At a recent forum in New York, a team of Covington & Burling LLP lawyers addressed the growing concern among companies that their most valuable assets might just walk out the front door on a thumb drive in an employee’s pocket or otherwise be taken by company insiders. Although much of the discussion in this country is focused on securing systems from cyber-attacks, Michael Chertoff (former Secretary of Homeland Security and now Senior Of Counsel at Covington) noted that focusing only on attacks from outside a company is like locking a door but leaving a window open. The threat from insiders is substantial, and addressing this threat involves many disciplines, including employee benefits and executive compensation.
Protecting business critical information is not simple. It involves identifying which information is critical, designating that information confidential, establishing practices, procedures, and policies to maintain confidentiality, and being prepared to address immediately breaches that occur. Each step implicates several areas of the law, including data security, privacy, intellectual property, white collar crime, employment, employee benefits and executive compensation, corporate and securities, insurance coverage, and crisis management. For example, the recent White House initiative to combat trade secret theft identified human resources policies as a key area of focus in developing best practices to protect trade secrets.
To address this threat, a company should develop a comprehensive plan. The Covington team explained at the forum that a comprehensive plan includes limiting access to information, implementing procedures to protect the information, and verifying compliance. At the forum, Richard Shea, Chair of Covington’s Employee Benefits and Executive Compensation practice, noted that a company’s leadership can establish an ethos of compliance, for example, by including trade secret management and protection as part of employees’ job descriptions and performance reviews. Employment contracts and nonqualified compensation arrangements can be drafted to provide incentives to comply with confidentiality obligations, and to penalize breaches of those obligations. In the appropriate circumstances, even tax-qualified retirement and other benefit arrangements can be drafted to include such incentives.
A comprehensive plan also involves preparing for a breach or suspected breach — for example, by checking insurance coverage and identifying in advance the resources to be called upon in the event of a breach. Finally, a comprehensive plan includes a strategy to approach incidents or suspected incidents, by identifying the critical decisions that will need to be made and who will make these decisions, such as whether to pursue litigation, whether to contact law enforcement, and whether to disclose breaches to the SEC and/or customers.
The White House trade secret initiative recognizes that the private sector has a critical role in protecting the nation’s trade secrets. Addressing the threat from insiders is a key component of the protection of trade secrets that logically should include employee benefits and executive compensation practitioners as well as practitioners from numerous other specialties.