USA – PENNSYLVANIA Trends and Developments Contributed by: Leigh Ann Buziak, Kevin Passerini, William Cruse and Timothy (“Timmy”) J. Miller, Blank Rome LLP
tion at issue was subject to “reasonable” measures to keep it secret and protected. When companies make information public, allow it to be accessed without restrictions, or fail to restrict and police the activities of employees handling the data at issue, they risk misappropriation, misuse, and loss of trade secret protection over these valuable business assets. Therefore, in addition to implementing agreements with employees that restrict their use or disclosure of confidential information and bar engagement in certain post-employment competitive activities, it is essential for companies to (i) adopt practical, modern technological safeguards, policies, software, and practices to monitor and restrict access and exfiltration and (ii) to align information and technology teams (information governance, information technology, data security, etc) with legal and investigative teams. These steps enable a company to streamline processes that effectively, quickly, and accurately identify and assess data theft and misappropriation when it occurs, and to flag the issue and escalate it to relevant stakeholders to ensure appropriate remediation or legal actions are taken. If necessary, an investigation may require retaining outside legal counsel and third-party forensic vendors to ensure that all of the data – in all of the forms that it may have been taken – is ultimately identified, retrieved, and removed from any non-company device or storage application.
Ensuring the adoption of such tools for success is essential and may include the following:

• providing company-issued devices to employees to control and monitor company information, or implementing employer-controlled “sandbox” programs that protect and manage data on non-company devices;
• using device-specific hardware limitations that prevent employees from accessing company data or devices with outside USB devices (eg, thumb/flash drives or external hard drives);
• imposing restrictions on the use of cloud data storage platforms (eg, Box, Google Drive, iCloud, or OneDrive) that are not explicitly associated with the company;
• developing acceptable use policies that outline how company information must be treated;
• monitoring data repositories and user activity, including logs of users’ access or downloading activities and the dates, times, devices, and IP addresses associated with such activity;
• investing in security programs or systems that automatically trigger a report when employees commit, or attempt, a mass downloading or transfer activity involving sensitive databases or data;
• maintaining forensically sound images of departing employees’ company-issued devices and backups of their IT environments upon separation and before reformatting the devices or reissuing them to other employees;
• executing policies and contracts requiring departing employees to return all company devices, data, and other property and to co-operate in any necessary forensic remediation;
• executing policies and contracts requiring departing employees to provide notice of their contractual obligations to any prospective employer, as well as notice to the company of any prospective employment; and
• conducting timely analysis of returned devices and employee emails or accounts to assess the risk of potential exfiltration and evidence of misappropriation – including contracting with in-house or outside forensic vendors and legal teams as necessary.

While the above are only examples, they provide capabilities to protect trade secrets and other sensitive, confidential business information and enable companies to assess the availability of legal tools to address any potential misappropriation. And should litigation be necessary, the information yielded from these processes and procedures is likely to promote and expedite litigation success.
Executing the information protection strategy: the onus is on the company

Inevitably, there will be instances when former employees leave a company and take or retain trade secrets or other sensitive, confidential business information – whether inadvertently or intentionally. In either case, the company needs to be prepared to detect when this has occurred and to address the issue, including scal -
225 CHAMBERS.COM