As a special feature of our blog –special guest postings by experts, clients, and other professionals –please enjoy this blog entry by Pamela Passman, President and CEO for the Center for Responsible Enterprise and Trade (CREATe.org)
-Robert Milligan, Editor of Trading Secrets
Regional and national laws are increasingly focusing on the specific steps that companies should take to protect trade secrets. In the 1996 World Trade Organization (WTO) Trade-Related Aspects of Intellectual Property Rights (TRIPs) Agreement, and in many countries’ laws, the definition of a trade secret includes the requirement that the owner or other controller undertake “reasonable steps” or “reasonable efforts” to protect the secrecy of its information. A “reasonable steps” requirement is also included in the draft EU Directive on the Protection of Undisclosed Know-How and Business Information (Trade Secrets) which, if adopted, would become part of the national legislation in all 28 EU member countries. New legislation proposed at the national level in the U.S. likewise has contained similar requirements.
In addition to implementing “reasonable steps” to prevent trade secret theft and misuse, taking such steps can also have crucial legal significance. Where the legal definition of trade secrets includes a “reasonable steps” or similar requirement, a court can find that a company’s information is not in fact a trade secret at all if such steps are not taken. Failing to take adequate precautions to protect such information thus can preclude a company from getting any legal redress if the worst happens and an unauthorized disclosure or use of the information does take place. Case in point: the failure of the MBL (USA) Corporation to inform employees “what, if anything, [the company] considered confidential” was one of the key failures that led the court to dismiss MBL’s case against its former employee.
What exactly are “reasonable efforts”? A new whitepaper by the Center for Responsible Enterprise And Trade (CREATe.org) offers insights into the evolving legal landscape, cases and recommendations for an effective trade secret protection plan. Here are some key takeaways:
- Make sure agreements and policies are in place – and procedures as well. Many companies rely on nondisclosure and other agreements with employees and third parties – and the courts have looked favorably on these as evidence of “reasonable steps.” However, corporate policies – and equally important, procedures to ensure policies are being followed – are also critical. Companies that adopted procedures to implement key aspects of trade secret protection often prevail in lawsuits. These include procedures such as marking sensitive documents as confidential; segregating confidential information or processes into discrete parts so no single employee or vendor has full control; and conducting exit interviews that include the return of confidential information.
- Identify, assess and manage risks. To protect trade secrets, you first need to identify, classify and assess potential risks to confidential technical and business information. Courts have reviewed whether material is included in a trade secret registry and if reasonable efforts have been made to keep the information confidential.
- Put an information protection team in place. Trade secrets – which include information that ranges from customer lists and financial data to product prototypes, source code and unique know-how – often reside in many different parts of an organization. Putting together a cross-functional team headed by someone with overall control helps to ensure that adequate protections are in place throughout the organization, and provides the foundation for effective response in the event of trade secret misappropriation.
- Extend physical and network security to address trade secret protection. New government regulations are increasingly insisting upon robust security systems for protecting trade secrets. Courts look at such measures as well. In Japan, courts determining the adequacy of secrecy measures have insisted, among other actions, that a company must “implement physical and electronic access restrictions” in order to be protected by Japan’s unfair competition rules protecting trade secrets.
It is important to note, however, that many IT and physical systems aren’t designed with protection of trade secrets or other particular intellectual property in mind. Companies need to take steps to ensure that their valuable trade secrets are identified and that security systems are designed with a specific objective to make them secure – through access control, technical measures, physical restrictions, monitoring and other actions. For example when the U.S. government attempted to prosecute a former computer programmer who had worked on the investment bank Goldman Sachs’s proprietary high-frequency trading platform, the trial court noted with approval the multiple electronic-security systems that Goldman had in place to protect such information. These included maintaining a firewall, monitoring employee use of internet sites, blocking access to certain websites, implementing pop-up banners that advised employees logging in to their computers of acceptable and prohibited uses, restricting access to firm computers, and restricting use of USB flash drives to only a few employees with administrative access.
- Engage employees and third parties. In addition to agreements, companies need to inform and educate staff and third parties such as suppliers and other business partners about what is considered confidential and their role in protecting trade secrets.
- Monitor and take corrective actions. Courts have looked favorably on companies that have approached trade secret protection in a systematic rather than an ad hoc fashion. Putting business processes in place and measuring and improving these over time offer companies a robust way to protect confidential information. In a case involving Aetna, the court looked favorably on the firm’s practice of employees signing nondisclosure agreements annually rather than just when starting. It is a good example of building employee awareness and monitoring to ensure that agreements are in place.
Courts have also examined the corrective actions that companies have taken against breaches. For example, the Pre-Paid Legal Services company found that its practice of taking corrective actions against trade secret breaches – sending cease and desist letters and entering into agreed injunctions against former employees who had misappropriated trade secrets – was helpful in winning its case against former employees and contractors who had used the company’s employee contact, performance and other confidential information to recruit other Pre-Paid staff.
Trade secrets are critical to virtually every modern company. To help mitigate the loss of proprietary and confidential information, and meet the “reasonable steps” requirement, it is vital for companies to put systems in place that embed trade secret protection in an ongoing and systematic way across an enterprise.
Pamela Passman is President and CEO of the Center for Responsible Enterprise and Trade (CREATe.org), a global nongovernmental organization helping companies prevent corruption and protect intellectual property. Prior to founding CREATe in October 2011, Passman was the Corporate Vice President and Deputy General Counsel, Global Corporate and Regulatory Affairs, Microsoft Corporation.