©2017. Published in Landslide, Vol. 9, No. 4, March/April 2017, by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder.
In the past year, the passage of the Defend Trade Secrets Act in the United States and the Trade Secrets Directive in the European Union, coupled with the perceived uncertainty surrounding patent procurement and enforcement, have increased the attractiveness of trade secrets as tools to protect intellectual property. Yet, at the same time, increased awareness and sensitivity to cybersecurity risks have also prompted trade secret owners and their counsel to revisit the way their most valuable intangible assets—almost all kept in digital format now—are protected from the physical and virtual threats faced on a daily basis across the globe. With this in mind, it should come as no surprise that determining the adequate amount and type of resources to dedicate to trade secret protection has become a critical focus of many companies.
That determination depends heavily on the level of risk that a company can tolerate. In assessing the risk, understanding what a trade secret is (and what it is not) is a necessary first step in determining the amount of resources a company should dedicate to trade secret protection. While the actual definition of what constitutes a trade secret may vary by jurisdiction, the term generally refers to information that derives independent economic value—actual or potential—from not being generally known to other persons or being ascertainable by proper means by other persons, and is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.1 This definition begs the question—what are “reasonable efforts” to maintain secrecy?
The answer has become somewhat of a moving target in light of new technologies for disseminating information to larger audiences and the ability to make information accessible from remote locations.2 Proof of “reasonable efforts,” however, is a frequent focal point in most trade secret misappropriation cases and one that trade secret owners are expected to address readily from the outset of the case.3 Courts have denied trade secret protection where the trade secret owner failed to take reasonable precautions to preserve secrecy.4 Failing to have written confidentiality agreements or nondisclosure agreements with key employees (or third parties), forgetting to mark information confidential or proprietary, or neglecting to remind employees that certain information is confidential could lead a court to readily grant summary judgment in favor of the alleged misappropriating party.5 Thus, implementing appropriate measures to safeguard trade secrets is not merely a good business practice to maintain a competitive edge; it is a critical requirement to prevail in a trade secret misappropriation action.
This article explores some of the steps that trade secret owners should consider to ensure their trade secrets are adequately protected in today’s market in an era of digitalization, global markets, and mobile workers.
Step 1: Enlist the Right People
Protection of trade secrets must be done in an organized, methodical fashion. Thus, having decided that protecting trade secrets is important, the company must develop a trade secret protection program. An effective program will take into account the realities of the company by formulating procedures that can be followed consistently and that anticipate—or at least attempt to—as many potential sources for threats as possible. Thus, having a team that is deeply knowledgeable about both the inner workings of all parts of the company and the marketplace in which the company operates is key to a robust trade secret protection program. The ideal team is cross-functional and includes at least representatives from the information technology, human resources, training, records management, security, technical, and legal departments. Allowing for input from different parts of the company avoids operational silos and forces employees to share information and work across departmental lines. Moreover, because any confidential information that provides a company with a competitive edge can qualify for protection, trade secrets do, in fact, touch all parts of the company.
This team has a number of duties that include, among other things, crafting and continually updating trade secret protection policies, assisting in keeping an inventory of trade secrets, controlling the use of confidentiality/nondisclosure agreements, training employees on protecting confidential information, and monitoring steps taken to maintain secrecy of the company’s confidential information. In addition, the team has a security function, i.e., the team will become the first line of response in the event of a breach. Because of the light speed at which information is being generated and communicated today, a fast and accurate response to a breach is crucial to minimize the harm to the company. By having a core team familiar with the company’s policy and relevant procedures for trade secret protection, the trade secret owner enhances the chances that the team can quickly jump into action to protect the company in the event a problem arises.
Step 2: Setting the Tone—A Strong Corporate Policy
Establishing a strong corporate policy on trade secrets is another important step in ensuring that a company’s trade secrets are protected. The policy essentially fulfills three general goals. First, it sets forth the general rules, guidelines, principles, and philosophies of the company surrounding trade secret protection. Second, the policy informs employees of the existence of procedures to protect the company’s trade secrets. Finally, the policy informs employees of the affirmative obligation to protect the company’s trade secrets and of the consequences the employee may face if the procedures are not observed. Thus, a strong corporate policy demonstrates both a company’s commitment to protect its trade secrets and the employees’ role in fulfilling that goal.
The existence of a corporate policy on trade secrets also has importance outside the company. Courts have found that failure to have a corporate policy weighs against finding that the measures adopted to keep the confidential information secret were reasonable. For example, in Delcath Systems, Inc. v. Foltz, the court characterized the plaintiff’s efforts to attempt to protect its confidential information as “scant,” in part because the trade secret owner “did not produce any evidence that it had promulgated any company policies or standards regarding trade secrets or confidentiality of company information.”6 In contrast, in Agilent Technologies, Inc. v. Kirkland, the court found that two former employees had misappropriated Agilent’s trade secrets to get a head start in forming a competing company.7 In finding that the plaintiff had protectable trade secrets, the court highlighted the company’s “Standards of Business Conduct,” which provided that “[e]veryday information . . . whether specially labeled or not” could only be used for business purposes, as evidence of the “reasonable measures” undertaken to protect its trade secrets.8 As these cases show, a well-written policy can provide affirmative evidence of a company’s commitment in protecting its trade secrets.
Step 3: Getting into the Woods—Comprehensive Procedures
With the policy in place, employees should receive sufficient guidance on the standards the company has decided to adopt to handle confidential and proprietary information, including trade secrets. These procedures drill down the details necessary to carry out the vision set forth in the policy. Most importantly, having detailed procedures in place increases a company’s chances of persuading a court that it has taken the necessary steps to keep its trade secrets protected.
Know What Needs to Be Protected
As a preliminary matter, understanding what information needs to be secured and where it resides is a key step in developing comprehensive procedures for a robust trade secret protection strategy. After all, without understanding what is owned, it is difficult to determine, and if necessary communicate to a court, what may have been stolen. Although a wide array of noncommercial business information deserves protection under trade secret law, not all confidential information rises to the level of a trade secret.9 The key is for the company to inventory its potential sources of valuable proprietary information and identify the information that provides economic value due to its secrecy, i.e., the information that would hurt the company’s business if competitors had it. From a litigation perspective, courts have denied motions for summary judgment where the trade secret owner has failed to articulate what constitutes the trade secret specifically.10 Thus, knowing what you have is not only an important step for ensuring adequate trade secret protection; it also could be a determinative factor in litigation.
Tools for Protection
Once the information is inventoried, a company should categorize the information and, depending on its value to the business, determine the appropriate security measures needed to protect it. The right “mix” of procedures and the extent to which they are implemented are highly dependent on the specific circumstances, including size of the company, novelty of the technology at issue, sophistication of the company, and importance of the trade secret to the company’s overall business strategy. Examples of appropriate security measures for digital and electronically stored trade secrets are provided below.
Clearly Designate Confidential Information
Communicating the confidentiality of the trade secret can be the first line of protection in a robust program. Companies should therefore label any trade secrets in a manner that communicates their sensitivity using legends like “confidential” and “highly confidential” as appropriate. Moreover, labeling information as confidential could persuade a court that the company believed the information was valuable and that it took appropriate steps to safeguard the information.11
Labeling also serves a notice function. Specifically, it provides notice to employees of what information can or cannot be disclosed to persons outside the company or even within the company. In keeping with this notice function, companies should make sure that all documents, physical or electronic, containing proprietary information are clearly and visibly labeled with the appropriate level of confidentiality. For electronic documents, the labeling may be accomplished through the use of watermarks, confidentiality headers or footers, and confidentiality designations in the file name that can only be modified with permission.
Business relationships with employees and third parties involving trade secrets create potential avenues for the unauthorized disclosure of trade secrets. The motivation behind the disclosure may range from the inadvertent to the calculated. Confidentiality agreements or nondisclosure agreements, therefore, are important tools used to preserve the status of trade secrets.
