Trade secrets and other confidential business information enjoy significant legal protections under US law. Every state has legal safeguards for trade secret information. Nearly every state has adopted a form of the Uniform Trade Secrets Act (New York being the sole holdout that continues to rely on the common law). In 2016, the federal government enacted the Defend Trade Secrets Act (DTSA), which creates a uniform, federal cause of action for trade secret misappropriation.
Under the DTSA, a trade secret is defined broadly:
"All forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialised physically, electronically, graphically, photographically, or in writing if –
(A) the owner thereof has taken reasonable measures to keep such information secret; and
(B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information."
|
|
Employees who feel less tied to a company’s corporate mission are more likely to feel empowered to use confidential information for an improper purpose. |
|
|
Notably, there are very few formal requirements for protection of information as a trade secret, as compared to other intellectual property protections. For example, unlike with patent protection, the owner of a trade secret need not register the information with the government and the information does not need to be novel, unique, reduced to practice or non-obvious.
What a trade secret must be, however, is secret. Any secret information that "derives independent economic value … from being not generally known" can qualify.
Trade secrets have proven a particularly effective form of IP protection in some industries because of the inherent flexibility of the law. For example, trade secrets have taken a particular importance in the biotechnology industry in recent years because the scope of scientific information that qualifies for trade secret protection is broader than that which qualifies for patent protection. Most notably, naturally occurring phenomena, like gene sequences, the reaction of a particular reagent in the presence of a disease or other useful naturally occurring phenomena, can be protected as trade secrets in appropriate circumstances, even if such phenomena would not qualify for patent protection (see Association for Molecular Pathology v Myriad Genetics, 2013). For example, in Cedars Sinai Medical Center v Quest Diagnostic (2018), the US District Court for the Central District of California ruled that diagnostic testing technology and related confidential business information about the diagnostic could be protected as trade secrets, even while also suggesting that the diagnostic testing technology may not be patentable.
How to qualify
In order to qualify for trade secret protection, the owner of the trade secret must demonstrate that it took "reasonable measures to keep such information secret." That definition is flexible by design and does not lend itself to categorical rules, but certain guidelines emerge in the case law. For example, some courts have ruled that a mere "industry understanding" that information should be kept confidential will probably not be considered sufficient if the trade secret owner took no other steps to ensure confidentiality (Dryco v ABM Industries, 2009).
Confidentiality agreements are considered the bedrock of any well-managed trade secret protection policy. Companies should require nondisclosure agreements for any employee or third party who is given access to proprietary information. The presence or absence of a confidentiality agreement is often the most important factor in determining whether the owner of the trade secret took "reasonable measures" to protect the confidentiality of the information (First Financial Bank v Bauknecht, 2014). However, the presence of a confidentiality agreement alone is not sufficient to prove the trade secret owner took "reasonable measures" to protect the trade secret (Bison Advisors v Kessler, 2016; "the law is clear that the mere existence of a confidentiality agreement is insufficient to establish that the covered information is a trade secret.")
Other measures, like ensuring that key employees are subject to non-compete agreements (in states that allow such agreements) can be part of a well-developed trade secret protection programme. Of course, traditional measures like restricting access to confidential information to employees with a business reason to know about the information, physically securing the information on site and protecting the information from publication are also considered "traditional" measures that any company should take to protect its trade secrets.
Case law on trade secrets and remote working
The sudden shift to remote working as a result of COVID-19 is decidedly unprecedented in human history, but remote working arrangements have been a part of corporate life for decades. As a result, some court precedent exists in the US to help companies guide their protection of trade secrets as they transition to remote work.
In Computer Associates v Quest Software (2004), the Northern District of Illinois ruled that a company took reasonable measures to protect trade secrets even though it had a remote work policy. In that case, the defendant claimed the plaintiff did not take "reasonable measures" under the circumstances to protect its alleged trade secrets because, among other things, the plaintiff permitted its workforce to work from home.
|
|
Depending on the information, the trade secret owner might consider making the access czar a high-level executive in the company. |
|
|
The Northern District of Illinois ruled that the work-from-home policy showed that the plaintiff's procedures "could have been stronger," but nevertheless ruled that the plaintiff had demonstrated it took sufficiently "reasonable measures" to protect the secrecy of its information. The court relied on the fact that (1) the employees were subject to confidentiality policies set out in employee manuals; (2) employees were reminded of their confidentiality obligations on leaving the company; (3) access to the plaintiff's main facility was limited by the use of key cards; (4) the alleged trade secret was never made available to the plaintiff's customers or the general public; and (5) the defendant was aware of the confidentiality measures and understood they were intended to protect the secrecy of the information. The court therefore overruled the defendant's argument and entered an injunction against its further use of the information.
In another interesting case, the District of Kansas overruled a trade secret defendant's argument that his work-from-home arrangement and his employers' permission to use his personal email account meant that the employer failed to use reasonable measures to protect the secrecy of the information (API Americas v Miller, 2019). In that case, the defendant argued that his employer had permitted him to work from home and that he sent "information, documents, and trade secrets to and from his personal email account 'frequently'; and that [his employer] knew about this arrangement and permitted it." The defendant argued this arrangement showed that the employer failed to take reasonable measures to protect the trade secrets, but the District of Kansas overruled that argument because the defendant had a confidentiality agreement and a non-compete agreement with his employer.
