Eight steps to secure trade secrets
By Pamela Passman, President and CEO, Center for Responsible Enterprise And Trade (CREATe.org), Washington DC, USA, and former Corporate Vice President and Deputy General Counsel, Global Corporate and Regulatory Affairs, Microsoft Corporation
International cyberattacks with the intent to steal intellectual property (IP) continue to dominate the news, leaving many firms scrambling to shore up their computer networks to thwart such hacks.
However, the greatest threat may be already within a company. In more than 85 percent of the trade secret lawsuits in state and federal courts of the United States, the alleged misappropriator was either an employee or a business partner. That is the startling finding of A Statistical Analysis of Trade Secret Litigation in Federal Courts, which is believed to be the first statistical study on the subject.
How do you secure company trade secrets from both external threats and potential thieves already inside the company?
Increasingly, the courts are saying that firms need to take “reasonable steps” to protect confidential corporate assets, and these efforts include not only securing computer networks but also embedding trade secret protection into business operations and processes.
Determining the extent of “reasonable steps” can be challenging since governments have been vague about the term’s definition. Laws and legislation also continue to evolve. However, research into court cases reveals the key elements of an effective trade secret protection plan.
Protecting corporate crown jewels
The Statistical Analysis of Trade Secret Litigation in Federal Courts found that confidentiality agreements with employees and business partners were the most important factors when courts decided companies had taken reasonable measures to protect trade secrets. However, winning suits reveal that companies can and should take a number of additional steps to build a case for legal redress in the event that their corporate crown jewels are compromised.
The eight categories of a comprehensive protection plan include:
- creating agreements, policies, procedures and records to establish and document protection;
- establishing physical and electronic security and confidentiality measures;
- assessing risks to identify and prioritize trade secret vulnerabilities;
- establishing due diligence and ongoing third-party management procedures;
- instituting an information protection team;
- training and capacity building with employees and third parties;
- monitoring and measuring corporate efforts;
- taking corrective actions and continually improving policies and procedures.
1. Implement business procedures to augment non-disclosure agreements
As the study confirmed, confidentiality and non-disclosure agreements with employees and business partners constitute a great first line of defense and have won praise from the courts. In addition, the courts have said that a company’s overall corporate policy for maintaining confidentiality is important as evidence that it protects trade secrets.
Companies should also develop procedures to make sure corporate policies are followed, and that protections and compliance are documented. The implementation of specific procedures to support aspects of company confidentiality policies is often cited favorably in cases. Such procedures range from asking employees to return confidential information when leaving a company to marking documents as confidential, or not letting any single employee or third party have access to a full process, formula or other type of sensitive information.
Policies, procedures and records also need to be followed consistently to qualify as “reasonable steps”. For example, when the PatientPoint health information service brought a legal action to prevent a terminated employee from using competitive, sponsor and other information that he had access to during his employment, the court found that PatientPoint had not asked for a non-disclosure agreement until a year after he started working. In addition, the company did not demand that he return his laptop and confidential information until six months after he left.
2. Control physical and electronic access
Most companies know that physical and electronic security is very important for protecting intellectual property, and courts are increasingly requiring it. For example, Japanese courts have found that a company must “implement physical and electronic access restrictions” in order for information to be deemed “kept secret” and thus protected by Japan’s unfair competition rules for trade secrets.
Companies should also incorporate confidential information protection into physical and information technology (IT) security system planning, restrict system access, and regularly assess and improve their systems.
3. Identify, assess and take steps to manage risks
It is difficult to make a case supporting trade secret theft without first identifying the information deemed to be confidential. As a first step, trade secrets should be documented in an internal registry. Next, the risks that would arise if they were stolen should be assessed. Which areas are most at risk of breaches and leaks? Which departments are most vulnerable? Once identified, companies should take additional measures to secure those critical areas.
Courts have found that companies that included particular material in a trade secret registry were making “reasonable efforts” to maintain that confidentiality. In a classic case from 1991, electronics firm Texas Instruments (TI) prevailed in a case against two former researchers who had copied all of its computer directories and then left to join a competitor. In convicting the ex-employees, the court cited TI’s trade secret registry, among a long list of other “reasonable efforts” that TI had taken, as evidence that TI’s technology and software were protectable.
4. Create supply chain procedures and plans
Third parties, including those in joint ventures, suppliers, distributors and even customers, can have access to a company’s trade secrets for manufacturing, product development or other collaborations. As these partners are a potential source of misappropriation, it is vital to have processes in place to protect confidential assets.
Third-party non-disclosure agreements can be considered a reasonable protection effort, but agreements are not enough. Companies should also include trade secret protection as part of their due diligence criteria, conduct ongoing reviews of processes in place for keeping information confidential and regularly communicate with third parties about expectations around trade secret protection.
5. Conduct employee and vendor training
Training is essential for employees and third parties so both groups know what is expected of them when handling such information. Failure to take these simple steps – which can fall outside basic corporate training – has resulted in some companies not gaining the protection of the law. While several companies have won theft cases against former employees based upon their corporate training procedures, the courts found that the MBL (USA) Corporation failed to inform employees “what, if anything, [the company] considered confidential,” which was a key fact that led the court to dismiss MBL’s case against its former employee.
6. Assemble a trade secret SWAT team
Problems arise when no one within a company has overall responsibility for protecting trade secrets and other confidential information. Courts have not looked favorably on companies that have not put a person or group in charge of trade secret protection. Best practices also point to establishing a cross-functional team with representation from those who can ensure that trade secret protection policies are being followed.
When a former employee of a bookkeeping company was charged with violating trade secrets by using its client lists, the case was dismissed when it turned out the public also had access to client names. The names had been left on the company’s reception desk, on employee desks, on computers to which another company in the building had access, on computers where the passwords were left on the desk or shouted across the room, and in areas where the public and janitorial staff could see them. No one appeared responsible for protecting this information.
7. Make continual improvements
Unfortunately, trade secret protection might only be addressed at key milestones such as a new joint venture. In reality, such protections should be ongoing. Efforts to protect trade secrets should be monitored annually and procedures updated often to maintain consistency and ensure compliance.
Also, as companies grow, procedures and policies change. Trade secret protection plans should also evolve. In trade secret breach cases, the courts have examined corrective actions as criteria to determine whether the company has taken “reasonable steps” to protect its trade secrets. Additional leading practices for corrective actions and improvements include developing a rapid response plan, root-cause analyses of issues, and tracking.
8. Make trade secret protection a priority
Today, cyber threats, the digitization of information, complex supply chains and movement of employees between companies and continents put a company’s valuable trade secrets at increased risk.
To protect critical business information, companies need to boost security and, importantly, put systems in place to ensure trade secret protection. This approach helps companies both mitigate risks and meet the “reasonable steps” requirement in the event that trade secrets are compromised. Not doing so can risk a company’s revenues, reputation and competitive edge.