Confidentiality Agreements with Employees. Because employees create and work with trade secret information on a daily basis, they play a pivotal role in ensuring this information stays protected. As such, companies should require employees to sign confidentiality or nondisclosure agreements as part of their employment agreement. Indeed, one study found that such an agreement is the most important security measure a company could use to protect its trade secrets.12 Confidentiality/nondisclosure agreements should, at a minimum, include an explicit acknowledgment that the employee—by virtue of employment—has access to proprietary information, including trade secrets; that the employer retains all rights over that information; and that the employee will commit to keep the information confidential and to limit its use for the benefit of the company. The confidentiality/nondisclosure agreement should also include a clause acknowledging that any intellectual property developed by the employee during the course of employment is owned by the company and subject to the same confidentiality and protection provisions. A confidentiality/nondisclosure agreement also puts employees on notice that they may face legal consequences if they fail to uphold the agreement. Although damages are limited, a company could pursue a breach of contract claim if an employee breaches a confidentiality/nondisclosure agreement.
Courts have recognized the appropriate use of confidentiality agreements as an important factor in determining if the company was reasonable in protecting its trade secrets. In PatientPoint Network Solutions, LLC v. Contextmedia, Inc., for example, the court denied a temporary injunction against a former employee because the plaintiff failed to show that it kept the purported information “confidential.”13 In so finding, the court noted that the company had not required the employee to sign confidentiality or noncompete agreements until over a year after the employee had joined the company. The court also found that the company’s acceptance of the employee’s revisions to his exit agreement, removing a nondisclosure and noncompete provision, suggested that the information was not valuable to the company, a fact weighing against the company’s likelihood to establish it owned a protected trade secret.14 Interestingly, the court made this finding despite suspicious forensic evidence showing that the former employee had saved information alleged to be a trade secret in multiple flash drives and that the employee had downloaded and accessed that information several times after leaving the company.15 This case thus highlights the importance of requiring executed confidentiality/nondisclosure agreements from all employees.
Confidentiality Agreements with Third Parties. Disclosing a trade secret to a third party who is under no obligation to keep that information secret results in a loss of the company’s intellectual property protection. Therefore, companies must ensure that third parties agree to protect the company’s trade secrets and proprietary information by entering into confidentiality/nondisclosure agreements. A third-party confidentiality/nondisclosure agreement includes many of the same considerations provided above for employee confidentiality agreements. In addition, a third-party confidentiality/nondisclosure agreement should specifically identify the information that is actually going to be disclosed. A provision requiring the third party to seek clarification from the company before disclosure should also be included in the nondisclosure agreement. Third-party confidentiality agreements should also include a provision specifying that the confidential information remains the company’s property during and after the end of the relationship. This is important so that the parties are aware, at the end of the business relationship, who has rights to the confidential information. Similarly, the agreement should also include a provision detailing the return of all paper documents and electronic data at the end of the relationship to ensure the company’s trade secrets remain protected. Finally, a third-party confidentiality/nondisclosure agreement should contain provisions related to payment of attorneys’ fees and choice of law in the event of breach. Having at least these provisions in writing ensures that the parties are in agreement as to their rights and obligations under the contract.
Protections for Electronic Information
Because we now live and work in a digital world, companies now create, exchange, and store information using a vast array of digital and electronic media, such as e-mails, voice recordings, laptop computers, thumb drives, smartphones, etc. The Internet, computers, social media, voicemail, and e-mails have now become common (and essential) tools for business. As such, today’s trade secret procedures must provide standards for managing electronically generated and stored information. Special considerations for protecting electronic information include at least the following measures:
- Restrict Access: Control access to locations where proprietary information is stored, and keep records of any attempt to access sensitive locations without authorization. Logs that record access and activities on servers on which trade secrets exist should be retained indefinitely.
