As the COVID-19 pandemic has rapidly spread across Europe, more and more companies have been forced to implement remote working arrangements for their employees. Logistical difficulties aside, businesses are now facing very real risks associated with information leaks due to human error, use of vulnerable equipment or software, or deliberate external misappropriation of sensitive data (both of the employer and its contractual counterparties). Immediate actions may need to be taken to adapt to this new environment.
In Bulgaria, the Commercial Act imposes a general obligation on authorised officers, sales representatives and proxies to keep confidential the trade secrets of their principals, and the Labour Code provides for a general obligation of loyalty and confidentiality towards the employer. The trade secret protection regime is regulated in more detail by the Trade Secret Protection Act ("TSPA") and the Competition Protection Act ("CPA").
For the CPA to apply, the infringer and the entity whose manufacturing or trade secrets are improperly acquired, used or disclosed, must be competitors. Protection under the CPA is only available where two (or more) legal entities are involved (i.e. it does not apply to natural persons). To trigger an infringement, the acquisition, use or disclosure of a manufacturing or trade secret must be for the purposes of attracting customers and must have an actual detrimental impact, resulting in the termination or breach of a competitor's contracts.
For certain commercial information, know-how or technological information to qualify as a "trade secret" under the TSPA, the person in control of such information must have taken measures to keep it confidential. However, the TSPA does not specify what these measures should be. Since the TSPA has only been in force since April 2019, there is still no established case law on what criteria to apply. It is expected that a different standard will apply to different types of information and businesses, depending on the nature, size, complexity and resources of the business. For more details on the TSPA, please refer to our publication "If you want to keep a secret, you must also hide it from yourself." ― George Orwell, 1984.
In view of the above, the TSPA generally provides better protection to employers against the misappropriation, use or disclosure of trade secrets by employees. The application of the CPA, on the other hand, is a specific hypothesis that requires careful analysis on a case-by-case basis.
Below are some practical tips for companies to consider in order to avoid the misappropriation of sensitive data and the risk that information will lose its "trade secret" status under the TSPA because of a failure to take appropriate steps to protect it.
1. Evaluate and update internal secrecy rules and policies: The starting point should be identifying, categorising and labelling the trade secrets and sensitive information which would be most vulnerable and exposed to inadvertent disclosure or misappropriation. This applies not only to your company information but also to any information provided to you by counterparties which may be a trade secret for them. Only in this way is it possible to outline in enough detail the procedures necessary to protect such data as a matter of priority. If your existing internal policies are not tailored to the risks associated with remote working, take the opportunity to critically evaluate and update them now. If this would be too time-consuming, create and circulate (by email) an info-sheet summarising the key rules for identifying sensitive information and practical recommendations for working with it, including remotely from home.
2. Staff confidentiality obligations: All staff members should be reminded of the confidentiality clauses in their employment or consultancy contracts and be asked to take even greater care of sensitive and proprietary information in the age of COVID-19. Set up internal information security training with a specific focus on IT security and confidential information protection when working remotely from home. Staff should be advised to (i) keep a "clean desk" to prevent others at home from viewing company trade secrets, (ii) set computer screens to lock up after a set period of non-use and require passwords to unlock them, and (iii) avoid having conference/video calls about confidential information in the presence of others in their household.
3. Access restrictions: Make sure that all company network locations where sensitive information is stored are subject to appropriate access restrictions, i.e. information to be accessed (also remotely) only on a need-to-know basis by a limited number of teams/employees. Such locations need to be appropriately secured. Consider requiring two-factor authentication for access. Track access and keep logs. Set up alerts for irregular downloading, copying or transmission of sensitive information. Give instructions to staff on the handling and disposal of any printed materials (i.e. ask employees not to discard them in the household trash but to retain them in secure locations and dispose of them upon returning to the office).
4. Use of company equipment and software: Allow staff members to use only company equipment (laptops and others), secure remote access to company networks and only the company's cloud and document management systems for working at home. Designate authorised software for contacting clients, but also for communication and collaboration among team members. Issue repeat warnings against the use of personal devices or accounts for working tasks (personal email, cloud services or instant messengers) and for transferring company proprietary information. Provide guidance on how to set up password and other protection of home Wi-Fi networks. Security breaches must be reported to the IT team immediately so that damage control can be performed (e.g. remote lock-out and wipe of all company data from a device). Home assistant devices (such as Google Home and Alexa) should be turned off and out of earshot from the employee's workspace where calls about confidential information are being held.
5. Strengthen confidentiality undertakings in contracts with third parties: In the ongoing digitalisation process, greater attention should be paid to confidentiality provisions in contracts with business partners, contractors and consultants, as well as to non-disclosure agreements signed in the process of deal negotiations. We expect to see more elaborate non-disclosure agreements and confidentiality provisions that specify in detail what information will be considered confidential in the relevant business or transaction, how your trade secret should be kept by the other party, but also how your company should protect the trade secrets of its counterparties in order to avoid claims for damages. The TSPA explicitly provides that even if information is lawfully obtained, if it is subsequently disclosed or used in breach of an explicit confidentiality obligation, this would trigger liability. For example, an employer who received confidential information from a counterparty under a confidentiality agreement could be exposed to a claim for damages if the trade secret of the counterparty is improperly disclosed by an employee. In addition to the purely legal consequences, this would lead to serious reputational damage.
When it comes to protecting trade secrets there is no one-size-fits-all approach. Each company must assess what measures are reasonable and appropriate during the COVID-19 pandemic to keep its trade secrets confidential depending on the nature, size, sophistication and resources of the business. It is advisable to consult not only IT security specialists but also legal counsel to assess what steps should be taken to protect trade secrets during this unprecedented crisis.
By Galina Petkova, Attorney at Law, and Stela Pavlova, Associate, Schoenherr