Is It Safe? Is It Secret? Protecting Business Information

By Joan M. Swartz

Privacy concerns are at an all-time high. As members of the public, we are constantly bombarded with tales and woes of identity theft and of the pervasive and seemingly easy access that determined hackers and criminals have to our personal data for illicit uses. The implications of these pressures for business are enormous. Today every business that gathers any personal information regarding its customers, whether online, at a store counter, or on the telephone, holds valuable information that another party may want for legitimate or illegitimate purposes. Protecting customer information from third-party disclosure is one challenge most businesses face in today’s highly competitive environment.

Of equal concern to every business is the protection of its own proprietary information (intellectual property that is not otherwise entitled to copyright, trademark, or patent protection under either common law or the federal and state statutes affording such protections to written and original works). As technology advances, so do the risks of inadvertent disclosure and deliberate misuse of that information. Not so long ago, raw data was laboriously fed on punch cards into room-sized computers and stored on bulky tapes, payroll information and employee files were kept in the safe, and few had access to the company records. Today’s sleek but powerful laptops can hold millions of bytes of information, and most company information is digitized on various interconnected networks. Accessing the electronic data can be as easy as inserting a flash drive and clicking a few keys. Even data "secured" by passwords and firewalls may be child’s play for a determined hacker.

Advising businesses how to meet security vulnerabilities is challenging because the technologies change rapidly, and one day’s advance might easily become the means to tomorrow’s hack. Scott McNealy, the founder of Sun Microsystems, recently summed up technology’s inherent vulnerabilities: "You have zero privacy anyway. . . . Get over it."

Protecting Customer Data

Despite the wealth of information to the contrary, it’s clear that businesses and individuals still entertain a high expectation of privacy, even in the face of everyday examples showing that almost everyone wants to know more about everyone else. Many retail stores cannot even begin a transaction without entering the customer’s name or zip code first. "Market research" has become an accepted, if annoying, intrusion into daily life, as businesses attempt to understand and predict the marketplace. Credit cards and debit transfers reveal customers’ significant financial patterns on a regular basis. And failure to adequately protect data can result in significant risks for both individuals and companies.

Customers of T.J. Maxx, Marshalls, HomeGoods, and A.J. Wright recently filed a class action lawsuit in the U.S. District Court for the District of Massachusetts on behalf of all customers for loss of credit card data and personal information, including driver’s license and Social Security Numbers (Buckley et al. v. TJX Companies, Inc., Case No. 1:07-cv-10209-RWZ (pending) (Court File No. 06-000382-073, Court for the District of Massachusetts)). The complaint charges that parent company TJX was negligent for failing to maintain adequate security for customer credit and debit card data accessed by a hacker, potentially affecting "hundreds of thousands of people" who bought or returned something at any of the parent company’s stores during a period of several years. Also significant is that the company did not disclose knowledge of the breach for more than a month, allegedly to avoid discouraging customers during the busy December holiday season.

Most circuit courts recognize "the constitutional right of privacy in confidential information" covering financial disclosures and generally respect an individual’s expectation of privacy as it pertains to personal financial information. See Denius v. Dunlap, 209 F.3d 944, 956 (7th Cir. 2000), and Plante v. Gonzalez, 575 F.2d 1119 (5th Cir. 1978).

Any business that gathers or maintains personal information regarding its customers is potentially at risk and must take steps to protect the data. Thus, adopting a privacy policy stating the reasons it gathers confidential information and how the data will be used is essential. The policy assures customers that the business will protect their personal information from unnecessary and unintended disclosure, which in turn encourages customers to provide personal information the business can use. The policy should be in written form and posted in plain view on the company’s website, as well as made available in writing at the place of business. Policies and procedures for handling customers’ personal information must also be developed in furtherance of the policy and should include limiting access to only essential staff, encrypting sensitive data, and implementing security measures to prevent accidental disclosure. Equally important, the company must communicate the privacy policy throughout the organization and train staff to zealously manage and protect personal data.

Requests for Customer Data

Hackers are not the only outside forces attempting to obtain confidential customer data and information from businesses. The case law is instructive on the varied claims for customer information that business owners face. Notably, in each of the following two cases, a governmental authority attempted to compel production of confidential customer information from a business, and the business opposed the demand to protect its own and its customers’ interests. A review of the cases shows how the courts deal with these claims.

A small bookstore, the Tattered Cover in Thornton, Colorado, received a subpoena for information pertaining to sales to a customer who was the subject of a drug investigation. Police argued that the records were necessary to lead them to the resident/operator of a mobile home-cum-methamphetamine lab at which two books had been found: Advanced Techniques of Clandestine Psychedelic and Amphetamine Manufacture and The Construction and Operation of Clandestine Drug Laboratories. Because the trailer also contained an envelope from the Tattered Cover bearing an invoice number but no name, and officers believed they needed additional evidence before they arrested the man living in the trailer/lab, the police considered the subpoena to the bookstore to be essential.

On April 8, 2002, the Colorado Supreme Court ruled in Tattered Cover, Inc. v. City of Thornton, 44 P.3d 1044 (Colo. 2002), that police could not force the bookstore to divulge the names of individuals who purchased books detailing the manufacture of illegal drugs. In a unanimous decision, the state high court ruled that the First Amendment and the Colorado constitution guarantee the "fundamental right to purchase books anonymously, free from governmental interference." The decision overturned a lower court ruling ordering the Tattered Cover to provide sales records to a Denver-area drug task force.