- Protect Mobile Devices: Control who has access to company-owned devices that can access or carry sensitive information. Install software that allows the devices to be wiped clean remotely in the event they are lost or stolen. Require that employees report loss or theft of any devices as soon as possible.
- Limit Copies: Limit the ability to download, copy, or print sensitive information to only certain preapproved employees.
- Strong Passwords: Require strong passwords for the use of various devices that can access the company’s sensitive information, including laptops, faxes, copiers, scanners, iPads, and mobile phones. Require frequent update of those passwords.
- Restrict Use of External Memory Devices: Restriction of the ability and use of external memory devices should also be considered.16
- No Social Media: Explicitly prohibit sharing any proprietary information through social media.
- Use of Personal Devices: If the company allows the use of personal devices for accessing proprietary information, employees must agree to abide by the same or comparable policies on the use and protection of company-owned information.17
- Limit E-mail Attachments: Limit the ability to e-mail attachments to nonbusiness e-mail addresses or external addresses.
Effective procedures, such as the ones identified above, for protecting electronically stored information send strong visible signals to employees that the company is serious about protecting its assets, and also substantiates the company’s claim that it took reasonable measures to protect its trade secrets. In KLA-Tencor Corp. v. Murphy, for example, the court found that the trade secret owner’s measures were reasonable where it restricted access to the company’s computer networks; restricted access to each individual’s computer or laptop; limited access to technical and business information on a need-to-know basis; trained employees on restrictions on usage of confidential information; and maintained a security team that routinely monitored the security of its networks and electronic communications to detect dissemination of company materials and information.18 There is no one-size-fits-all plan for determining the appropriate security measures to put in place. It is important to keep in mind that the “right plan” for the company must be tailored to balance the ability of employees to efficiently perform their duties with providing the layers of protection adequate to safeguard the company’s trade secrets.
Ensuring Employees Are on Board
Because employee mobility has increased substantially in recent years, companies must not only take steps to protect their own proprietary information, they must also ensure their incoming employees do not bring in improperly obtained information that puts the company at risk of misappropriation allegations. Thus, in addition to advising a new employee of the existence of the company’s trade secret policy and related procedures and having him or her sign a confidentiality/nondisclosure agreement, the company should inquire as to whether the new employee retained any physical or electronic confidential documents upon leaving his or her former employment and whether a confidentiality agreement with the previous employer exists. If anything was retained, the company should make the new employee aware that confidential information is not to be brought to the company or used in any way in relationship to the company. If needed, the company should also advise the new employee that it may need to contact the former employer to clarify confidentiality obligations.
Similarly, the company must adopt and consistently follow a standard set of procedures when an employee leaves the company. At a minimum, these procedures should include the return of company-owned devices and documents; deactivation of user-specific accounts; revocation of access privileges by the former employee; removal of the former employee’s name from e-mail group lists, distribution lists, and the company website; and inspection of the former employee’s computer to ensure only company-authorized software remains installed and no signs of misuse are present.19 Of course, all procedures must be undertaken in a manner that follows the company’s document retention and management policies to avoid spoliation allegations, should the company find itself in litigation.
Ultimately, the days where employees spent their working lifetime with the same company are long gone. Today’s businesses, particularly those in the science and technology fields, encounter frequent employee turnover. The recruitment of a new employee and the departure of another create avenues to acquiring and potentially losing highly sensitive information, including trade secrets. Standard procedures that are applied consistently to handle new and departing employees are essential to limit the company’s exposure to litigation over trade secret misappropriation.
A Plan for Detecting and Responding to Threats
Because trade secrets may be misappropriated while in the company’s possession, it is important to proactively monitor the marketplace to detect any theft or breach as soon as possible. The goal, in the event of a potential breach or misappropriation, is to avoid disclosure of the secret or, at a minimum, contain as soon as possible its dissemination to limit the damage to the trade secret owner.
