Six Ways To Keep Trade Secrets Offline

You can be sure that most of your employees are active on social media. For younger ones, in fact, Facebooking, Instagramming, and Tweeting are as natural as breathing. But suppose an employee shared pictures of your product prototype? Posted a draft patent application your company was about to file? Messaged a Dropbox link with confidential information (even if only to a fellow employee) over an insecure connection? Crowdsourced a question about a sensitive issue she was handling for a customer?

Do scenarios like these keep you up at night? They should. Social media and the "sharing" culture it has sparked are very real threats to your organization.The Internet—which spawned social media—has changed the way we work and communicate. That change has profound implications for a trade secret system that relies largely on human trust.

I'm not saying openness is inherently bad. Obviously, a certain amount is needed if we're to collaborate for innovation. Yet there's a dark side to the comfort level that's evolved around all this sharing. Companies need to acknowledge the risks of social media and work to prevent leaks by improving their employees' knowledge and good judgment.

Here are six tips to help you keep your company's sensitive information off social media feeds:

Understand that you're asking employees to go against their "digital instincts." By their very nature, social media platforms encourage users to publicly disclose the minutiae of their lives (usually the more, the better). The so-called Facebook generation is conditioned to casually communicate, swapping files and using the Cloud to store and access photos, music, and more. They are experts at revealing a lot using only 140 characters.

Making sure that social media doesn't become a hole through which your company's secrets leak is an especially challenging task because you're essentially asking employees to check their habits at the door. They'll need to learn to operate based on a different set of standards that often contradict how they deal with information in their private lives.

Put social media policies in writing. Don't assume that a few informal warnings and cautionary tales will keep all your employees from tweeting and posting what they shouldn't. If your company already has general policies about the disclosure of information assets, make sure they become part of the official set of rules that govern employees' use of social media. These policies will reinforce the need to keep personal and work issues separated and not to post about what is going on inside the company.

Larger companies need to have these policies reviewed by legal counsel, since typically broad confidentiality restrictions can violate labor laws that guarantee employees the right to discuss their working conditions. Additionally, companies need to decide if social media business contacts belong to them or to their staff. According to recent court decisions, if this isn't clearly specified in the company's policies, those contacts and the social media account itself can be claimed by the employee when he leaves.

Train, train, and then train some more. In many organizations, after initial orientation, data protection policies are left on the shelf and more or less ignored. That's dangerous, because staff can easily forget about the rules or lose respect for the dangers of noncompliance. Meanwhile, they may be working on collaborative projects, examining acquisition possibilities, receiving development proposals, and more. All of these situations can lead to personal social media connections, where you will be relying on the knowledge and good judgment of your employees to control risks.

You can mitigate much of this risk by creating a quality training program that engages your employees as part of the security defense team. They'll make fewer mistakes themselves on social media (and elsewhere), and they'll also be on the lookout for the mistakes of others. Keep in mind that the best training is continuous, careful, upbeat, and professional, and does not rely on threats. And be sure to include everyone—not just key knowledge workers—in social media security training. That includes contractors, temporary employees, and interns.

Know which devices might represent a risk. The growing popularity of "BYOD" policies means that many of your employees may well be storing sensitive information on the same laptops, smartphones, and tablets they use to scroll through status updates in the evenings. That's cause for concern, because cyberthieves can gain access to these devices' contents and your company's systems through relatively easy-to-hack social media accounts and apps.

In addition to establishing clear policies on social media use and providing continuing training, consider technical mitigation measures. Mobile device management (MDM) tools can remotely configure devices, monitor what's on them, and even erase their data if lost. MDM techniques can also include encryption for data stored on or communicated from the device.

Teach employees to spot social media scams. In addition to using MDM tools, training employees on methods that information thieves often use can help them avoid falling prey to traps on social media. For instance, social media profiles give hackers a lot of information that they can use to compose realistic-looking, customized email phishing messages.

But beyond that, websites themselves can be used directly to fool people into joining a fake group, survey, or event, sometimes using a money coupon as a lure. Other traps involve fake 'like' buttons, browser extensions offered for download, or compelling offers designed to make the viewer want to share them with friends. All of these social network scams are grounded on the idea that we are all so used to rapidly connecting, sharing, and exposing that we'll do it more or less automatically with anything that looks attractive. Teaching employees to think twice before clicking can help secrets stay secret.

Be aware of your official social media presence. While you may not be able to fully control what your employees post on their personal social media accounts, you can certainly keep a close eye on official company Twitter, Facebook, and other social media pages.

Have a safety net of trusted employees monitoring and maintaining your company's presence on social media to stop potentially revealing posts from ever reaching the public eye. Also, regularly change passwords to lock out account thieves who may have successfully procured your company's login information.

Last month Caterpillar was hit with a $74 million jury verdict for trade secret misappropriation in the Eastern District of Illinois. The case was filed by Miller, a UK vendor that supplied Caterpillar with "couplers," a product that allowed quick changes of tools on excavators. After Caterpillar told Miller that it was switching to use a coupler of its own design, Miller sued, claiming that Caterpillar used Miller's confidential information in the development of the product, in violation of their "Supply Agreement."

And it's that agreement that marks the most immediate lesson to be drawn from this case: confidentiality obligations lurk in many contracts that are not called "Nondisclosure Agreement." When we're working on protecting our clients from unwanted information contamination, or just trying to keep track of confidentiality obligations so they can be managed, too often we limit the conversation to NDAs as such. And while those contracts certainly need our attention, we have to remember that similar obligations often are buried in other documents.

So our first task as counsel is to make sure that managers are sensitive to the real issue: obligating the company to keep information secret comes with a very heavy set of risks. It may be helpful to think of this custodial information like a virus, which when properly contained and managed will not cause harm, but which if mishandled can quickly spread through the organization, morphing as it goes in ways that make it hard to recognize, much less extract.

With management having the right understanding of the risk environment, it then becomes a matter of setting up procedures to mitigate the risk by limiting exposure and ensuring that all confidentiality obligations are closely tracked. In practical terms, this usually means creating special protocols as part of contract management, with legal review of the specific undertakings in all agreements. That review should also produce specific advice to the relevant managers about how to avoid misuse of data and how to close down the project properly when it's concluded.

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram