One of the biggest challenges the cyber-security field faces today—aside from outright hacking—is the fact that employees’ data is increasingly portable. Data portability can be a major boon for employers. For instance, it may allow an employer to offer its employees the ability to work remotely (something that can improve employees’ work/life balance, or could be a reasonable accommodation for an employee’s disability). However, data portability can also present major risks for an employer, particularly if an employee stands to profit from misuse of that information.
Because the trend of working remotely is not likely to go away any time soon (notwithstanding Marissa Mayer’s ban on working remotely at Yahoo), the question employers must ask themselves is: how to protect trade secret and other sensitive information while still allowing their employees to work remotely?
- Clear Expectations: Employers may want to clearly delineate what information each employee or position has permission to access. The proposed changes to the Computer Fraud and Abuse Act (see below) would crack down on employees who exceed their authority in accessing data, but that does no good if the employee’s authority is not defined. Setting clear parameters for employee access to information and routine monitoring of employee access can help employers keep tabs on exactly who has what.
- Security Infrastructure: Creating a strong security infrastructure will help employers keep their trade secret information safe. Employees should only be given access to data on an “as needed” basis—particularly for sensitive information like trade secrets. Administrative safeguards, such as password protection for sensitive documents, should be implemented to ensure access is only granted to those employees who truly need such access. Logs monitoring access to sensitive data should be maintained and checked regularly for unauthorized access. Similar monitoring of physical systems, such as routers and servers, should be conducted as well.
- Employee Awareness and Training: Train employees regarding permissible uses of sensitive information. Consider implementing a policy restricting employees’ ability to work from personal computers and devices and discourage employees from sending company information to personal email or similar accounts.
- Keep a Watchful Eye: The FBI points out that it might actually be harder for a company to identify an insider threat than an outsider threat. The FBI compiled a list of several factors for managers and security personnel to watch for. For example, managers and security personnel should know that an employee may be motivated to misappropriate trade secrets for a variety of reasons, including: financial need, anger, a desire for thrill, or an inflated ego. Organizational factors such as poor employee training or incorrect labeling of proprietary information may increase an employer’s risk for trade secret theft. Finally, managers and security personnel will want to watch for red-flag behaviors, such as: taking information home without need or authorization, interest in matters outside job duties, remotely accessing the employer’s networks at odd times, enthusiastically working odd hours, and unexplained foreign travel. These behaviors potentially flag employees who plan on leaving with your trade secrets in their possession.
Finally, employers may soon have a new arrow in their quiver. As we’ve reported recently, the Obama Administration has proposed changes to the CFAA that would take a broader view regarding what constitutes “exceeding authorized access” under the statute. Narrow interpretations suggested an individual’s actions had to approach hacking to incur liability. The changes are intended to clarify that an employee who takes information in the course of his or her employment and exploits it for his or her own purpose could be held accountable under the CFAA.
These proposed changes may be welcome news for employers seeking to prevent or minimize trade secret misappropriation, but, as we noted last month, there is a risk that changes to the law could lead to unintended consequences, such as the criminalization of otherwise innocuous personal uses of company computers. We will continue to watch what Congress does (if anything) with the proposal.