners. Having access to robust and predictable legal remedies is important.

Those aren’t available in Europe, the Commission found in a 2013 report. That concern led to its proposal for the EU Trade Secrets Directive, an attempt at minimum harmonisation.

Meanwhile, in the US, where thanks to broad discovery rights and a (mostly) uniform set of state laws, trade secret protection has been viewed as relatively powerful, business called for amendment of the federal Economic Espionage Act – which provides only criminal remedies – to include an option for companies to bring their private trade secret disputes to federal court as well. (Up to now, they have been able to do that only in cases where there is “complete diversity” of citizenship among the parties, an unusual occurrence in trade secret cases, or where there is another federal claim – such as patent infringement – pending based on closely related facts.)

Introduced only nine months ago, the DTSA enjoyed unusually bipartisan political support, buoyed by enthusiastic intervention from industry groups. In fact, the only organised opposition came from a group of law professors who were worried that provisions for seizure of infringing property could lead to a new class of “trade secret trolls” terrorising unsuspecting companies. After a Senate hearing last December, at which I was called to rebut the professors’ arguments, work began on a set of amendments that were all accepted by the end of January. On 4 April, the Senate voted unanimously to accept the legislation, and the House followed suit on 27 April. President Obama is expected to sign it soon.

The DTSA adds a private right of action to the existing federal criminal law, using the same standards expressed in the Uniform Trade Secrets Act, which is the basis for almost all US state laws, and was also the pattern for Article 39 of TRIPS. As a result, it can now be said that the US has fully complied with its TRIPS obligations, since it has a single national law covering the subject. However, the new federal law will not displace existing state statutes. Instead, it will be used optionally for trade secret disputes where the federal courts provide a distinct advantage: cases with interstate or foreign actors, where attorneys can initiate discovery anywhere in the country, and where judicial experience is needed to handle complex jurisdictional issues.

State courts in the US, even though having similar substantive laws on trade secret protection, apply local procedural rules that can vary enormously, impacting multi-state cases where speed matters. This is why industry was so supportive of the legislation: instead of having to go to various county courts with unpredictable local customs, they can take advantage of a single nationwide system and set of rules.

The DTSA also provides an ex parte seizure when the trade secret holder has advance warning that someone is about to destroy a stolen secret or leave the jurisdiction. This provision has been quite controversial; however, applications have to be so well supported, and the penalties for a mistaken application are so severe, that most believe the remedy will not be invoked often and will be allowed only in obviously deserving cases.

Two other aspects of the DTSA deserve special comment. First, although US law has always allowed courts to issue orders against a “threatened” misappropriation, concern was raised whether this standard language might allow a federal court to stop a departing employee from taking a similar job with a competitor. This so-called “inevitable disclosure doctrine” has provoked fear – not always rational – that courts might be able to bar competitive employment merely based on how much sensitive data the employee knows. The DTSA’s solution to this mobility issue was to prohibit any order that is based only on what the person knows, requiring instead that it be based substantially on the employee’s behaviour that indicates untrustworthiness.

A second significant feature of the DTSA is its grant of immunity to employee whistleblowers reporting suspected wrongdoing. Existing law in the US is sparse and unreliable, based on a highly contextual backward look at the facts to determine whether the employee’s action may have been justified. Unsurprisingly, under these circumstances, the risks of coming forward are too great, and studies show that many who might otherwise have reported significant wrongdoing have remained silent. Of course, the employer has legitimate interests at stake as well, since the claim may turn out to be wrong, or the employee’s disclosure may be broader than necessary. The DTSA resolves this tension by providing clear immunity, but only for disclosures made in confidence to law enforcement, or as part of a court filing under seal. In this way, the information can be provided without fear of retributive litigation, while the relevant authorities can maintain the integrity of the secrets while they determine whether there is a basis to proceed.

The DTSA will improve the efficiency of, but will not revolutionise, trade secret disputes in the US. As already noted, there will be a certain class of cases brought in federal court because they involve foreign actors or witnesses spread across the country. Strictly local cases – where the chef leaves a restaurant with the secret recipes and moves down the street – will still be handled in state courts. That’s in part because the DTSA requires that the information in controversy be related to a product or service in “interstate commerce”, the minimal jurisdictional requirement for federal courts to act. And it’s in part because local cases will be brought by local lawyers who are familiar with their local courts.

Although some lawyers will want to use federal courts for trade secret cases just because they handle patent matters and are more comfortable there, that may not be the smartest tactical move. Federal judges take their cases on “single assignment”, meaning that they are in charge of all issues from beginning to end. They are therefore more likely to view the case skeptically than state court judges, who typically have a “departmental” system and are sometimes seen as waving through weak cases so that they can be taken care of by a different judge at trial. In addition, federal judges are usually more demanding of a plaintiff’s identification of its trade secrets. So we may not see a general rush toward filing in federal court.

What of the EU Trade Secrets Directive? Also driven by industry concerns over the need for harmonisation, the EU effort starts from a much lower base of harmony than has existed in US states. Indeed, the Commission’s report found a disturbing level of inconsistency among the 28 national regimes. So by establishing common definitions, some common remedies and an approach for protecting secrets during litigation, the directive represents a major step forward.

But measured by the expectations and needs of customers, there is quite a distance left to travel. For cultural and political reasons, the directive does not deal with criminal remedies and so there remains an uneven regime for enforcement in the most egregious cases of information theft. More importantly perhaps for business, there has been no progress on addressing the fundamental problem of pursuing trade secret cases in civil law systems: the lack of discovery. Say what you will about the excesses of US civil discovery in general; the trade secret plaintiff, facing losses from behaviours that only the defendants can know, is always disadvantaged at the outset of a dispute by asymmetric access to information about what happened. Without discovery to set the balance right, there will always be a significant number of legitimate cases that cannot be pursued.

Worse still may be the exceptions provided in the Directive. Unlike under the DTSA, whistleblowers are free to disclose confidential information not just to government but also to media, so long as it is in the public interest. And the catchall exception for “protecting a legitimate interest” under national or EU law seems a yawning loophole that even the CJEU may not be able to constrain adequately.

The EU Trade Secrets Directive is a very good start on harmonising standards in this critical area. But for the time being, if your clients need extremely reliable civil remedies they are probably well advised to find ways to bring their cases in the US.

Back in 1974, when a lot of people thought that trade secret law couldn't survive alongside a patent system that encouraged public disclosure, the Supreme Court in the Kewanee case patted us on the head and said, "don't worry," assuring us that anyone with a patentable invention would be crazy to elect secrecy instead. Patents were exclusionary and "strong" while secrets were "weak." And for a number of years after the Federal Circuit was formed it seemed that patents kept getting stronger all the time, while the risks of secrecy (what if my competitor gets a patent on this?) were pretty obvious.

How times have changed. The courts have been shrinking the universe of what can be patented (business methods, software, therapies), the bars to patenting (obviousness, indefiniteness), and the enforceability of patents (injunctions, damages, fee-shifting). And Congress, through the America Invents Act, has made it easier and cheaper to challenge patents without going to court, establishing the Patent Trial and Appeal Board, which some have referred to as "patent death squads." While patents seem under attack, trade secrets are basking in a new level of attention from industry, reinforced by provisions of the AIA that virtually eliminate the old risks of protecting innovation by secrecy.

So does this mean that we should abandon patenting as a strategy? Not at all. Good patents remain strong, not only in protecting novel inventions from theft, but also in building recognized value, enabling financing and collaborations. Yes, our calculus needs to change, particularly in some technologies. But it was never an either/or situation anyway. The question of patenting or secrecy is less like arriving at an intersection than it is like eating at a buffet: you get to have something of everything that you like.

Hardly a week goes by without seeing a post or article by some well-meaning lawyer who insists that the first step in protecting your trade secrets is to know what you have, therefore you need to do an "inventory." That's only half right: knowing what you own is critical, but you don't have to create a detailed list, as if you were ticking off the contents of a hardware store. In fact, you shouldn't do that.

First, you don't have to. The legal standard is "reasonable efforts," and judges are generally understanding and flexible about the quality of a trade secret owner's efforts. And from a management point of view, making prudent decisions requires only that you assign a risk profile to categories of data, not to individual records.

Second, it's dangerous. Getting too granular risks counting the leaves on the trees, and passing over what makes the forest vulnerable (or valuable). You will end up wasting time and probably abandoning the project. Or worse, you'll miss some important things altogether.

Instead of counting all the leaves in your forest, start by pulling together an interdepartmental team and talking about what drives your competitive advantage, and identify your key vulnerabilities. You'll probably be surprised - and certainly will be better informed - by the different perspectives brought to the meeting.

With this grounding, you will be in a good position to begin designing an approach that will work for your unique organization. And don't worry, the categorization and labeling will come!

