In previous articles, “What You Need to Know about Keeping Trade Secrets” and “Copyrights, Trade Secrets, and the Saga of the Beelzebub Cake,” I’ve touched on the critical requirement that the owner of a trade secret must take “reasonable measures” to keep that trade secret, well, secret. I have also discussed some issues to consider in developing a trade secrets program. Here, we discuss in more detail ten points to consider in developing a trade secrets program.
The ten points to consider in developing a trade secrets program are:
1. Understand When You Have a Trade Secret.
This may seem obvious, but knowing what information, if it were disclosed to a competitor, could harm your company is almost the most critical part of any program. At the outset, owners should assess their businesses to identify what information affords them competitive advantages. Then, each item of information identified needs to be assessed concerning whether it can be protected in whole or in part. For example, trade secrets rooted in the way a product functions might be extremely hard to protect if the product is commercially available and can be reverse engineered, which underscores an important point: For trade secrets owners to enforce their rights in a trade secret against a third party, that third party needs to have misappropriated the secret by unlawful means, i.e., theft via espionage or by way of breaching a legal duty to keep the sensitive information secret. It is fair game to crack a trade secret if it resides in a product that can be purchased commercially. Reverse engineering such a product to ascertain its trade secret would not, itself, be considered misappropriation.
2. Separate Trade Secrets from Non-Trade Secrets.
Once owners have identified what trade secrets their businesses have, they need to segregate the trade secrets from non-sensitive information. This may entail physically separating out trade secret materials and keeping them, on or off the premises, under lock and key. Separating out trade secrets material also may entail segregating computer files so that one needs special credentials to access them.
Whether it is safer for a company to hold such files in the cloud depends very much on whether the business has the wherewithal to create its own safeguards, but, even so, placing trade secrets in the cloud entails some potential risks. For example, cloud providers generally require access to cloud-stored information, which would seem to undermine securing trade secrets from public disclosure. As such, before they store their trade secrets in the cloud, business owners should carefully review the policies, procedures, and agreements associated with a cloud provider and find out whether the provider can take extra security measures, such as encrypting the stored information and/or requiring multi-factor authentication before information can be accessed.
The point is that storing trade secrets in the cloud can add an extra layer of risk of disclosure as the information is potentially accessible by anyone with an internet connection. Indeed, one commentator cautioned that employees of a cloud provider statistically have posed a greater risk of unauthorized access than third party hackers. Underscoring all these considerations is that parking trade secrets in the cloud does not in and of itself guarantee that a court will find that reasonable measures to protect against disclosure have been taken; it will be necessary to confirm that the cloud provider has, itself, taken reasonable measures.
3. Hard Copy Documents Containing Trade Secrets Should be Identified.
While segregating electronic files containing trade secrets is critical to a trade secrets program, it is also critical to make sure that hard-copy documents containing trade secrets are appropriately marked as being “Confidential” and segregated from other documents. Trade secrets documentation needs to be carefully managed to ensure that stray copies of documents are not accessible to unauthorized parties and that wastepaper containing trade secrets information is being held in a protected facility or destroyed. One commentator has recommended that paper waste containing trade secrets information should be discarded into a lockable bin and that the business regularly shred documents that contain sensitive information.
4. Non-Disclosure Agreements.
To the extent trade secrets need to be disclosed to third parties, the latter must be required, as a condition to disclosure, to execute non-disclosure agreements, which would, among other things, restrict further disclosure of the information to others, and control the manner and extent to which such information can be used.
5. Employment Manuals and Employment Contracts.
In addition to using non-disclosure agreements to try to ensure that third-party vendors and customers are legally precluded from inappropriately using trade secrets, business owners also need to be concerned about their employees, contractors, and even fellow owners.
For rank-and-file employees, not subject to an employment agreement, prohibitions against the disclosure of confidential information, including trade secrets, should be contained in an Employment Manual or in a separate Confidentiality Agreement that all employees must sign as a precondition to their employment.
