Protecting trade secrets: how organizations can meet the challenge of taking “reasonable steps”

By John Hull, Queen Mary Intellectual Property Research Institute, London, United Kingdom

Trade secrets are widely used by businesses across the economy to protect their know-how and other commercially valuable information and thereby promote competitiveness and innovation. Amid their growing use and commercial value, what practical steps can businesses take to protect their trade secrets?

A report by Forrester Consulting published in 2010 entitled The value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk, suggested that “…enterprises in highly knowledge-intensive industries like manufacturing, information services, professional, scientific and technical services and transportation accrue between 70% and 80% of their information portfolio from trade secrets.” The significance of trade secrets is also borne out in other studies, including the European Commission’s Study on trade secrets and confidential business information in the internal market (see parts 4.1 and 4.2). These studies suggest that businesses, irrespective of size, consider secrecy to be as, if not more, important than patents and other forms of intellectual property (IP).

Small and medium-sized enterprises (SMEs), in particular, are more likely to rely on trade secrets to protect their innovations for a variety of reasons. In a nutshell, trade secrets have no subject matter limitations; they require no time consuming or expensive procedures; they ensure a seamless relationship between practical and legal protections and they are an immediate complement to contracts and security measures.

Moreover, many of the most commercially valuable trade secrets do not relate to patentable subject matter. The most highly valued trade secrets tend to reside in information about commercial bids and contracts, customer or supplier lists and financial information and planning.

Policymakers seek to enhance trade secret protection

Given the commercial value of trade secrets – and their vulnerability to threat, particularly by insiders – their misappropriation is of growing concern in many countries. For example, trade secret litigation in courts in the United States has increased significantly in recent years, where perceived threats to confidential information have led to the adoption of the Economic Espionage Act in 1996, and more recently to the Defend Trade Secrets Act (2016), which introduces a federal dimension to related state laws.

The picture is similar in other countries. A European Commission Study on trade secrets and confidential business information in the internal market, published ahead of the EU Trade Secrets Directive (EU 2016/943), highlighted the concerns of businesses faced with misappropriation from external and internal sources. The study revealed that in the preceding 10 years, 20 percent of businesses surveyed had experienced at least one attempted misappropriation of confidential information, and nearly 40 percent of them perceived that the threat of such misappropriation had increased.

In light of their importance to firms across the economy, how can policymakers increase trade secret protection? The EU has responded by making it easier to obtain remedies against infringers, the assumption being that, secure in the knowledge that processes exist to preserve and protect commercially valuable information, businesses will be more disposed to engage in cross border deals within the EU.

One important and practical issue that emerges from the definition of a trade secret in the EU Directive relates to the “reasonable steps” that a business must take to protect its information.

Under the EU Directive (Article 2 (1)), and in line with the definition of the Agreement on Trade Related Aspects of Intellectual Property Rights (TRIPS), a trade secret:

“(i) must not….be generally known among or readily accessible to persons…that normally deal with the kind of information in question;

(ii) must have commercial value because it is secret; and

(iii) must be subject to reasonable steps under the circumstances to keep it secret.”

Accordingly, information may be secret because it is inaccessible, but may not fulfill the definition’s requirements because the holder has not taken “reasonable steps” to protect it. In practical terms, then, what steps can companies take to meet the “reasonable steps” requirement?

The test set out in the EU Directive is a proportionate one, insofar as it refers to steps “…under the circumstances…”. This suggests that a large pharmaceutical company is expected to take more robust protective steps than, say, a medium-sized business. Moreover, what may be considered reasonable in one country may not be viewed in the same way in another country – particularly if the issue is tested in court.

The value of trade secrets to businesses, large and small, and operating in all sectors, is clear. However, unlike other IP rights, trade secrets lose their value if revealed to competitors or made public.

The “reasonable steps” referred to in the EU Directive are plainly aimed at countering the threat to trade secrets, whether from internal or external sources. While the following practical steps will likely satisfy the Directive’s requirements, businesses operating outside the European context can also benefit from adopting such protective measures to better safeguard their most valuable assets.

Practical steps to counter internal and external threats

Identification

Trade secrets differ from other IP rights. In contrast to a portfolio of registered or unregistered rights – for example, a catalogue of published works – a trade secret portfolio is, as described by Mark Halligan and Richard Weyand in Trade Secret Asset Management (2006), “an intangible and inchoate cloud of information stored on paper, computer drives and in the minds of employees.”

Defining what constitutes a secret may be difficult but is critical if a court is asked to grant an injunction to stop an infringer from misusing the information it safeguards. A defendant is entitled to know precisely what he or she cannot use, and the court will expect the claimant to define what it claims to own and to have protected.

Blockchain technology may offer one possible solution to the problem of categorizing and defining secrets. Uploading evidence to a secure storage site can provide a time seal and proof of storage.

Protected information technology systems

The cyber threat to computer systems (malware, ransomware, etc.) is well documented. Organizations must have security measures – encryption, password controls, virus protection – in place and the steps taken need to align with the level of perceived risk to and value of the information concerned.

