Information that gives a company a competitive advantage can be protected as a trade secret. Trade secrets can include: a) ideas for new products or marketing approaches; b) business information such as marketing plans, cost and price information, and customer lists; c) “negative know-how,” information learned during research and development about what does not work or does not work well; and d) lists of customers ranked by the profitability of their business.
Transforming information into trade secrets
To protect a trade secret, you do not register it with the government. Simply labeling information as a “trade secret” is insufficient to make it so. You must take “reasonable precautions” to preserve the confidential nature of trade secrets because courts are increasingly determining that a trade secret is a protectable corporate asset. These efforts include securing computer networks and integrating trade secret protection into business operations and processes.
“Reasonable steps” to maintain trade secret confidentiality include but are not limited to: a) creating agreements, policies, procedures, and records to establish and document protection; b) assessing risks to identify and prioritize trade secret vulnerabilities; c) establishing physical and electronic security and confidentiality measures; d) instituting an information protection team; e) establishing due diligence and ongoing management procedures; f) training employees; g) taking corrective action when necessary; and h) monitoring and evaluating the activities of a company.
Non-disclosure agreements (NDAs) may be used as one strategy and effective means of protecting trade secrets. NDAs have been upheld by courts as among the effective ways of maintaining the confidentiality of a trade secret.
The lifespan of trade secret protection can be indefinite, as there is no formal statute of limitations. However, once a trade secret is disclosed to the public, trade secret protection is no longer applicable.
Creating agreements, policies, procedures, and records to establish and document protection
Employee and business partner confidentiality and non-disclosure agreements are an excellent first line of defense. Additionally, businesses should implement procedures to ensure that company rules are adhered to and that protections and compliance are documented. Such practices include requiring departing employees to return confidential information, labeling papers as confidential, and denying access to a complete process, formula, or other sensitive information to any single employee or third party. In order for these rules, procedures, and records to qualify as “reasonable steps,” they must be adhered to consistently.
Establishing trade secret physical and cyber security measures
Courts continually require businesses to maintain physical and technological security for the protection of intellectual property. In addition to controlling system access and incorporating private information protection into physical and information technology (IT) security system planning, businesses should continuously evaluate and enhance their systems.
Steps taken by companies to physically protect their trade secret information include a) having a “visitor” protocol; b) maintaining video surveillance on sensitive security areas; c) employing employee ID badges with controlled access; d) locking restricted areas; e) maintaining after-hours security monitoring; f) maintaining logs of facility access; g) keeping an inventory record of all IP documents; h) disposing of sensitive information properly; i) briefing and de-briefing employees after overseas travel; j) labeling sensitive papers with watermarks and tracking information; k) establishing a system for reporting suspicious conduct; l) implementing an employee termination strategy; and m) banning the use of recording or photographing devices in locations containing sensitive information.
Steps taken by companies to protect their trade secret information through cyber security measures include a) maintaining computer event logs (dates/times of log in/out, files/networks accessed); b) routinely changing passwords; c) quarantining e-mails sent to a large number of employees or company executives; d) ensuring traveling employees are provided with laptops that have been wiped clean; e) tracking and limiting all data downloads from company computers; f) requiring multi-factor authentication for computer access; g) limiting remote access to the company’s computer network; h) limiting access to unauthorized social media accounts or websites; i) making sure that anti-malware and anti-virus software is up-to-date; j) implementing a reporting system for suspicious e-mail; k) marking electronic files with digital fingerprints or watermarks; l) having a plan for responding to cyber-attacks and intrusion attempts; and m) identifying computer network trap doors.
Identifying and managing trade secret misappropriation risks
It is difficult to bring a case for trade secret theft without first identifying the proprietary knowledge. Trade secrets should be documented in an internal register as a first step. Next, a risk assessment should be conducted to consider the possibility that they are stolen. Which locations are most susceptible to breaches and leaks? Which divisions are most susceptible? Once these are recognized, businesses should take special precautions to protect these vital places.
Competitors actively recruit employees to disclose company trade secrets, and employees use company trade secrets to start ventures that compete with their current or former employer. Both of these activities constitute trade secret misappropriation involving company employees.
Employees involved in misappropriation of company trade secrets often exhibit indicative behaviors, including: a) they are disgruntled; b) they have poor performance ratings; c) they exhibit an “above the rules” attitude; d) they routinely go to executives and bypass their supervisor; e) they maintain unjustified work patterns (nights, weekends); f) they incur numerous security infractions; g) they use copiers, scanners or faxes excessively; h) they chronically express being under-recognized at work; i) they have unexplained affluence; j) they have increased e-mail and USB storage/transfers; k) they purge or wipe systems prior to termination; l) they post sensitive information on social media; m) they speak out against company leadership or the company on social media; n) they conduct unexplained network or company database searches; o) they attempt to remotely access company IT assets after being laid off or terminated; and p) they send encrypted e-mails to private or personal accounts.
Third parties, including suppliers, joint venture partners, customers, and distributors can have access to a company’s trade secrets for production, product development, and other partnerships. As these partners represent a possible source of misappropriation, it is essential to implement safeguards to secure sensitive assets.
Establishing due diligence and ongoing management procedures
Non-disclosure agreements with other parties are a reasonable protection measure, but they are not sufficient. Businesses should also incorporate trade secret safeguards as part of their due diligence considerations, undertake continuing evaluations of the mechanisms in place for maintaining the confidentiality of information, and communicate routinely with third parties about their trade secret protection expectations.
Forming an information protection team
When no one in an organization has overall responsibility for protecting trade secrets and other confidential information, problems develop. At a minimum, a point of contact for trade secrets must be identified. This individual must be committed to safeguarding the confidentiality of company-internal information. Best practices also call for the formation of a cross-functional team comprised of individuals who can guarantee that trade secret protection regulations are adhered to.
Companies should have a plan for addressing trade secret information breaches that a) defines steps to be executed in the event of IP theft or an intrusion; b) identifies the information that has been stolen; c) determines what portion of the network must be shut down, or sequestered; d) records all security related activity; e) documents who identified the intrusion or theft; f) determines when the theft took place and whether or not it continues; and g) establishes a termination procedure for employees.
Conduct employee and vendor training
Training is required for both employees and third parties so that both groups are aware of what is expected of them while managing sensitive information. Failure to take these easy steps, which go beyond ordinary corporate training, has deprived some businesses of legal protection. The training plan should at a minimum a) specify the frequency of training; b) describe the topics or material to be taught; c) identify the delivery method; d) determine whether in-house or outsourced training is used; and e) link completion to employee access.
Make continual improvements
Unfortunately, trade secret protection may only be handled at critical junctures, such as the formation of a joint venture. In reality, such safeguards should be permanent. Monitoring efforts to preserve trade secrets should occur annually, and methods should be modified often to guarantee consistency and compliance. Also, when businesses expand, procedures and policies evolve. Plans for protecting trade secrets should also evolve.