Remote workers could be exposing their employers to contractual violations and legal disputes if they are not correctly handling sensitive information.
For the automotive industry, particularly within the automaker-supplier relationship, trade secrets often comprise the highest-risk information.
Trade secrets are defined by the Canadian Intellectual Property Office as “any valuable business information that derives its value from the secrecy.” This can include a formula, process, technology, design or other asset that is not or cannot be legally protected through other methods such as acquiring patents.
When a company-owned trade secret is exposed, the lost value is unrecoverable. This becomes especially complex when one company’s employee exposes a trade secret belonging to a third party — for example, an employee of a Tier 1 supplier inadvertently makes an automaker’s trade secret public knowledge — which can put that employer at risk of a legal battle over breach of contract.
“There can be legal obligations pursuant to those contracts ... if appropriate steps aren’t taken to ensure that those [trade secrets] are properly protected,” said Lyndsay Wasser, co-chair of the privacy and data protection group and the cybersecurity group based in the Toronto office of multiservice law firm McMillan LLP.
Employees must be trained on how to verify that data is encrypted whenever it is transmitted or stored, and must also understand that sensitive data should never be downloaded to personal devices such as smartphones or personal computers, said Wasser.
“Typically, we would want that information to be maintained within the company’s networking systems,” he said. “That can be difficult if employees are using personal devices to work from home where the company wasn’t able to provide company-issued laptops and other technology.”
Ensuring that employees understand the distinction between secured networks and unsecured personal email accounts or other cloud-based apps, particularly those not approved by their employer, is critical.
“We’re starting to see [automakers] getting very prescriptive on where you can place documents,” John Heaton, a Toronto-based partner in the cybersecurity advisory services practice of accounting firm KPMG, said in a webinar on cybersecurity hosted by the Automotive Parts Manufacturers’ Association on May 7.
“The German [automakers] in particular have a very specific set of rules you have to follow and encryption that’s required. ... If you’re using a [cloud-based] solution, there may not be any encryption of that data.”
Companies should also ensure that their secure networks require login using multi-factor authentication, such as a password in combination with a code sent to a smartphone, to validate employee identity.
“Multi-factor authentication provides that extra level of security in case the password itself is not strong or has been previously compromised,” Wasser said.
While the current working environment places an emphasis on technology, Wasser said companies should not overlook the low-tech risks of working outside of a centralized office, such as leaving printouts exposed on home workstations or in municipal recycling bins.
“It is advisable to limit hard copies as much as possible because many individuals don’t have the appropriate facilities to ensure that information is properly protected in a home environment in terms of locked cabinets or shredding facilities,” Wasser said. “Organizations ... should have procedures and rules in place for employees handling information in that form.”