Bring Your Own Device… But Beware

About the authors: Partner Thomas Hubert and associate Joshua Wood are both with the Jones Walker law firm in New Orleans. They are contributors to the recently launched Trade Secret Insider, which chronicles legal insights on trade secrets, non-competes, computer fraud and confidential data theft. This article was originally posted on tradesecretsinsider.com.

————————————————————————————————————————————–

Image courtesy of Trade Secret Insider.

Over the last decade, smart phones, laptops, and tablets have become essential components for a successful business model. Many business leaders correlate increased mobile connectivity with increased productivity. In theory, remote access to company data allows employees to efficiently work anytime, anywhere. “Bring Your Own Device” (BYOD) policies have emerged as one of the most popular options for providing employees with access to these new technologies.

But companies should consider the potential perils associated with increased accessibility to corporate data through an employee’s personal device, particularly trade secret theft if the employee plans to resign for employment with a competitor or to start a competing business. Companies must be concerned about what employees are doing on personal devices that are likely less monitored than company-owned devices and that may be synced with various cloud storage networks or data-sharing services.

Consider this scenario. Before resigning, an employee had access to and downloaded confidential documents on several personal devices, like a tablet, phone, or even a computer. She has also stored customer contacts on these devices. All the data—the contacts, emails, documents, etc.—remain on these personal devices when she resigns to work for a competitor. The confidential information is now in a competitor’s hands. Or consider a slightly different scenario, where the employee intentionally uses these personal devices to download and steal the company’s confidential information right before resigning to work for this competitor.

So what should a company do?

Companies must counterbalance the benefits of increased mobility with the risks of the increased potential for trade secret theft. A major problem, though, is detecting what former employees have retained or intentionally put on their personal devices. Trade secret theft, if detected, should result in claims for trade secret theft under the applicable state version of the Uniform Trade Secrets Act (UTSA).

However, those statutes only protect confidential information. The UTSA defines “confidential information” as information that “derives independent economic value … from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.” BYOD policies therefore pose a danger in litigation—they could tend to show that the company failed to take reasonable steps to keep information confidential.

At a minimum, BYOD policies should include the following acknowledgments:

  • The company owns all company-related data stored on personal devices;
  • The employee must return and/or delete all company-related data stored on personal devices on the date of resignation or termination;
  • The company has instituted these measures to protect the confidentiality of its information; and
  • The employee must show and/or certify that these steps were taken during off-boarding.

Additionally, there are steps that companies can take to assist with the detection problem. Specifically, they should consider investing in software applications that allow the company to scrub company data from the devices when the employee resigns or is terminated. Though the appropriate level of security varies, companies can increase their data control and monitoring abilities by deleting their confidential information from employee devices at any given time.

Finally, companies should treat BYOD policies as partnerships. It’s an opportunity to educate employees on the importance of trade secrets and the need to keep them secret. Combined with concomitant policies on using and accessing confidential information, BYOD policies can help create a company culture where protecting trade secrets is a known company goal. No policy will alleviate all risks but, in the long run, effective communication of expectations will decrease the likelihood of trade secret theft and place companies in a better position to prosecute trade secret theft cases—if necessary.

Ultimately, companies must balance the benefits associated with allowing employees to use personal devices for accessing company information against the risks to data security. Increased mobility and BYOD policies offer unparalleled benefits. But the risks must be considered and adequately addressed to keep company information protected. Precautionary efforts will produce invaluable long-term dividends.