Remote work and hybrid work have become standard features for startups and technology companies looking to attract talent. Yet as employees log into company systems over home networks, access client data on personal devices, and join video calls in public spaces, the confidentiality controls that companies built for the office environment can no longer cover these scenarios. Traditional office security typically relies on physical boundaries — access controls, filing cabinets, centrally managed servers. That architecture assumes employees are working within a physical and network environment that the company controls.
When employees shift to working from home, those controls become difficult to apply as the physical perimeter expands. This article sets out three directions companies can use to systematically strengthen their confidentiality measures, whether they are introducing remote work for the first time or reviewing an existing arrangement.
Recommendation 1: Strengthen Existing Legal Documents
Many employment contracts and work rules were drafted and signed on the assumption that employees would work in an office. They often lack clear provisions covering confidentiality obligations in a remote setting, rules on device use, and authorization for audits. Companies should review and address the following areas:
(1) Define the scope and conditions of confidentiality obligations
Non-disclosure agreements and confidentiality clauses must clearly define what qualifies as confidential information or a trade secret. A catchall phrase such as “all company business information” is not sufficient. Clauses should also spell out specific obligations that apply in a remote setting — for example, requiring employees to be mindful of their surroundings during video calls, to access certain categories of confidential information only over secure networks, and to return or destroy company data on departure as directed.
(2) Obtain employees’ prior consent to future audits
If a company intends to conduct security audits of company-owned devices or of how employees access company information, it should obtain each employee’s consent in advance — whether in the employment contract or the work rules — and specify the scope and method of any such audit.
(3) Update the work rules
Under the Labor Standards Act, companies with thirty or more employees are required to establish work rules. In practice, most companies adopt the government template, but they should add provisions covering device use, data access and transfer, the process for reporting security incidents, and the disciplinary consequences of non-compliance. If the competent authority raises concerns about any added content, one option is to have the work rules authorize a relevant department to issue separate internal guidelines.
Recommendation 2: Implement Technical Controls
Legal documents establish rights and obligations, but they cannot prevent incidents from occurring. Technical controls reduce the frequency and severity of breaches. Companies may wish to consider the following:
(1) Access control: Assign different levels of data access based on department and role. For example, engineers may access technical documentation, but sales staff should not have access to the same technical repositories; engineers on different projects should not be able to access each other’s technical files.
(2) Endpoint controls: Use mobile device management (MDM) or endpoint security software to restrict the use of external storage devices, disable screenshot functions, and prevent the installation of unauthorized applications on company-owned devices.
(3) Anomaly detection: Configure systems to generate alerts when unusual activity is detected — such as an employee downloading large volumes of confidential files in a short period, logins from unusual times or locations, or attempts to access folders outside an employee’s authorized scope. These mechanisms both deter misconduct and provide early warning of a potential breach. Companies should assess which options are appropriate for their situation.
Recommendation 3: Training and Audits
A framework that lacks training, enforcement, auditing, and improvement will not deliver its intended effect. In practice, breaches more commonly originate from employees who inadvertently or carelessly violate the rules than from external intrusion.
Companies should provide security and confidentiality training and retain records for reference. The content need not be elaborate. The key is to ensure employees understand what qualifies as confidential information, what common violations look like, why the controls exist, how to report a security incident, and how the company’s audit process works.
Audits should be conducted on a regular basis. Items to review may include whether access logs show any anomalies, whether any unauthorized software is installed on company devices, whether backup systems are functioning properly, and whether all relevant employees have signed confidentiality agreements. Where deficiencies are identified, the relevant department should be required to propose remediation measures, and follow-up should be tracked.
Conclusion
Remote work has become the norm for many startups and technology companies, and it introduces real challenges for existing information protection frameworks. Without proper planning, technical controls, and ongoing auditing and improvement, companies face not only the risk of trade secret or confidential information leaks, but also the risk that customer, supplier, or employee personal data may be stolen, altered, or disclosed — giving rise to potential liability under the Personal Data Protection Act.
If you are establishing or adjusting your company’s remote work framework, or would like to review whether your current employment contracts, confidentiality agreements, and work rules are adequate for your current working arrangements, we would be happy to assist.