Most states have adopted the Uniform Trade Secrets Act, which, in part, defines a “trade secret” as “information, including a formula, pattern, compilation, program, device, method, technique, or process.” Trade secrets can also include research and development efforts, marketing, sales, pricing, profitability information, and customer information. A trade secret need not be unique and can include “known” elements. Under the Uniform Trade Secrets Act, a trade secret is any information that is secret, has commercial value derived from the fact that it is secret, and is the subject of reasonable efforts to be kept secret. Information may be protected, or relief obtained for its misappropriation, if the information maintained value because it was kept secret and if reasonable steps were taken to keep it secret.
Intellectual property, which includes trade secrets, can be a valuable asset. But safeguards and methods of protection remain inadequate even with new enforcement tools through the Defend Trade Secrets Act, which became effective in May 2016. Businesses should perform risk assessments to understand and identify trade secrets, their location, who has access, and who has an interest in their possession and use.
Confidentiality agreements with employees, business partners, and vendors can be lacking by failing to thoroughly identify and properly document trade secrets (and their development); provide uniform procedures and safeguards; address temporal and geographic scopes; and receive implementation and routine, but thorough, follow-up with employees, business partners, and vendors, including training. Confidentiality agreements should be a condition of any new or continued business or employment relationship. When and where such conditions are appropriate, they should define the trade secrets, limit the use of the trade secrets, and provide for monetary and injunctive relief in the event of a breach of the agreement. Similarly, confidentiality provisions should be considered for inclusion in employment manuals. Background checks and review of prospective employees or third parties also complement the process.
Third parties who will be privy to trade secret or proprietary information, such as agents, vendors, customers, or potential customers, should be required to sign nondisclosure agreements. Employees of such third parties should be made aware of the agreements. Also consider the use of other restrictive covenants such as non-compete, non-solicitation, or no-raid agreements.
Although one school of thought has been averse to identifying trade secrets to avoid inadvertent omissions, not doing so can lead to disclaimers of knowledge and intent from persons against whom relief is sought; that employees, for example, do not know what is or is not disclosable. Further, it becomes problematic to control the population with whom trade secrets are shared. Documenting trade secrets and keeping their identification current can mitigate such risks. Inadvertent omissions, if any, need not be a problem where the documentation states that it is not exhaustive. As an alternative to specifically identifying trade secrets, a definition of “confidential information” may be used in employee agreements that is broad and that includes information that qualifies for trade secret protection and a non-exhaustive list of other types of information that qualifies as “confidential information,” with the latter in the “included but not limited to” list, such as “and all other business information of value to the Company.” In any case, any information determined to be confidential and proprietary should be further identified as such by either placing it in a separate location or stamping “confidential and proprietary” on it.
In factoring the scope of dissemination of the trade secret (the population of individuals who need to know), the business should strive to limit the level of disclosure. Should the trade secret be kept within the company—or within a discrete group in the company—or is it necessary for it to be accessible to third parties? Agreements should include as many restrictions to access as possible. Further protections—such as the trade secret owner’s control over storage media for electronically stored information, password access, remote locations, and how any licensee systems are best secured—must be addressed. Potential for incidental unauthorized access, such as through maintenance or delivery or by other staff or persons with facility access, should be considered and addressed. Although courts look at whether reasonable measures were taken to preserve confidentiality, the increasing concern for cybersecurity requires weighing access and security against business needs. By documenting efforts taken to protect the confidentiality of the trade secret, future enforcement is better promoted.
Regular meetings and training for all persons with access, including nonemployees, is essential to preserving confidentiality. Confidentiality and nondisclosure agreements with vendors and independent contractors with training and monitoring should be signed prior to, and not later than, the inception of sharing information. Monitoring employees’ computers and access activities is preventive, and it should be routinely done. Policies and procedures (as well as the identification of trade secrets) should be updated in writing on a regular basis. The goal should be to foster an understanding among employees, temporary personnel, and third parties that any confidential information they receive or create on behalf of the company belongs to the company. For all persons who should no longer have access or possession, such as upon termination of the relationship, documentation should be provided clearly stating the continuing duty to maintain the information as confidential and stating that it should not be used without authorization. At exit interviews, or otherwise at the cessation of any relationship, require the return of all confidential information, including hardware, and all information stored on office or home computers and on mobile devices, including cloud data. Confirm that personal devices are wiped and access is disabled.
Identify the persons in the company who are responsible for implementing and enforcing policies and procedures to preserve confidentiality and who may be contacted for questions.
