Protecting trade secrets in times of COVID-19: practical recommendations

March 13 was the first anniversary of the entry into force of Act 1/2019, of February 1, on Trade Secrets (“LSE”). On the same day, the government announced the declaration of the state of emergency in response to the coronavirus crisis, involving a lockdown affecting millions of people.

Without knowing the duration and scope of these exceptional circumstances, thousands of companies have been forced to implement remote working, which has highlighted the need to adequately protect their most sensitive and confidential information and knowledge.

Remote working causes greater exposure to company information and the risk that it becomes accessible to unauthorized third parties due to data leaks, theft and security breaches in computer systems (both of the company and the employees), or even provides easy access to this information to those living with the employees.

As explained in previous posts, the LSE defines “trade secret” as any information or knowledge—including technological, scientific, industrial, commercial, organizational and financial—that meets all of the following requirements:

• It is secret in that it is not generally known or readily accessible to people within the circles that normally deal with it (particularly, competitors).
• It has actual or potential commercial value, precisely because it is secret.
• Its owner has taken reasonable steps to keep it secret. 

Therefore, for information or knowledge to be protected under the LSE, not only must it be secret and of value to the company, but the company must also have taken appropriate security measures (whether physical, technical or contractual) to keep that information or knowledge secret.

How can companies ensure the protection of their trade secrets when their employees are working remotely from home? What measures should they take to keep their valuable know-how secret?

The following are some practical recommendations: 

• Coordinate with IT departments to ensure a secure environment for employees that access secret information.
• Restrict remote access to secret information to certain users.
• Where possible, provide employees with the equipment and materials required to work remotely, so they do not use their own personal computers to access company information.
• Check that the networks and equipment provided to employees working remotely have access keys and passwords.
• Consider prohibiting employees from sharing highly sensitive documents by email. Instead, enable them to share documents using secure shared drives for which access rights are limited to authorized staff.  
• Educate employees about malicious mails and other communications designed to infiltrate your company’s network, and remind them to only open or download messages from trusted sources.
• Implement and share user manuals indicating how to act when working from home with all employees working remotely (e.g., recommending printing only when strictly necessary or working from a room where there are no other people).

These measures can vary depending on the company and the type of information. In any event, all companies should classify any internal information considered secret and take appropriate steps to keep it safe regardless of the equipment or location. By adopting these measures and checking their implementation, companies will be better equipped to prove fulfillment of one of the requirements under the LSE and to exercise the rights it confers on trade secret holders. 

Authors: Cristina Albiol and Jean-Yves Teindas