Stephanie Wallcraft, Automotive News Canada
September 14, 2020
Remote workers could be exposing their employers to contractual violations and legal disputes if they are not correctly handling sensitive information.
For the automotive industry, particularly within the automaker-supplier relationship, trade secrets often comprise the highest-risk information.
Trade secrets are defined by the Canadian Intellectual Property Office as “any valuable business information that derives its value from the secrecy.” This can include a formula, process, technology, design or other asset that is not or cannot be legally protected through other methods such as acquiring patents.
When a company-owned trade secret is exposed, the lost value is unrecoverable. This becomes especially complex when one company’s employee exposes a trade secret belonging to a third party — for example, an employee of a Tier 1 supplier inadvertently makes an automaker’s trade secret public knowledge — which can put that employer at risk of a legal battle over breach of contract.
“There can be legal obligations pursuant to those contracts … if appropriate steps aren’t taken to ensure that those [trade secrets] are properly protected,” said Lyndsay Wasser, co-chair of the privacy and data protection group and the cybersecurity group based in the Toronto office of multiservice law firm McMillan LLP.
Employees must be trained on how to verify that data is encrypted whenever being transmitted or stored, and must also understand that sensitive data should never be downloaded to personal devices such as smartphones or personal computers, said Wasser.
“Typically, we would want that information to be maintained within the company’s networking systems,” he said. “That can be difficult if employees are using personal devices to work from home where the company wasn’t able to provide company-issued laptops and other technology.”
Ensuring that employees understand the distinction between secured networks and unsecured personal email accounts or other cloud-based apps, particularly those not approved by their employer, is critical.
“We’re starting to see [automakers] getting very prescriptive on where you can place documents,” John Heaton, a Toronto-based partner in the cybersecurity advisory services practice of accounting firm KPMG, said in a webinar on cybersecurity hosted by the Automotive Parts Manufacturers’ Association on May 7.
“The German [automakers] in particular have a very specific set of rules you have to follow and encryption that’s required. … If you’re using a [cloudbased] solution, there may not be any encryption of that data.”