Home » Topics » Cybersecurity » How tech companies can protect their secrets

How tech companies can protect their secrets

by Editor's Choice

Trade Secrets and confidential information are more valuable to businesses now than ever before; market competition is fierce and tech start-ups are appearing all over the world. In addition, an increase in employee mobility has amplified the risk of sensitive information being transferred to competitors. Consequently, the protection of information, such as brand identity, business models and customer information, remains fundamental to the preservation of a successful business. With co-working arrangements and mobile employees commonplace in the tech sector, employers need to make sure they have appropriate measures in place to safeguard their intellectual property.

The EU Trade Secrets Directive (2016/943) is a significant legislative step towards increased security for companies looking to protect against the unlawful acquisition, disclosure and use of their trade secrets. It seeks to harmonise the approach to trade secrets across member states, and provide a common standard of protection for businesses. Implemented in the UK on 9 June 2018, the Regulations operate broadly in line with current UK law on breach of confidence, but with a few key amendments.

>See also: Corporate espionage costing business

What is a “trade secret”?

The Directive defines “trade secret” as information which:

  • Is secret (not generally known or readily accessible to persons within the circles linked to the information in question);
  • Has commercial value because it is secret;
  • Has been subject to reasonable steps to keep it secret by a person who is lawfully in control of that information.

Whilst, in practical terms, this may not be very different to existing UK law, the express requirement for businesses to show that they have taken steps to keep the information confidential is potentially significant; and makes it more important than ever that companies adopt a rigorous approach to protecting confidential information.

Dealing properly with confidential information not only makes it inherently less likely that it will be stolen or misused in the first place, but will also help show the court that the information was in fact a trade secret. So, what can companies do?

>See also: Cyber espionage and ransomware attacks are on the increase – Verizon

Know your secrets

Every company should know and keep under review exactly what information is confidential and valuable in its business. This could range from a secret recipe or highly confidential algorithm to pricing information and customer lists.

Safe storage

Once identified, the information should be stored and used in a way which maintains its confidentiality as far as possible. For example, do all the employees need to be able to access the full customer list? Is sensitive pricing information kept on a server that can be accessed by all employees? Are pitches and proposals sent to clients covered by non-disclosure arrangements? Are sensitive documents password protected? Given the dramatic increase in cyber attacks in recent years, can certain documents be kept ring-fenced from systems which are accessible to hackers?

>See also: The promise of storage and IT infrastructure in 2018

Provide clear guidance to employees

Employer confidential information and trade secrets are vulnerable when employees move from one business to another. It goes without saying that employers must not encourage new, overzealous employees to bring confidential information with them to their new job and it is also advisable to ask them to confirm in writing that they have not done so.

Similarly, once recruits have entered the business, employers should ensure that their employment contracts contain well-drafted confidentiality provisions, which apply both during and after employment. It should be made clear to employees what information is regarded as confidential to the company and they should only have access to the information they need for their role. Co-working and hot-desk environments present particular risks, as do situations where employees are working away from the office, on public transport or on public Wi-Fi networks. If employees work from home, there should be a clear policy as to how they access the systems they require; and emailing documents to personal accounts should be forbidden. If possible, IT systems should log who accesses documents, from where; and in some circumstances, it can be helpful to include tell-tale harmless “fake” entries in databases, so that copying can be proved if necessary.

>See also: How to create the perfect insider threat programme

Good leavers

Employers must also take care to manage the employee termination/exit process in a way that reduces the chance of deliberate breaches by employees. As well as handling the process professionally and fairly, this should involve: reaffirming confidentiality obligations and restrictive covenants (by reference to specific clients if necessary), and reminding them that breaches will be taken seriously.

If it is necessary and proportionate to check an employee’s sent items for evidence of misconduct, employers should ensure that a well drafted IT “Acceptable Use”/“Email Monitoring” policy is in place to warn employees this is a possibility and mitigate the risk of a GDPR breach or employee “privacy” claim.

Employers should also make sure that restrictive covenants are well-drafted, and reviewed regularly to ensure they are appropriate for the employee’s role as they progress through the business.

>See also: Three types of BYOD risk and what to do about them

Rapid response

But even in the most well-organised businesses things can go wrong, so it is equally important that companies are ready to act quickly and decisively if an incident arises. Understanding what information has been taken as soon as possible is key, not just to evaluate the potential commercial risks to the business, but also to ascertain whether any personal data has been taken, which might give rise to an obligation under the GDPR to notify the Information Commissioner’s Office (which must be done within 72 hours). In appropriate cases, injunctions and court orders can be a powerful tool in containing any breach, and minimising damage; and reputational risks or related publicity may also need to be promptly and decisively managed.

In summary then, whilst the Trade Secrets Directive does not introduce a radical overhaul to the protection of confidential information in the UK, it definitely serves as a timely reminder that confidential information is an increasingly valuable asset, and almost every business could do more to protect itself.

Written by Tom Lingard, partner, and Hannah Ford, partner, at Stevens & Bolton LLP

Editor's Choice

Editor's Choice consists of the best articles written by third parties and selected by our editors. You can contact us at timothy.adler at stubbenedge.com

Related Topics

Information Security

Related Stories

Cybersecurity

How AI will shift the security landscape in 2024

The impact of AI within cybersecurity is expected to grow significantly this year, says Alex Holland, senior malware analyst at HP

AI & Machine Learning

NCSC releases guidelines for secure AI development

New guidance from the National Cyber Security Centre (NCSC) aims to help businesses securely innovate with AI and minimise risks

Cybersecurity

3 cybersecurity compliance challenges and how to address them

Earning those trust seals can strengthen relationships with board members and prospective customers, but it sure isn’t easy.

Cybersecurity

70% of UK firms reported cyber insurance changes in past year

According to research from Databarracks, seven in 10 UK businesses have seen changes to their cyber insurance in the past 12 months, as requirements rise