As more companies offer hybrid or fully remote work environments, the effort to protect trade secrets will grow as a concern.

Since March 2020, legions of employees have been working from home with nearly unfettered access to company information. Some of that information may be regarded as trade secrets. Much has been written about the general cybersecurity threat remote work creates, but the exposure of trade secrets and other strategic company information poses an equally serious threat.

The issues in this area are complex, but a recent decision by the U.S. District Court for the Eastern District of Pennsylvania has shed some light on the matter.

In M3 USA Corporation v. Karie Hart, et al, M3, a health care market research firm, alleged that Karie Hart, a former employee who was working remotely, accessed proprietary information on its bidding process, including billing rates, and that the information constituted protected trade secrets. She was accused of taking trade secrets with her when she was hired by Atlas Primary Inc., a competing firm based in Atlanta.

M3, based in Pennsylvania, also asserted that Hart, a New Jersey resident, turned in her resignation on July 30, 2020, yet continued using her M3 login credentials and company-issued laptop to access information on projects, bidding, and pricing for four days thereafter, and took that information to Atlas—a violation of her confidentiality agreement.

The District Court ruled in M3’s favor, upholding some, but not all, of the company’s assertions. The court observed that while it could not exercise general personal jurisdiction over Hart because of her New Jersey residency, it could exercise jurisdiction over Hart and Atlas for misappropriation of M3’s trade secrets. Acknowledging that its decision was “a close call,” the court ordered Hart and Atlas to pay more than $308,000 in attorney’s fees and other costs.

So, why was it a “close call”? Part of it is due to the fact that trade secrets historically had been protected by state statute. In 2016, however, trade secret protection was bolstered by the Obama administration with the Federal Defend Trade Secrets Act of 2016 (DTSA). The DTSA allows federal causes of action over misappropriation of trade secrets related to products and services used in, or intended for use in, interstate or foreign commerce. The act defines trade secrets as follows:

"All forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if (A) the owner thereof has taken reasonable measures to keep such information secret; and (B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information."

Most companies have some measures in place to protect trade secrets, but many had not been fully stress-tested until COVID-19 forced businesses across the country to close offices and allow staff to work from home. Now, as both employers and employees embrace fully remote and hybrid work arrangements, those without robust protections in place face significant risk of trade secret loss.

The following are protective measures that can be employed to help protect intellectual property and preserve the propriety of business practices:

• Inventory all trade secrets and identify existing protections and any gaps in those protections.
• Design and implement policies on the use of confidential and trade-secret information by employees when using a home or public Wi-Fi network.
• Design and implement policies on employee use of personal email and messaging services to transmit confidential and trade-secret information.
• Design and implement policies on what can be retained on personal devices, such as mobile phones, tablets, personal computers, flash drives, external hard drives, file-sharing sites, and cloud-storage sites.
• Maintain access controls that guard access to internal electronic systems and physical locations where trade-secret information is retained and stored.
• Assess the security of videoconferencing and other communication platforms, and enforce protocols to enhance their security.
• Design and implement policies regarding information that can be printed or otherwise disseminated outside of the office.
• Incorporate a return of confidential data and trade-secret information into the separation process, including mandating that company-specific data and information be deleted from employee’s personal devices.
• Remind departing employees of agreed-to employment policies for the protection of trade secrets.
• Consistently review and enforce employment agreement provisions for the protection of trade secrets.
• Train employees on their role in protecting trade secrets and confidential information, including policies and rationales for those policies.

Just as trade secrets may be unique to each business, the policies for protecting those secrets should be similarly customized. Measures that may be applicable to one business may not be applicable to another. All businesses, though, will benefit from taking appropriate safeguards.

David Duffus, CPA, ABV, CFF, is a partner on the forensic accounting and commercial damages team at HKA Global Inc. in Pittsburgh, Pennsylvania. You can reach David at DavidDuffus@hka.com.

Reprinted with permission from the Pennsylvania CPA Journal, a publication of the Pennsylvania Institute of Certified Public Accountants.

This article appears in the summer 2022 issue of the Washington CPA magazine. Read more here.