Do Your Home Work: Keeping Trade Secrets Safe While Working Remotely
by James Pooley (April 2020)
If while you’re reading this you are stuck at home or some other location trying to work remotely, give some thought to 18th century self-proclaimed alchemist Johann Friedrich Böttger. As a young and ambitious man living near Dresden, he was convinced that he could actually make gold from base metals, and when King Augustus the Strong (who was apparently in need of more gold) heard about his audacious claim, he had Böttger taken into “protective custody,” which turned out to be a dungeon in his castle. Böttger was to set up a lab and stay at it until he could produce the real stuff.
Unsurprisingly, Böttger produced only a lot of foul smells and the occasional small explosion, and over the next two years, earning his freedom seemed increasingly remote. In fact, he feared for his life. But the king decided instead to appoint a real scientist, Ehrenfried Tschirnhaus, to oversee Böttger’s work. Tschirnhaus was not interested in gold, but rather something that at the time was equally valuable, because it had to be imported from China: white porcelain. Böttger didn’t care about such frivolities, but he was not in a position to resist acting as a lab assistant. Eventually Tschirnhaus cracked the code for porcelain, but suddenly died. Böttger got his hands on the formula, went to the king with the good news, and that’s how Böttger came to fame and wealth as the “inventor” of Dresden china. #dumbluck
Böttger of course got a much nicer lab in the castle, with doors he was free to use. But perhaps because he had learned how much more productive one could be when imprisoned, he famously had his own employees chained to their desks and, in an early form of social distancing, prohibited them from contact with others, lest the secrets be lost. This worked for several years until one of them escaped to Vienna with the formula, which is why you can afford nice china dishware today.
Trade Secrets, Lockdowns and Photocopiers
One more history lesson about working outside an office. This one takes us to Venice, where the ancient Roman secrets of glassmaking had been rediscovered and perfected in the 13th century. If you have heard of the beautiful, multicolored Murano glass, that’s because the Venetian government in 1291 forced all the glassblowers to relocate to that neighboring island, ostensibly to prevent their furnaces from sparking a destructive fire in the then-wooden city. The real motivation was apparently to get better control over the craftsmen and their secrets, by putting them in one place and forbidding them from leaving, on pain of death. Now, there’s a serious lockdown. But the glassblowers were able to form a guild among the families and control both the secrets and their prices. So working from home turned out to be a pretty good thing.
Now fast forward to the 1970s, when I first got involved with trade secret management. Business had long before dispensed with life-threatening measures to protect secrets, but the process was fairly straightforward, because everything was on paper and there were no networks. The greatest threat to information security was the photocopier, and taking work home was seen (by the employer at least) as a good thing. Not everyone behaved, and there were plenty of lawsuits, but security was simpler.
Can We Depend on Our Sense of Control?
We now enjoy networks with more or less infinite bandwidth, spread all over the planet, and supercomputers (that is, phones and tablets) in the hands of millions of employees. We have been able to produce way more valuable information much faster, but the digital world we work in also makes that data more vulnerable than ever. Thankfully, advances in technology have also made it possible for us to keep track of electronic information, both at rest and in transit, and so our sense of control around the security of trade secrets has not degraded that much. Unfortunately, people still sometimes do stupid things with data, just like they did with paper, and so the challenge of modern business has as much to do with managing behavior as with harnessing software.
And that’s the everyday challenge when most of the workforce comes into the office. But working from home increasingly is a hallmark of the digital age. We do it because we can, and it’s more convenient. And we do it because of the demands of employers, customers or clients for 24/7 availability. This means that we have to depend even more on our networks to get things done and the tools to track what we’re doing. But particularly as more people choose to, or have to, work from home, the issues around managing their behavior become more complex.
Our Love/Hate Relationship with Security
Security is a conundrum, a trade-off, a paradox. A kind of permanent tension exists between what we know is good for us and what we find more convenient. Remember the days before you had to recall passwords and PINs? Now consider two-factor authentication. Yes, it makes it really, really certain that it is you when you have to wait (after putting in your password) for a code to come to your phone. But should we have to endure that every time we want access to a file? Now, consider the use of Virtual Private Networks, or VPNs. Using these company-owned networks while at home allows us to communicate securely by using end-to-end encryption. But they’re usually slower than our personal WiFi, so when we need to send a lot of messages or move a lot of documents around, well ….
So working at home requires being very careful, and in normal times companies can usually manage those who need to be engaged remotely. But what about now, when almost everyone is doing it? And what about later, when we return to normal, but find out that normal includes new habits about when and where we can do our jobs? How can companies respond to the present needs, as well as prepare for the future?
A Pandemic Response and Post-Crisis Plan
First, focus on the basics. Review with your IT team how existing procedures and controls can operate in the dispersed environment. Companies with a lot of experience implementing mobile device management protocols and tools will mostly just need to increase resources. However, incident (i.e., breach or other security problem) reporting may not be as robust as when most people are operating in controlled surroundings, so you may need to explore how to adjust your systems to take into account those additional vulnerabilities.
Second, reinforce to all staff the importance of protecting confidential information in its various forms. Remind everyone about what kind of information is sensitive, and what your expectations are for hygienic business behavior, particularly their communications with the outside world. Tie this messaging to your existing policies and procedures, emphasizing that this effort is an extension of the company’s focus on protecting its sensitive data, an issue that obviously needs more attention when we are all in remote locations.
Third, provide everyone with sufficient cloud-based data facilities (such as Google Drive or Dropbox) that are easy to use for secure storage and transfer of information with customers, supply chain partners and other outsiders.
Fourth, encourage staff to use company-owned devices and the company’s VPN, and to continue to use company email systems for business matters. Make sure everyone knows that use of home computer systems and WiFi is not secure and that they should especially avoid using it for any sensitive communications. For those who resist (and sometimes the recalcitrant are executives), consider providing personal IT support to enhance the security of their environment.
During this unusual time, employers need to be flexible and understanding. Getting compliance with the full suite of security protocols is harder at a distance. Trade secret management is about balancing value against risk, and then measuring that risk against the cost (including inconvenience) of various measures to reduce it. One of the practical risks is that people won’t follow rules that get in the way of getting the job done, and so you need to be sensitive to their struggle and try to collaborate about finding acceptable solutions.
An essential element of trade secret protection is that the owner has made “reasonable” efforts to keep the information a secret. But as the Uniform Trade Secrets Act tells us, those efforts must be reasonable “under the circumstances.” When circumstances change, as they have recently, we need to recalibrate. In fact, when things return to whatever normal turns out to be, this will be an excellent opportunity for every organization to revisit the way in which it approaches management of its most important information assets.
© 2020 James Pooley