Cybersecurity is a hot button for all businesses these days. However, in the flurry of new privacy regulations and the focus on protection of consumer data, many businesses are not paying enough attention to how they could – and should – be using cybersecurity protocols to protect valuable trade secrets.

Trade secret protections apply broadly to business, financial and technical information, so long as: (1) the information is not generally known or ascertainable outside the owner’s organization and control; (2) the owner derives independent economic value or business advantage from the information not being known; and (3) the owner makes reasonable efforts to preserve its secrecy.  The unauthorized disclosure of trade secrets can lead to loss of strategic advantage over competitors and harm to your company’s finances and reputation. Failing to adequately protect trade secrets could also result in losing a misappropriation case against a bad actor.

Trade secret rights are secured and maintained solely by “reasonable efforts” to preserve their secrecy, which must be both internal (i.e., with employees) and external (i.e., with third-party vendors). While appropriate steps to protect trade secrets include offline actions like using non-disclosure agreements or physically locking confidential information away, courts are also now considering the adequacy of cybersecurity measures when they analyze reasonable efforts.

So, in the trade secret world, what is a reasonable “cyber” effort?  Like cybersecurity technology, case law on this issue is continuously evolving.  However, if you possess any trade secret information that is stored or communicated electronically, we recommend, at a minimum, the following:

  1. Ensure you have appropriate access protections in place. Trade secret information should be password protected and stored on a secure server.  Review your firewalls, encryption procedures, anti-virus software and the like.  Stay current with software patches and consider encryption for data at rest as well as for data in motion.  Access credentials should require multi-factor authentication.
  2. Limit the people who have access to your electronic information (think “least rights” access). Consider limiting electronic access to those specific employees or agents who actually need the information. The more people who have access to trade secrets (and the ability to share them with just the click of a mouse), the higher your risk of breach or misappropriation.
  3. Train your employees and agents on appropriate use of your electronic systems. For example, remind them not to share their passwords with anyone (even co-workers) and educate them on using company devices (like laptops and smartphones) correctly when they are offsite. Consider how your employees connect to your system when working remotely (i.e., require them to only use password-protected Wi-Fi networks, and not public Wi-Fi). Think about limiting or prohibiting use of USB ports or other portable drives on company computers. Teach your employees how to recognize phishing attempts.
  4. If you allow employees to access your systems from personal devices, consider an appropriate “BYOD” (bring your own device) policy and technology to secure the work environment on those devices.
  5. Restrict departing employees’ access to electronically stored information. Following termination, disable access to IT systems, change passwords, and make sure company-owned devices are returned.
  6. Ensure that you are monitoring and improving your cybersecurity efforts periodically. Consult experts about the latest developments in technology.  Conduct regular training about appropriate use of electronic systems and advise your employees of the risks of failure to follow protocol.
  7. Revisit confidentiality agreements with third parties and consider whether they reflect cybersecurity protocols.

Once your “crown jewels” are exposed, you cannot “recapture” them.  Be smart, be secure and be prepared.

I am sure you have read about the latest breach, this time hitting Facebook. Facebook confirmed that the access codes for 50 million accounts were compromised. Facebook is still investigating the impact of the breach, and has not yet reported whether any personal information was gathered or misused from those accounts.

For those of you who use Facebook, err on the side of caution and assume your information was compromised. If you have not already done so, change your login credentials for your Facebook account. If you use the same credentials for other accounts (which you should not do), then those account credentials should be changed, too. If you link your Facebook account to other social media accounts, you should check those accounts and change the credentials on those accounts, too.

I noted in a prior post that birthdays should not be posted on LinkedIn.  Similarly, such personally identifiable data points should not be posted on your Facebook or other social media accounts.

While Facebook may be a wonderful way to stay in touch with friends and family, living out loud online puts you at risk.

Do not feel compelled to share future plans for travel, or other personal data/information, on social media. Be smart and be safe!

I recently had a death in the family. One of the things we addressed while making arrangements was to freeze the credit of my stepfather. I would like to say, as a cyber attorney, that this was my idea, but I confess in mourning the loss of a wonderful man, I was thinking like a daughter and not like an attorney. The credit freeze was one of the services the funeral home offered.

Sadly, this is one of the more important things that a family should do after losing a loved one. Criminals comb obituaries to find homes they can break into, and identities they can steal. Freezing the credit of a lost loved one does not impede the settlement of the estate, and ensures that a grieving family does not have the added heartache of a stolen identity and stolen assets. Consideration should also be given to social media profiles and accounts, along with credit cards. While it is an unfortunate statement about our society that a family in mourning must address such matters, it is essential that this be undertaken quickly.

NJCCIC shared today that as of 9/21/18, Equifax, Experian and TransUnion will be required to offer free credit freezes. NJCCIC further reported that “[a]s part of the new Economic Growth, Regulatory Relief and Consumer Protection Act, parents will also be able to request free credit freezes for children under the age of 16 and free credit monitoring services will be offered to all active duty military personnel.” More information is available on the Federal Trade Commission Consumer Information blog.

Keep in mind, however, that if you are in the process of buying or financing a major purchase (car or home), or undertaking any other venture for which a third party would look to run a credit check, you will need to allow for those parties to access your credit report. Further, if you do freeze your credit, and then misplace your access credentials with the particular credit agency, it is not a small undertaking to prove you are really you to unfreeze your credit. And, of course, be careful how you select your access credentials, respond to security questions, and keep credentials in a secure location.