At the time trade secrets are created, the owner should also keep records of financial costs and other valued interests in those secrets. Any increases in income or decreases in expenses resulting from costs in the creation and use of trade secrets should be recorded.
International law and foreign countries’ trade secret laws and cultures require attention. Where applicable, the foregoing factors and processes will assist in maintaining protection overseas, even if enforcement is ultimately sought in the United States.
When acquiring other companies, or their assets, it is advisable to investigate whether the seller or other transferor has followed any of the methods and preserved the protections described above, particularly in the case where trade secrets are included in the cost of the acquisition. Due diligence should include a review of how any trade secrets and their value are documented, as well as the historic and current procedures used to maintain and enforce confidentiality.
An annual or more frequent review by outside counsel can assist to correct errors, update for new developments or business changes, and ensure that all required personnel have enforceable agreements.
The Impact of Social Media on Trade Secrets
The proliferation of social media and mobile devices has led to the unintentional, as well as intentional, disclosure of trade secrets and the movement of proprietary data off the company’s network. Prevention of trade secret misappropriation requires policies and procedures that address the use of social media and mobile devices. Although marketing and sales often use social media, this practice implicates ownership and potential waiver of protection for trade secrets, such as customer lists.
Status updates, posts to Facebook friends with customers, tweets, and email blasts about a new job may or may not be considered solicitation of a former employer’s customers. Even a location check-in could disclose a trade secret or proprietary business plan or strategy. Again, trade secrets should be clearly identified in a social media policy with instruction and values to give notice of what is considered to be confidential. Such a policy should also require deletion of contacts an employee or third party has made while employed or engaged on behalf of the company. Unless employers clearly identify the type of conduct that is intended to be prohibited, they are at risk of not being able to enforce protection.
An advantage of employer-issued devices over bring your own device (BYOD) policies is that the expectation of the user’s privacy is limited. By restricting employer-issued devices to only business purposes, the commingling of business and personal communications is significantly minimized and avoids the BYOD difficulty in identifying what is proprietary to the company and what belongs to the employee. Employer-issued devices permit inspection and monitoring. Because they must be returned at the end of employment—as contrasted with BYOD, which facilitates intentional or unintentional removal of trade secrets and confidential information from company servers—employer-issued devices should be preferable.
Mobile device management (MDM) software and company buy-back policies further reduce risk. Companies should consider prohibiting cloud storage or having a corporate-owned cloud account so usage can be monitored. An MDM program can allow the company to remote-wipe devices upon termination of a relationship. Additional considerations are providing for complete data encryption, control over security settings, and intrusion-detection systems that continuously monitor network traffic.
In designing social media policies, companies should be aware of user privacy rights and state laws with regard to employer access to personal social media accounts.
Enforcing Trade Secrets after Termination of a Relationship
Does the departing person or entity possess trade secrets or proprietary information that can be taken and used? Are there customers, lists of customers, or information about goods and services that can be taken and cause harm if shared with unauthorized people? Does that person have knowledge of internal systems or programs that can be useful to others and harmful to the company?
The Defend Trade Secrets Act provides for federal claims and remedies for the misappropriation of trade secrets. Although it does not preempt state laws, its remedies include the following:
- ex parte seizures in “extraordinary circumstances” to “prevent the propagation or dissemination of the trade secret”
- monetary damages for actual loss and unjust enrichment, or a reasonable royalty in exceptional circumstances that render an injunction inequitable
- exemplary damages up to two times the monetary damages and attorney fees where the conduct was “willful and malicious”
Once the Horse Is Out of the Barn, What Are the Remedies?
Sources of recovery when trade secrets are misappropriated include seeking damages from the takers—former employees, competitors, or both. In addition to consequential damages, is there a value to the noncompetition agreement itself? Was there separate consideration assigned to that agreement in the parties’ agreement? Consider such an assignment in drafting agreements.
Damages can include lost profits, the competitor’s profits caused by acquiring the trade secrets, disgorgement, severance pay, and restitution, such as a refund of the consideration paid for the noncompetition agreement. Restitution is appropriate for the unjust enrichment that would occur if a breaching party were permitted to retain the benefit of its nonperformance. One court held that such a measure may be appropriate where consequential damages, such as lost profits, are speculative and difficult to establish.
In acquiring all or part of a company, it is diligent and prudent to take measures to determine whether you may be inadvertently acquiring any confidential data of a competitor. This includes a review of employees and former employees in the acquiring company’s employ who may have brought such information with them.