Any trade secret program should require regular monitoring of the Internet to detect whether unauthorized information has been made public. It is also important to develop robust policies for monitoring a competitor’s activities. Sudden price changes and new product or feature introductions in unusually short development times may be signs of leakage of trade secrets.20
When a potential problem is detected, the trade secret owner’s response must be swift and robust. Plans for responding to breaches or threats should identify key responders and clear communications protocols. Having this information readily available when a breach occurs is vital because critical evidence can be overwritten, altered, or deleted with every passing minute. Reasonable response actions must include taking the necessary steps to avoid further dissemination of the information, while exploring legal avenues for relief. Technically, the company’s security and information technology teams must be enlisted to help locate the source of the breach, recover the information, and secure any additional copies of the information within the company. An established relationship with a forensic data investigator that can take the necessary steps to preserve any evidence of the misappropriation can also be helpful to manage any potential problems. Depending on the case, knowing who to contact in law enforcement is also key for a fast response.
On the legal side, companies should consider having an ongoing relationship with outside counsel that is aware of its trade secret practices and risks faced by the company to enhance the speed and accuracy of the legal response, should the need arise. To assist outside counsel, the company should have a system in place to quickly marshal all the necessary documentation, such as confidentiality/nondisclosure agreements and corporate policies. These documents will help counsel develop potential legal claims the company could assert, including breach of contract, trade secret misappropriation under the Defend Trade Secrets Act or state common law, ex parte seizure under the Defend Trade Secrets Act, breach of fiduciary duty, and unjust enrichment. If the company’s potential threats tend to occur in specific locations outside of the United States, identifying local counsel that can assist quickly can also be helpful.
In this increasingly fast-paced communications world, having passive procedures for protection is not enough. Even when all the steps of the procedures are followed closely, the potential for an intentional or inadvertent exposure of a company’s trade secrets exists. Trade secret owners must take proactive steps by developing a plan that can minimize the harm to the company in short notice and bolster the company’s case should the need for legal relief arise.
New communication and information transferring technologies make it possible for a company to more easily communicate and transfer large amounts of data to carry out its business in the modern age with very few geographic or physical restrictions. With this freedom, the company’s crown jewels can no longer be kept safe by building a strong physical fortress. To respond adequately, trade secret owners must call upon the work of cross-functional teams to design multitiered procedures and strategies that are efficient and effective to respond to today’s threats.
1. Unif. Trade Secrets Act (UTSA) § 1(4) (1985) (adopted in some form by all U.S. states except Massachusetts and New York); Learning Curve Toys, Inc. v. PlayWood Toys, Inc., 342 F.3d 714, 724 (7th Cir. 2003) (noting that the size of the company may impact the court’s determination of whether the security measures are “reasonable” in concluding that a jury’s finding that an oral confidentiality agreement with a third-party vendor constituted reasonable measures to protect the company’s trade secret).
2. PQ Labs, Inc. v. Yang Qi, No. 12-0450, 2014 WL 4954161 (N.D. Cal. Sept. 30, 2014); PatientPoint Network Solutions, LLC v. Contextmedia, Inc., No. 1:14-cv-226, 2014 U.S. Dist. LEXIS 37443 (S.D. Ohio Mar. 21, 2014); Hertz v. Luzenac Grp., 576 F.3d 1103, 1113 (10th Cir. 2009) (“[T]here always are more security precautions that can be taken. Just because there is something else that [the defendant] could have done does not mean that their efforts were unreasonable under the circumstances.”).
3. See, e.g., Rockwell Graphic Sys., Inc. v. DEV Indus., Inc., 925 F.2d 174, 179 (7th Cir. 1991) (“The greater the precautions that [the plaintiff] took to maintain the secrecy of the [information], the lower the probability that [the defendant] obtained [the information] properly and the higher the probability that it obtained [the information] through a wrongful act . . . .”); PatientPoint, 2014 U.S. Dist. LEXIS 37443, at *9; Dicks v. Jensen, 768 A.2d 1279, 1284 (Vt. 2001) (“It would be anomalous for the courts to prohibit the use of information that the rightful owner did not undertake to protect.”).