You can be sure that most of your employees are active on social media. For younger ones, in fact, Facebooking, Instagramming, and Tweeting are as natural as breathing. But suppose an employee shared pictures of your product prototype? Posted a draft patent application your company was about to file? Messaged a Dropbox link with confidential information (even if only to a fellow employee) over an insecure connection? Crowdsourced a question about a sensitive issue she was handling for a customer?

Do scenarios like these keep you up at night? They should. Social media and the "sharing" culture it has sparked are very real threats to your organization. The Internet—which spawned social media—has changed the way we work and communicate. That change has profound implications for a trade secret system that relies largely on human trust.

I'm not saying openness is inherently bad. Obviously, a certain amount is needed if we're to collaborate for innovation. Yet there's a dark side to the comfort level that's evolved around all this sharing. Companies need to acknowledge the risks of social media and work to prevent leaks by improving their employees' knowledge and good judgment.

Here are six tips to help you keep your company's sensitive information off social media feeds:

Understand that you're asking employees to go against their "digital instincts." By their very nature, social media platforms encourage users to publicly disclose the minutiae of their lives (usually the more, the better). The so-called Facebook generation is conditioned to casually communicate, swapping files and using the Cloud to store and access photos, music, and more. They are experts at revealing a lot using only 140 characters.

Making sure that social media doesn't become a hole through which your company's secrets leak is an especially challenging task because you're essentially asking employees to check their habits at the door. They'll need to learn to operate based on a different set of standards that often contradict how they deal with information in their private lives.

Put social media policies in writing. Don't assume that a few informal warnings and cautionary tales will keep all your employees from tweeting and posting what they shouldn't. If your company already has general policies about the disclosure of information assets, make sure they become part of the official set of rules that govern employees' use of social media. These policies will reinforce the need to keep personal and work issues separated and not to post about what is going on inside the company.

Larger companies need to have these policies reviewed by legal counsel, since typically broad confidentiality restrictions can violate labor laws that guarantee employees the right to discuss their working conditions. Additionally, companies need to decide if social media business contacts belong to them or to their staff. According to recent court decisions, if this isn't clearly specified in the company's policies, those contacts and the social media account itself can be claimed by the employee when he leaves.

Train, train, and then train some more. In many organizations, after initial orientation, data protection policies are left on the shelf and more or less ignored. That's dangerous, because staff can easily forget about the rules or lose respect for the dangers of noncompliance. Meanwhile, they may be working on collaborative projects, examining acquisition possibilities, receiving development proposals, and more. All of these situations can lead to personal social media connections, where you will be relying on the knowledge and good judgment of your employees to control risks.

You can mitigate much of this risk by creating a quality training program that engages your employees as part of the security defense team. They'll make fewer mistakes themselves on social media (and elsewhere), and they'll also be on the lookout for the mistakes of others. Keep in mind that the best training is continuous, careful, upbeat, and professional, and does not rely on threats. And be sure to include everyone—not just key knowledge workers—in social media security training. That includes contractors, temporary employees, and interns.

Know which devices might represent a risk. The growing popularity of "BYOD" policies means that many of your employees may well be storing sensitive information on the same laptops, smartphones, and tablets they use to scroll through status updates in the evenings. That's cause for concern, because cyberthieves can gain access to these devices' contents and your company's systems through relatively easy-to-hack social media accounts and apps.

In addition to establishing clear policies on social media use and providing continuing training, consider technical mitigation measures. Mobile device management (MDM) tools can remotely configure devices, monitor what's on them, and even erase their data if lost. MDM techniques can also include encryption for data stored on or communicated from the device.

Teach employees to spot social media scams. In addition to using MDM tools, training employees on methods that information thieves often use can help them avoid falling prey to traps on social media. For instance, social media profiles give hackers a lot of information that they can use to compose realistic-looking, customized email phishing messages.

But beyond that, websites themselves can be used directly to fool people into joining a fake group, survey, or event, sometimes using a money coupon as a lure. Other traps involve fake 'like' buttons, browser extensions offered for download, or compelling offers designed to make the viewer want to share them with friends. All of these social network scams are grounded on the idea that we are all so used to rapidly connecting, sharing, and exposing that we'll do it more or less automatically with anything that looks attractive. Teaching employees to think twice before clicking can help secrets stay secret.

Be aware of your official social media presence. While you may not be able to fully control what your employees post on their personal social media accounts, you can certainly keep a close eye on official company Twitter, Facebook, and other social media pages.

Have a safety net of trusted employees monitoring and maintaining your company's presence on social media to stop potentially revealing posts from ever reaching the public eye. Also, regularly change passwords to lock out account thieves who may have successfully procured your company's login information.
