chevron-down Created with Sketch Beta.

ARTICLE

Do Not Assume Your Usernames and Passwords Are Protected Trade Secrets

Paul Burgin

Summary

  • A growing line of cases have held that usernames and passwords do not qualify as trade secrets because they do not have independent economic value.
  • Despite the growing possibility that a court will conclude usernames and passwords are not in and of themselves trade secrets, it is still important to give its usernames and passwords the utmost protection.
  • One approach an employer may take is to include a strong confidentiality provision in their employment agreement that include usernames and passwords in the definition of “confidential information.”
Do Not Assume Your Usernames and Passwords Are Protected Trade Secrets
dusanpetkovic via Getty Images

When confronted with a potential trade secrets claim or drafting an employment agreement setting forth an employee’s duties to protect trade secrets, one of an attorney’s first considerations must be whether the information at issue is eligible for protection as a trade secret. To be considered a “trade secret” under the federal Defend Trade Secrets Act, for instance, the information must “derive[] independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information.” 18 U.S.C. § 1839(3)(B) (emphasis added).

One category of information employers often seek to protect as a trade secret is usernames and passwords. Employers should note, however, that a growing line of cases have held that usernames and passwords do not qualify as trade secrets because they do not have independent economic value. Rather, these cases have concluded that usernames and passwords are “merely the key that guard[s] the presumably valuable information. N. Star Media, LLC v. Winogradsky-Sobel, CV 11-466 PSG (CWX), 2011 WL 13220157, at *a11 (C.D. Cal. May 23, 2011). Because any value in the usernames and passwords is derived from the underlying items or information they are intended to protect, the courts have reasoned that they are mere access mechanisms with no independent value. Bellwether Community Credit Union v. Chipotle Mexican Grill, Inc., 353 F. Supp. 3d 1070, 1086-87 (D. Colo. 2018); see also Mintz v. Mktg. Cohorts, LLC, 18-CV-4159ERKSIL, 2019 WL 3337896, at *6 (E.D.N.Y. July 25, 2019) (quoting State Analysis, Inc. v. Am. Fin. Servs. Ass’n, 621 F. Supp. 2d 309, 321 (E.D. Va. 2009)) (“[B]ecause the economic value of the passwords is not independent of the websites they are used to access, ‘the passwords are not trade secrets’”).

Of course, despite the growing possibility that a court will conclude usernames and passwords are not in and of themselves trade secrets, because they remain the “key” that may safeguard trade secret information, it behooves employers to give its usernames and passwords the utmost protection. Failure to do so may result in a court determining that the information the usernames and passwords were intended to safeguard are not protectable trade secrets because insufficient measures were taken to protect the trade secret from disclosure. One way an employer may accomplish this is by including a strong confidentiality provision in their employment agreement that include usernames and passwords in the definition of “confidential information.” Such a provision will help ensure that usernames and passwords are not disseminated to those without a “need to know,” preventing both improper access to the underlying information and potential loss of their trade secret status should litigation arise.

    Author