This post first appeared on Risk Management Magazine. Read the original article.
A company’s trade secrets are often among its most valuable intellectual property. As a result, companies will often go to great lengths to legally protect their trade secrets.
For example, in the autonomous vehicle market, Uber, Tesla and WeRide have all been engaged in high-profile trade secret litigation in the past few years. Apple and Qualcomm recently agreed to settle their years-long legal dispute that included allegations that Apple gave trade secrets about Qualcomm’s chips to Intel. Qualcomm will reportedly receive at least $4.5 billion from Apple as part of the settlement, which also resulted in a sizeable increase in Qualcomm’s stock value and Intel’s exit from the 5G chip market.
High-profile legal battles aside, trade secret theft is a persistent problem. The Commission on the Theft of American Intellectual Property estimated that every year trade secret theft results in losses of over $300 billion and may prevent up to 2.1 million American jobs from being created.
The Reality of Trade Secret Protection
A recent Bloomberg survey provided a snapshot of how companies of varying sizes allocate responsibility for trade secret theft protection, measures they currently have in place and their perception of the risk. It also shed light on current attitudes toward the importance of trade secret investigations and identified opportunities for improvement. Read more about trade secret protection from the June issue of Risk Management.
Despite their impact on the American economy, trade secrets are not memorialized with an official document from the government like other types of intellectual property such as patents, copyrights and trademarks. Rather, trade secrets are defined by what information a company chooses to protect. For this reason, taking reasonable steps to maintain the secrecy of information is critical to protecting trade secrets.
The U.S. Defend Trade Secrets Act defines a “trade secret” as: “all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or however stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if—(a) the owner thereof has taken reasonable measures to keep such information secret; and (b) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information.”
State law adoptions of the Uniform Trade Secrets Act have similar definitions. Thus, information does not qualify as a trade secret subject to protection under the law unless its owner takes “reasonable measures to keep such information secret.” Without appropriate, reasonable measures to maintain the secrecy of its information, a company may have confidential information, but it does not have “trade secrets” subject to enforcement through litigation.
The best time to evaluate the sufficiency of measures to protect trade secrets is before the need for litigation arises, since by that point, the trade secrets in question have already been lost. An evaluation of trade secret protections should consider several key areas:
Employee and Third-Party Relationships
Employees are the single biggest risk for misappropriation of trade secrets. Although this is sometimes due to a bad actor who intentionally takes trade secrets from their employer, there are many ways in which trade secret information can be lost due to the action of employees who have good motivations, or even no motivations at all. For example, a key employee may leave one company and go to work for another. Even if he takes no tangible information with him and tells the new employer nothing about his old employer, he still knows that information and may use it when developing competing products. Another employee may prioritize efficiency or output, believing that those goals are of greater importance to the company, at the expense of protecting trade secret confidentiality. Exacerbating these concerns is the fact that employees often do not understand what information the company considers to be a trade secret.
Evaluation of the “reasonable measures” taken to protect trade secret information from employee-based threats should include:
- Employee agreements. Every employee who may have any access to trade secret information should sign non-disclosure agreements. Non-competition agreements should be considered where appropriate and where the law enforces them.
- Employee hiring/termination. Onboarding for new employees should include a discussion of expectations of confidentiality and initial training on what information the company considers to be a trade secret or confidential. Exit procedures should include a reiteration of confidentiality expectations. For key employees, exit procedures should include an evaluation of the new employer and, if appropriate, an analysis of whether the employee engaged in suspicious behavior prior to leaving.
- Employee training. Employees should be trained on the company’s expectations and procedures for confidentiality not only when hired, but also periodically throughout their employment. This should include training on what information constitutes a trade secret or confidential information.
- Access to information. Companies should evaluate who needs access to trade secret information and limit access only to those individuals.
- Company culture. Consider whether the company culture generally fosters respect for confidential information—both information belonging to the company and information belonging to its competitors.
Companies should also consider all third parties with access to their trade secret information, including vendors, customers, contractors and temporary employees. Generally speaking, anyone who does not have a critical need to know a company’s trade secrets should not be given access to them. There may be times, however, when it is necessary to allow access for business purposes. In those situations, access should be no broader than absolutely required, and anyone who is provided access should sign a non-disclosure agreement.
Electronic and Physical Security
Electronic security is complex and requires its own expert technicians who can monitor what information is leaving the system and scan for suspicious activity. In addition, there are a number of basic considerations that companies should include when evaluating electronic security. If employees are permitted to access company information on mobile devices or from home computers, additional safeguards are necessary, including encryption, password protection with a short lock-out window and remote wiping capability. Companies should also require employees to have strong passwords and change them frequently, and train employees not only on how to spot phishing schemes and other scams, but why electronic security measures—and compliance with them—are critical.
Companies also need to consider who can physically access their facilities and specific locations within them. For some companies, physical security rivals that of Fort Knox, while for others, security begins and ends with whether the doors are locked. Perhaps more than any other aspect of protection, the reasonableness of a company’s physical security measures depends heavily on the size of the company. At a minimum, someone should not be able to walk in off the street and access a company’s trade secret information. Yet, surprisingly often, that is possible. Doors are left unlocked, security systems are not turned on, and employees are too polite to question visitors roaming the halls.
Companies should consider where their trade secret information physically lives, whether in a filing cabinet, on a server, on a factory floor, on a whiteboard in a conference room, on a flash drive or in a laboratory. Are the factory doors left open to allow a breeze? Is the laboratory open to anyone who has access to the building? Is the next great idea on a whiteboard visible through a ground-floor window? Are copies of confidential documents in the dumpster outside? The key is to figure out how someone can physically access confidential information and take steps to prevent it.
For companies with operations outside the United States, different laws and, in turn, different strategies may apply. A number of countries have trade secret laws similar to those in the United States, including the European Union, Taiwan and South Korea, but many other countries have very different frameworks for protection and enforcement.
For example, India does not have statutory trade secret protections, making the issue an entirely judicial undertaking. Such protection focuses on the relationship between the parties, making contractual agreements more critical for protection of trade secrets there. In fact, due to its “outdated and insufficient trade secrets legal framework,” India remains on the Office of the United States Trade Representative’s (USTR) “Priority Watch List” as outlined in the 2019 edition of its Special 301 Report. The annual report identifies trading partners that do not adequately or effectively protect and enforce intellectual property rights or otherwise deny market access to U.S. innovators and creators that rely on protection of their IP rights.
In China, the legal framework for protection of trade secrets has advanced considerably in recent decades, and the country now has statutory protection of trade secrets. Enforcement remains a practical difficulty, however, making effective prevention of misappropriation—always the key goal—even more critical. As a result, the USTR still considers Chinese protection of trade secrets “inadequate” and the country remains on the Priority Watch List. Other countries on this list include Algeria, Argentina, Chile, Indonesia, Kuwait, Russia, Saudi Arabia, Ukraine and Venezuela (see sidebar).
In general, companies should consult with counsel regarding the laws of any country in which they have operations (or in which they disclose trade secrets) to consider how the local laws and practices impact their trade secret protection measures.
Protecting trade secrets is not one-size-fits-all. The cornerstone is “reasonable measures.” Each company needs to evaluate the reasonableness of its measures to protect trade secret information given its particular situation—what is reasonable for an international Fortune 100 company is not going to be reasonable for a family-owned company with 25 employees. Therefore, all companies can benefit from conducting an analysis of their trade secret protections and consulting with IP counsel to evaluate the sufficiency of these protections before the need for litigation arises.