Challenges in protection
Even before remote working took over our lives, the threat of trade secret misappropriation took various forms. Departing employees are a frequent source of claims of trade secret misappropriation. Another common fact pattern involves a failed business partnership or a vendor relationship. In each of these instances, the owner shares trade secret or confidential business information with its employee, business partner or vendor, usually for a legitimate business purpose. Then, the once-trusted employee, partner or vendor misuses the information to promote his own interests, leading to a litigation. While rarer, other cases involve claims of "true" corporate espionage, such as taking photographs of a manufacturing plant from a surveillance aeroplane (E I du Pont deNemours v Christopher, 1970).
The work-from-home era has abruptly amplified some of those old threats and introduced new ones.
Employee isolation can lead to dissatisfaction and lower morale. Employees who feel less tied to a company's corporate mission are more likely to feel empowered to use confidential information for an improper purpose. Managers may find it more difficult to engage with their teams and monitor employee behaviour. This situation results in an increased risk of misappropriation by a disaffected employee.
Confidential information may now be easier to access and less restricted. Businesses are finding that the old ways of restricting the use of certain information may no longer work when their entire workforce is remote. As just one example, the common practice of keeping a single physical copy of a customer list or other confidential information under lock and key with a "sign out" system is no longer feasible. While there may be technological means to achieve a functionally equivalent result, those methods are more complicated to implement.
Photographing a screen has been a common method of unauthorised and generally untraceable copying of sensitive information. In a conference room, such behaviour would be obvious, but the same cannot be said for a video chat or a teleconference.
Roommates, spouses and children are suddenly a part of our work life. Anyone who has participated in a video conference in 2020 is suddenly well-acquainted with their colleagues' cohabitants. Even a robust trade secret protection programme designed before the transition to remote working may not account for the possible inadvertent sharing of information with curious cohabitants.
Remote working also necessarily means that artifacts of work life start to make their way out of the employer's systems. For example, personal computers or email addresses used to access company information may store copies of that information by default. Printed copies of employer information can also linger in employees' homes as a result of their remote work.
Updating policies
Some of the challenges of protecting trade secrets and confidential information are new, and some existing challenges are magnified in the era of widespread working from home. However, trade secret law is intentionally adaptable, and updating a trade secret protection policy to account for the new work-from-home reality can strengthen a trade secret owners' position in the event it has to file a claim. One silver lining of the transition to remote working is that in-house counsel tasked with managing a company's IP can use the transition as an opportunity to update and strengthen existing trade secret protection policies. The following are a few steps that may be appropriate to implement now:
Review relevant confidentiality agreements. Any employee, vendor or potential business partner who has access to confidential information should be subject to a nondisclosure agreement. Those agreements should be stored in appropriate personnel files and with the legal department's contract management system. Many states also permit employers to use noncompetition agreements with key employees to protect confidential business information. Employee confidentiality obligations should also be outlined in offer letters and employee handbooks.
Implement new remote work agreements. Remote work agreements spell out an employer's expectations for remote employees. Well-crafted remote work agreements will include a host of human resources issues beyond the scope of this article, but with respect to trade secret protection, a remote work agreement will reiterate the employee's confidentiality obligations, set expectations with respect to home working environments, reiterate the importance of safeguarding information from curious cohabitants, and reiterate acceptable network-use policies.
Double down on training. Confidential information policies are only as good as the employees who implement them. Implement a regular schedule of trainings on the business importance of maintaining confidentiality. Training can tend to reduce the number of incidents of trade secret misappropriation. In the event of misappropriation, frequent trainings are good evidence of a trade secret owner's "reasonable measures" to protect the information.
Leverage IT resources. Some IT departments are scrambling to catch up with hundreds or thousands of employees who are remotely logging into systems simultaneously for the first time. IP professionals should ensure that proper protections are being maintained in the scramble to keep workers productive. Most basically, remote access should only be permitted through secure VPN with dual factor authentication. For particularly sensitive information, employers can implement individualised watermarking, access logging and other electronic security features.
Appoint an access czar. It can be difficult to create a one-size-fits-all policy for access to confidential information. Instead of trying to think through every possible outcome in advance, a company can appoint an executive to make case-by-case decisions for access. Depending on the information, the trade secret owner might consider making the access czar a high-level executive in the company.
Do not skip exit interviews. Well-managed programmes for protection of confidential information already include employee exit programmes. Those may include exit interviews of employees in which the employer sits with an employee and documents the return of all company property (physical and intellectual). In the remote work world, it is no longer possible to sit with a departing employee on their last day. But this process, including the documentation that the employer asked for the return of all company property, is an important step in ensuring that information does not leave the company and to support a later claim of misappropriation (if necessary).
Update (or create) guidelines for vendors and partners. Not all companies will go to the trouble to ensure that their systems are safe. Trade secret owners often must share secret information with third parties like vendors or business partners. Not only should that information be subject to appropriate confidentiality agreements, but the trade secret owner should also consider requiring the vendor take certain specific measures (like the ones outlined here) as a condition of receipt of the information.
Document your efforts. Trade secret protections are reliant on filing lawsuits against infringers. When the time comes to show that a company took "reasonable measures" under the circumstances, trade secret owners will want to have strong evidence of the steps they took. Policies should be written down, employee confidentiality trainings should include written materials, employee access logs should be preserved, and decisions about remote access to confidential information by individual employees should be noted (with reasoning).