4. See, e.g., nClosures Inc. v. Block & Co., Inc., 770 F.3d 598, 602 (7th Cir. 2014); R.C. Olmstead, Inc., v. CU Interface, LLC, 606 F.3d 262, 276 (6th Cir. 2010) (affirming lower court decision granting summary judgment against trade secret owner because, in part, it admitted that its agreement with a third party receiving the user interface claimed to be a trade secret did not contain any confidentiality provisions preventing others from viewing the interface); Nationwide Mut. Ins. Co. v. Mortensen, 606 F.3d 22, 29 (2d Cir. 2010).
5. Fail-Safe, LLC v. A.O. Smith Corp., 674 F.3d 889, 894 (7th Cir. 2012).
6. No. FSTCV064009802S, 2007 Conn. Super. LEXIS 101, at *4–5, *16 (Jan. 12, 2007) (denying injunction because the plaintiff failed to establish that there was any misappropriation).
7. No. 3512-cv-VCS, 2010 WL 610725, at *2 (Del. Ch. Feb. 18, 2010) (unpublished).
8. Id. at *3.
9. Trade secrets can include all types of information but generally fall into the following categories: (1) technical information (product-related information, research and development information, manufacturing-related information); and (2) business information (pricing, income, market research, customer lists). See, e.g., Sys. Dev. Servs., Inc. v. Haarmann, 907 N.E.2d 63, 75 (Ill. App. Ct. 2009) (holding that client lists did not deserve protection as a trade secret because the “customer information [was] readily available to competitors through normal competitive means”); Hayes-Albion v. Kuberski, 364 N.W.2d 609, 614–15 (Mich. 1984) (distinguishing confidential information from trade secret information).
10. KLA-Tencor Corp. v. Murphy, 717 F. Supp. 2d 895, 899 (N.D. Cal. 2010).
11. See, e.g., Fox Sports Net N., LLC v. Minn. Twins P’ship, 319 F.3d 329, 336 (8th Cir. 2003) (denying trade secret status to agreements that were not marked confidential).
12. David S. Almeling et al., A Statistical Analysis of Trade Secret Litigation in Federal Courts, 45 Gonz. L. Rev. 291 (2009); see also David S. Almeling et al., A Statistical Analysis of Trade Secret Litigation in Federal Courts, 46 Gonz. L. Rev. 57 (2010).
13. No. 1:14-cv-226, 2014 U.S. Dist. LEXIS 37443, at *27 (S.D. Ohio Mar. 21, 2014).
14. Id. at *23–24.
15. Id. at *9–11.
16. See, e.g., United States v. Hanjuan Jin, 833 F. Supp. 2d 977, 1000 (N.D. Ill. 2012), aff’d, 733 F.3d 718 (7th Cir. 2013) (listing computer security measures that the trade secret owner failed to take, including “disabl[ing] all USB ports, selectively enabl[ing] the USB ports with third party software, or monitor[ing] USB traffic with software”).
17. See Bring Your Own Device, White House: Digital Gov’t (Aug. 23, 2012), https://www.whitehouse.gov/digitalgov/bring-your-own-device#sample2.
18. 717 F. Supp. 2d 895, 899 (N.D. Cal. 2010).
19. Complaint, Atl. Marine Constr. Co. v. McGrath, No. 2:15-cv-508 (E.D. Va. Nov. 24, 2015), ECF No. 1 (alleging trade secret misappropriation after a former employee used a software tool he had installed on a company-owned laptop before leaving the company to remotely access his former employer’s network post-termination to download various trade secrets).
20. Fleetwood Packaging v. Hein, No. 1:14-cv-09670, 2015 WL 6164957, at *5 (N.D. Ill. Oct. 20, 2015) (relying on forensic reports of the defendant’s computer to show that the defendant had connected various external devices to extract the allegedly misappropriated trade secrets).