What employers should worry about when employees work remotely
It’s not whether they’re working; it’s what they’re doing while working.
Most employers’ main concerns about allowing employees to work remotely come down to one question: How do I know if my employees are really working?
That’s not the right question.
The more important considerations are how to maintain security around confidential information, and what limitations might need to be put into place to ensure a company can fight back if proprietary information is stolen or mishandled by an employee, according to a local employment attorney.
“What I see is the aftermath of what happens when employees have access to information, and the information isn’t protected and happens to be of a confidential or proprietary nature,” said Nikole Canute, an attorney with Mika Meyers Beckett & Jones. “What happens when employees take that information with them or have it saved on home devices … and what happens when litigation then commences.”
She said employers need to think about that potential aftermath and make decisions based on minimizing risk.
“What security measures should you have in place when you have employees working remotely — or whether you want them working remotely at all if they are going to be dealing with highly confidential information that you don’t want taken outside of your company’s network,” Canute said.
She used the example of Coca-Cola Co. and its secret formula: What happens if an employee places that information on a personal device?
“That employee could, in theory, go on Coke’s network and access that formula and then save it to their home device,” she said. “That formula is then outside the control of Coke, and that employee could forward it in an email, save it on a flash drive, have it on their home computer where their spouse or child or someone else goes on and could see it.”
Canute sees plenty of lawsuits focused on this type of breach.
“There is a law in Michigan called the Uniform Trade Secrets Act that says if you are dealing with really valuable, unique information, it’s against civil law for an employee to take that with him, to steal that information. But one thing the employer has to prove is that they took reasonable measures to maintain the confidentiality of the information,” she said.
“If you allow an employee to just have unfettered access and to save that information to different devices or to put it on a flash drive and take it with them wherever they go, that works against you when you try to prove that you took reasonable measures to try and maintain the secrecy of the information.”
She said the best way a company can protect itself when allowing employees to work remotely is to make sure they address the issue of confidential information in employee policies.
“You always want to have a confidentiality policy in place that tells employees that they are not allowed to take your confidential trade secrets or proprietary information,” she said. “And, give employees some idea as to what categories that information falls into: ‘You aren’t allowed to take our formulas, our strategies, our financial documents, information about our customers, information about our vendors, pricing.’ Call it out in the policy and make sure it’s clear.”
Canute said policies should also address the use of the employer’s network and prohibitions such as not allowing employees to save files to a flash drive.
Brandon Fannon, managing director at digital forensics company Axis Discovery, has seen his fair share of companies struggling to figure out how information was taken in the aftermath of a breach. “Many times we are brought in after the fact to try and unravel this spider web of what has happened,” he said.
He said the most common mistake companies make is allowing unfettered network access.
“We don’t see enough restrictions and locking down on the corporate side in most small and medium business environments,” Fannon said. “Usually it takes some sort of litigation or data intellectual property theft to actually get them to pay attention to the proactive side of things.”
He pointed out that USB devices and cloud storage systems are great ways for employees to take information out of the office so they can work anywhere, but both increase companies’ risks.
Fannon said limiting or disabling USB device access is an important step companies should take.
“There are a couple of ways that you can restrict it,” he said. “One, you can lock it down completely. Two, you can lock it down to a point where you are actually issuing thumb drives to employees — and we actually see that as a little bit of a better control because now you know the USB devices that are actually allowed on your network.
“Taking it a step further, there is monitoring software that records what files are copied from a network share or from a computer out to a thumb drive, and either one blocks that completely or at least records the theft.”
More and more companies have instituted “bring your own device” policies, allowing employees to choose the devices they prefer rather than issuing everyone the same type of laptop or tablet. That comes with its own set of risks, including that an employee’s device might not have the most up-to-date virus or security software, putting the company’s information and network at risk.
Fannon said many employers are issuing checklists to dictate what requirements a personal device must meet in order for the employee to use it for work, and he supports that practice.
Finally, Canute said when employees leave the company, a great way to minimize risk is to include a checklist in the exit interview where the employee notes that all confidential files have been removed from personal devices and what personal devices were used for work.
“Have the employee sign that,” she said. “Then you are locking the employee down on what they’ve done with that information and where it still is.”