Trade Secret Protection: What are Reasonable Steps?

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.jdsupra.com/legalnews/trade-secret-protection-what-are-19033/

Regional and national laws are increasingly focusing on the specific steps
that companies should take to protect trade secrets. In the 1996 World
Trade Organization (WTO) Trade-Related Aspects of Intellectual Property
Rights (TRIPs) Agreement, and in many countries’ laws, the definition of a
trade secret includes the requirement that the owner or other controller
undertake “reasonable steps” or “reasonable efforts” to protect the secrecy
of its information. A “reasonable steps” requirement is also included in
the draft EU Directive on the Protection of Undisclosed Know-How and
Business Information (Trade Secrets) which, if adopted, would become part
of the national legislation in all 28 EU member countries. New legislation
proposed at the national level in the U.S. likewise has contained similar
requirements.

In addition to implementing “reasonable steps” to prevent trade secret
theft and misuse, taking such steps can also have crucial legal
significance. Where the legal definition of trade secrets includes a
“reasonable steps” or similar requirement, a court can find that a
company’s information is not in fact a trade secret at all if such steps
are not taken. Failing to take adequate precautions to protect such
information thus can preclude a company from getting any legal redress if
the worst happens and an unauthorized disclosure or use of the information
does take place. Case in point: the failure of the MBL (USA) Corporation to
inform employees “what, if anything, [the company] considered confidential”
was one of the key failures that led the court to dismiss MBL’s case
against its former employee.

What exactly are “reasonable efforts”? A new whitepaper by the Center for
Responsible Enterprise And Trade (CREATe.org) offers insights into the
evolving legal landscape, cases and recommendations for an effective trade
secret protection plan. Here are some key takeaways:

- Make sure agreements and policies are in place – and procedures as well.
Many companies rely on nondisclosure and other agreements with employees
and third parties – and the courts have looked favorably on these as
evidence of “reasonable steps.” However, corporate policies – and equally
important, procedures to ensure policies are being followed – are also
critical. Companies that adopted procedures to implement key aspects of
trade secret protection often prevail in lawsuits. These include procedures
such as marking sensitive documents as confidential; segregating
confidential information or processes into discrete parts so no single
employee or vendor has full control; and conducting exit interviews that
include the return of confidential information.
- Identify, assess and manage risks. To protect trade secrets, you first
need to identify, classify and assess potential risks to confidential
technical and business information. Courts have reviewed whether material
is included in a trade secret registry and if reasonable efforts have been
made to keep the information confidential.
- Put an information protection team in place. Trade secrets – which
include information that ranges from customer lists and financial data to
product prototypes, source code and unique know-how – often reside in many
different parts of an organization. Putting together a cross-functional
team headed by someone with overall control helps to ensure that adequate
protections are in place throughout the organization, and provides the
foundation for effective response in the event of trade secret
misappropriation.
- Extend physical and network security to address trade secret protection.
New government regulations are increasingly insisting upon robust security
systems for protecting trade secrets. Courts look at such measures as well.
In Japan, courts determining the adequacy of secrecy measures have
insisted, among other actions, that a company must “implement physical and
electronic access restrictions” in order to be protected by Japan’s unfair
competition rules protecting trade secrets.

It is important to note, however, that many IT and physical systems aren’t
designed with protection of trade secrets or other particular intellectual
property in mind. Companies need to take steps to ensure that their
valuable trade secrets are identified and that security systems are
designed with a specific objective to make them secure – through access
control, technical measures, physical restrictions, monitoring and other
actions. For example when the U.S. government attempted to prosecute a
former computer programmer who had worked on the investment bank Goldman
Sachs’s proprietary high-frequency trading platform, the trial court noted
with approval the multiple electronic-security systems that Goldman had in
place to protect such information. These included maintaining a firewall,
monitoring employee use of internet sites, blocking access to certain
websites, implementing pop-up banners that advised employees logging in to
their computers of acceptable and prohibited uses, restricting access to
firm computers, and restricting use of USB flash drives to only a few
employees with administrative access.

- Engage employees and third parties. In addition to agreements, companies
need to inform and educate staff and third parties such as suppliers and
other business partners about what is considered confidential and their
role in protecting trade secrets.
- Monitor and take corrective actions. Courts have looked favorably on
companies that have approached trade secret protection in a systematic
rather than an ad hoc fashion. Putting business processes in place and
measuring and improving these over time offer companies a robust way to
protect confidential information. In a case involving Aetna, the court
looked favorably on the firm’s practice of employees signing nondisclosure
agreements annually rather than just when starting. It is a good example of
building employee awareness and monitoring to ensure that agreements are in
place.

Courts have also examined the corrective actions that companies have taken
against breaches. For example, the Pre-Paid Legal Services company found
that its practice of taking corrective actions against trade secret
breaches – sending cease and desist letters and entering into agreed
injunctions against former employees who had misappropriated trade secrets
– was helpful in winning its case against former employees and contractors
who had used the company’s employee contact, performance and other
confidential information to recruit other Pre-Paid staff.

Trade secrets are critical to virtually every modern company. To help
mitigate the loss of proprietary and confidential information, and meet the
“reasonable steps” requirement, it is vital for companies to put systems in
place that embed trade secret protection in an ongoing and systematic way
across an enterprise.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!