In pointing out that police already had sufficient evidence to link the occupant to the trailer/meth lab, the court wrote: "We hold that the city has failed to demonstrate that its need for this evidence is sufficiently compelling to outweigh the harmful effects of the search warrant." The court pointed out that only in rare instances, where police can show the evidence cannot be obtained in any other way, should search warrants for customer sales records be authorized.

In another case illustrating a different attack on the privacy of customer information, Lubin v. Agora Inc., 882 A.2d 833 (Md. Ct. App. 2005), Maryland’s court of appeals recently denied the state securities commissioner the right to subpoena the publisher of an Internet newsletter for its list of current and potential subscribers. The commissioner issued subpoenas based on a customer complaint that indicated the publisher of an Internet newsletter was acting as an investment adviser without proper state registration. The subpoenas sought electronic data from the publisher such as subscriber lists, marketing lists, and documents identifying subscribers and nonsubscribers solicited in an e-mail campaign. The circuit court in Baltimore County enforced the subpoenas, but the court of appeals reversed, relying in large part upon the well-accepted First Amendment precedent that "the government has no greater right to inquire into an individual’s choice of reading materials than it does to inquire into an individual’s choice of associates." It found that the commissioner had failed to show a sufficient nexus between the investigation into the defendant’s activities and the demand for the subscriber lists.

The courts in both cases applied balancing tests that compared the government’s right to information against the individual’s expectations of privacy. Both cases demonstrate that protecting customer information from disclosure can go beyond enacting an in-house policy and protecting the information internally. Companies must anticipate potential demands from outside the organization, including regulators and law enforcement. Internet service providers (ISPs) have experienced similar requests from the government in the name of national security, as in Doe v. Ashcroft, No. 04 Civ. 2614 (NV) 2994 W.L. 2185571, at 41 (E.D.N.Y. Sept. 28, 2004), which struck down portions of the Patriot Act allowing the FBI to compel ISPs and telephone companies to produce customer records in connection with terrorism investigations.

Protecting Business Data

Protecting a business’s proprietary information from disclosure is a multifaceted issue, given that the business must guard against disclosure from both within and outside the organization. Employees who leave the company, particularly where ill will is involved, and outside consultants and vendors can be a common source of problems.

The first step for a business is to evaluate the information it must protect. If a business seeks to protect trade secrets, it must develop an internal protocol to ensure secrecy. The protocol must include written confirmations from employees, consultants, and vendors that certain information is secret. The protocol should also protect against accidental disclosure to third parties and to employees who do not work with these types of information. A written policy agreed to and signed by all employees is a must, but protection cannot stop there. In addition, a confidentiality agreement executed prior to transactions in which a business must disclose confidential financial information to potential buyers, lenders, financial institutions, and the like is essential.

Proprietary Information/Trade Secrets

The 1979 Uniform Trade Secrets Act was created to determine whether a given work is a trade secret; it has since been adopted in a number of states. A trade secret is generally defined as any formula, pattern, device, or compilation of information that is used in one’s business and provides an opportunity to obtain an advantage over competitors who do not know or use it. The subject matter of a trade secret must be secret, so that except by the use of improper means, there would be difficulty in acquiring the information. The act specifies two criteria for making the decision: (1) independent economic value, actual or potential, must derive from the information’s not being generally known or readily accessible through proper channels by others who can gain economically from its disclosure or use; and (2) the information must be the subject of efforts that are "reasonable under the circumstances" to maintain its secrecy. See Uniform Trade Secrets Act, § 1(4) (1979).

Courts have considered various factors in determining whether given information is a trade secret, among them the following:
  • The extent to which the information is known by individuals other than the business owners;
  • The extent to which it is known by employees and others involved in the business;
  • The extent and measures taken by the owner to guard the secrecy of the information;
  • The value of the information to the owner and its competitors;
  • The amount of effort or money expended by the owner in developing the information; and
  • The ease or difficulty with which the information could be properly acquired and duplicated by others.

An owner can lose protection of the "secret" when it is disclosed to the relevant public or when the owner does not take reasonable efforts under the circumstances to maintain secrecy. The question of what are "reasonable measures under the circumstances" depends on the specific circumstances surrounding the use of the secret. Some of the actions that have been held by courts to be "reasonable measures" include the following agreements and procedures:
  • Nondisclosure agreement with employees;
  • Noncompetition agreement with employees;
  • Physical security of billings and computer system;
  • Use of passwords to restrict access, and encryption of software and data to render them unintelligible without the necessary decryption key;
  • Revealing secret information on a need-to-know basis only;
  • Employee education as to what is secret and the proper scope of use of such information;
  • Proprietary legends on all software and documents containing trade secrets;
  • Debriefing of all employees before they leave the company and reminding them of their access to corporate trade secrets and of their continued obligation not to use or disclose that information;
  • Use of a termination agreement for employees leaving the company, acknowledging that the departing employee understands the continuing duty not to disclose the secret information; and
  • Maintaining a central secure location for all confidential materials, together with a log in which the location of each copy of proprietary materials is recorded.

Protection also can be lost if a third party not under a contractual prohibition independently discovers the secret or if the secret is reproduced by reverse engineering. Litigation regarding trade secrets generally involves this question of whether reasonable measures were taken to protect a trade secret.


Joan M. Swartz practices business law in St. Louis, Missouri. She may be reached at jms@jmsllc.com.
