With many employees working from home, employers need to update their “work from home” policies and implement additional procedures to protect confidentiality and maintain the integrity of their business.
In March of 2020, the COVID-19 pandemic forced many employers to temporarily abandon their usual office structures and quickly adjust to remote work. Although many have returned to in person work, multiple employers have permanently changed their structures to exclusively remote work. Due to the pandemic, a significant amount of employees have relocated to other states as remote work allowed this type of flexibility. Many businesses gave up their office spaces in order to cut overhead costs as remote work was often shown to be equally as productive. As a sizable amount of individuals continue to work from home, employers must reevaluate and update their policies and procedures to accommodate a more lasting remote work situation. One issue that has been particularly challenging is maintaining confidentiality when working remotely.
While working from home, an employee may leave an important file on a table in a shared household, forward information to their personal email account to print using their home printer, and use unsecure Wi-Fi networks, all which leave company data at risk. Meetings discussing confidential or sensitive business information are being conducted over third-party communication platforms.
When working in the office, these concerns are mitigated because employers can exercise control through overseeing employees, maintaining physical control over documents, domains, files, and electronic devices, and ensuring that employees utilize the employer’s own secure network. Also, meetings with employees or clients are conducted in the privacy of the employer’s office. To account for the loss of direct control over an employee’s workspace, employers need to update their work from home policies and procedures to prevent any confidentiality concerns.
Recommended Policies and Procedures
Remote working policies and procedures should include, but are not limited to:
- Updating employee handbooks to accurately reflect the current remote working policies and procedures.
- Providing remote employees with training on the best practices for remote work security and any procedural safeguards the employer implements. This includes providing periodic refresher courses on the matter.
- Keeping an up-to-date log of all devices that are being used to work remotely to access the employer’s network and confidential information, regardless of personal or company ownership. Devices may include laptops, monitors, desktops, printers, Wi-Fi networks, and external hard drives.
- Ensuring all devices that are being used to work remotely possess all necessary security protections (i.e., anti-virus software, password protection, secure Wi-Fi network).
- Establishing security measures for devices and networks such as multi-level authentication, password strength, and automatic log-off.
- Creating well-documented procedures for handling and protecting confidential and sensitive information, potentially including a minimum necessary use policy.
- Designating certain software, networks, or applications where information or projects can be saved, accessed, or uploaded. Employers should also designate secure means for employee communication on work-related matters.
- Choosing a safe, secure video-conferencing application to conduct all virtual client and staff meetings and enabling all potential security features (i.e., password protected access, different meeting IDs, host control, waiting room feature).
- Ensuring that all participants are permitted to join the meeting by taking attendance prior to the start of the meeting and removing those who are not authorized.
- Prohibiting employees from using certain unsecure programs and applications to communicate with other employees, collaborate on projects, or upload information (i.e., personal email address, unsecure Wi-Fi networks, or consumer cloud storage).
- Requiring all devices used for remote work to always be kept in a secure and private location and only be used by the employee.
- Establishing a secure printing arrangement for work-related documents (i.e., prohibiting the use of public printers but permitting the use of personal printers). Some employers prohibit any printing of sensitive information from home.
- Preparing a disposal procedure for confidential or sensitive business information (i.e., allowing employees to shred or dispose of documents at home or requiring employees to compile all documents which will be shredded and disposed of upon return to the office).
- Requiring employees to shut down and secure their remote workstation at the end of the day.
- Creating a reporting procedure for missing devices or lost confidential information to a designated representative (i.e., Office Manager, Security Department, etc.).
- Designating a procedure for the return of company devices and the wiping of all company data on personal devices upon the termination or resignation of an employee.
Importance of Adopting Policies and Procedures
Recently, in an unpublished opinion, a Delaware chancery court visited the issue of trade secret information discussed over a Zoom meeting in Smash Franchise Partners, LLC v. Kanda Holdings, Inc. (2020). The court found that the company failed to take reasonable steps to protect their trade secrets when they held Zoom meetings without utilizing any of Zoom’s protective features. The company’s Zoom meetings were too open, essentially allowing anyone interested to attend their meetings after a brief introductory call. The company freely gave out their Zoom information, used the same meeting ID for each of its meetings, did not require passcode access, did not utilize the host control or waiting room functions, and failed to conduct roll call at their meetings as per their own company procedure.
The company’s failure to adopt and follow comprehensive procedures to protect the confidentiality and security of their information resulted in adverse consequences for their trade secrets. This case highlights the importance of maintaining work privacy, confidentiality procedures, and what will constitute reasonable efforts in protecting trade secrets in the new normal of teleworking.
Although a large amount of employees are back at work, many others will be working remotely for the foreseeable future. Employers need to be proactive in creating or updating their work from home policies and procedures to mitigate the risk of confidentiality issues and potential security breaches. Adopting and enforcing well-documented remote work procedures will ensure that employees protect confidentiality and continue to maintain the integrity of an employer’s business.