When used, employment contracts should also contain prohibitions against the disclosure of confidential information. Often such contracts, in addition to containing confidentiality provisions, will contain non-compete and non-solicitation provisions. It should be noted that the enforceability of non-competes and non-solicitation provisions can vary from state to state, but, generally, if enforcement relates to protecting against the threatened or actual misappropriation of a trade secret, such restrictive covenants are more likely to be found valid.
6. Employees Need to be Made Aware of the Policies Surrounding Trade Secret Protection.
A trade secrets program is only as good as the people who are knowledgeable about it and take it seriously. This means that businesses need to ensure that employees working with trade secrets understand the protocols governing segregation of trade secrets materials and their access. A notification system should be in place to notify staff concerning policy changes and the business should regularly conduct educational sessions to make sure that staff understands both the import of the trade secrets in question and the procedures entailed in protecting them. The by-word here is for business owners to be proactive and not wait until an unauthorized disclosure has occurred before a program in support of trade secrets education is implemented.
7. Regulate Access to Trade Secrets.
Putting policies and procedures in place to regulate access to trade secrets is in many respects the central feature of a trade secrets program because all the legal impediments in the world will not stop a bad actor from stealing trade secrets if they are given the opportunity to do so. As such, it is important not only to lock up trade secrets or password protect them, but also to limit the number of people who have access to them and to have a system in place to keep track of who had access and when. On this point, it may be more secure to restrict access to physical documentation to only a few critical, executive personnel, while allowing broader access to electronically held information for which there is a way of tracking access. Greater security may be achieved if a separate computer network, not accessible through the general network, can also be established to ensure that only authorized persons can access trade secrets information. The point is for the business to be able, at any time, to identify who has had access to trade secrets information and to follow up with them concerning the reasons for access.
8. Limit Access to Parts of the Businesses Where Trade Secret Information is Held.
This may seem obvious, but visitors to a business should not be able to wander about the facility free from supervision. Visitors should always be accompanied by a representative of the business, and not be allowed to venture into areas of the business where sensitive information is being kept. Indeed, if possible, persons not specifically authorized to access an area of the business holding sensitive information should be physically barred from doing so.
9. Regular Audits.
It is not only important to implement a trade secrets program, but to try to assess its effectiveness. One way of doing this is by regularly auditing the program to ensure (a) that there has been an accurate accounting of what the business’s trade secrets are, (b) where the information is being stored, (c) who has had access to the information and for what purpose, (d) that disclosing trade secrets to third parties has involved securing non-disclosure agreements and that non-disclosure agreements are readily accessible and updated as circumstances change, (e) that employment manuals and other policies and procedures are updated to reflect changes in protocols, (f) that procedures are in place to make sure that employees leaving the organization are subject to restrictions concerning their potential future use of confidential information, and (g) that the business has procedures in place to combat cyber hacking, such as (i) making sure the business has updated software capable of identifying and neutralizing malware and viruses, (ii) making sure that employees are educated concerning cyber-hygiene such as employing passwords of at least 6 digits in length and regularly changing up passwords to reduce the risk of hacking, not responding to emails or downloading files from unidentified sources, etc. As previously discussed, should sensitive information be stored in the cloud, the policies and contracts governing the cloud provider’s responsibility to safeguard the cloud environment should be regularly reviewed.
10. Have Contingency Plans in Place to Address Safeguard Failures.
No matter how diligent a business may be in safeguarding and policing its trade secrets, bad things can happen, so there should be a contingency plan in place should safeguards fail. For example, if an internal audit reveals that a former employee of the business had unauthorized access to trade secret information and is now working for a competitor, the business should have the ability immediately to determine if the employee executed a confidentiality agreement and to have attorneys at the ready to initiate legal proceedings as may be required. While it is beyond the scope of this article to discuss in any detail methods of combatting cyber-security threats, it is sufficient to state that developing ways of combatting such threats and mitigating the damage caused by hacking is an area of concern obviously very much implicating the effort to protect sensitive information, including trade secrets.
One size does not fit all in this area. The level of resources that a business should invest in developing a trade secrets program is a function of many factors, such as the size and resources of the business, and whether the trade secret information in question is critical to the business, important, or not that important. Regardless, since trade secrets can comprise a valuable part of a business’s assets, their protection should not be ignored.