Physical controls

Most organizations have access controls in place. Again, the level of security applicable to visitors and to employees will depend on the risk to the organization. A recent news report in the UK’s Sunday Telegraph suggested that some UK businesses are planning to “microchip their employees” (by inserting a biometric chip under the skin) to create automatic access controls and thereby protect sensitive areas of the business. Whether such an extreme measure is proportionate to the business risk is a matter for debate.

Documentary security

Much confidential information is recorded and transferred within an organization and beyond in documentary form. Marking hard or soft copy documents as “confidential” is an elementary but important step which companies should not ignore. It demonstrates that the company has drawn attention to the need to conceal the information concerned.

An enforcement policy

To resort to enforcing rights against someone who has misappropriated or disclosed trade secrets suggests that reasonable efforts have failed. This is not entirely justified. There is always the risk of misuse or disclosure by a determined or malicious infringer despite the best efforts of the rights owner.

Having an enforcement policy in place and using it successfully are two different things, since litigation has cost and risk implications. However, by pursuing infringers, the organization sends a message that it will take action to preserve and protect its valuable rights.

Steps to mitigate internal threats to trade secrets

Much empirical evidence confirms that the main threat to business secrets is internal. For example, a 2010 survey of European employees by Iron Mountain disclosed that 66 percent of respondents had taken, or would take, information they had helped to create. Customer data is the most popular type of information targeted for removal. Seventy-two percent of them believed the information would help in a new job. However, employers must bear some responsibility for this picture. Only 57 percent of employers surveyed said that information was clearly identified as confidential and 34 percent of them admitted they were not aware of company data protection policies.

Steps that organizations can take to mitigate internal threat

Contract of employment

Having a written contract of employment with provisions to protect trade secrets is an essential protective measure. A standard contract will suffice for many employees, but those responsible for creating confidential subject matter, or with access to sensitive information, will need more specific contractual clauses that reflect the potential threat they pose to the business.

Some legal systems (including the UK) permit the introduction of provisions, or restrictive covenants, which restrict an ex-employee’s ability to work in the same field of business, geographical area or for specific competitors for a period of time. Such restrictions insulate the ex-employer from the inevitable risk of any misuse of their secrets by an employee that leaves an organization to set up their own business or to work for a competitor. Use of restrictive covenants will reflect local restrictions on their use, the level of risk to the organization and the risk and cost of enforcement. 

Confidentiality policies

Businesses often have separate policies for the creation and ownership of IP (including the observance and use of IP rights belonging to others) and confidentiality. A general policy on confidentiality is a sound business practice that demonstrates that the company has made its employees aware of the importance of compliance.

Employment procedures

Effective communication with anyone engaged in an organization’s work is as important as contractual clauses and policies. For example, an employer can use an induction interview to familiarize new employees with business procedures. Training on the importance of confidentiality is crucial. A record of employee participation in such programs also ensures they cannot later claim to be unaware of the company’s approach to confidentiality. In a similar vein, an exit interview is an opportunity for the employer to remind the outgoing employee of their obligation to respect the confidentiality of any information to which they may have had access during the period of their employment. The overall intention of such procedures is to create a culture of confidentiality in the workplace to remind employees of the value the business attaches to its assets.

Surveillance of employee activities

Evidence shows that employees intent on removing their employer’s confidential information (unwisely) do so by downloading soft copies to a portable device or by emailing it to a personal email address. Employers are entitled, within the scope of national data protection laws, to monitor their employees’ use of workplace electronic systems. Data Loss Prevention software is an increasingly popular monitoring tool. It detects unusual data flows or access to information and can identify a potential data breach at an early stage, thereby making it possible to confront the offending employee with evidence of their infringing action before they leave.

Steps to mitigate external threats to trade secrets

Contracts

Most contracts with third parties contain confidentiality provisions, which all too often contain “standard boilerplate” language. These clauses deserve closer consideration and need to be aligned with the risk posed by the third party’s access to business secrets.

Non-disclosure agreements – the most ubiquitous of commercial agreements – also need to be carefully drafted in line with the perceived risk of disclosing the information they cover.

Due diligence

Trade secrets are a uniquely fragile asset. Once disclosed (or made “accessible”) their value disappears or falls dramatically. That is why a thorough background check on the trustworthiness and reliability of a prospective commercial partner and the level of risk it poses to the organization is so important. Moreover, such steps will likely be considered “reasonable” within the framework of the EU Trade Secrets Directive.

The value of trade secrets to businesses, large and small, and operating in all sectors, is clear. However, unlike other IP rights, trade secrets lose their value if revealed to competitors or made public. The “reasonable steps” required under the TRIPS Agreement and now of the EU Trade Secrets Directive should not be viewed simply as legal hurdles to jump. By implementing the steps outlined above, businesses can satisfy the test and, perhaps more importantly, they can better protect some of their most valuable assets.