While a business can protect its copyrights, patents, trademarks and tradenames by registration or a filing with the appropriate governmental agency, the protection of a trade secret is entirely up to the company that has developed it. Unless a business is vigorous in maintaining the confidentiality of its trade secrets, both the legal protections given trade secrets by statute and the practical advantages that the sensitive information gives the business will be lost.
A trade secret can be a formula, a process, a unique way of conducting a business, a carefully culled customer list or other confidential material that potentially could damage a business should it fall into the hands of a competitor. Put another way, a trade secret is information, processes, or practices that provide the business with a competitive advantage, are generally unknown outside of the employer’s business, and required the time, talent, and effort of the employer to develop.
Protection of a trade secret requires that procedures be instituted and systematically utilized to prevent the unauthorized disclosure of information. The courts generally require that a business take reasonable steps to keep a trade secret confidential before granting protection to the owner. As discussed below, reasonable steps include confidentiality or nor-disclosure agreements in employment contracts and employee handbooks, limitations on access to critical information, theft prevention strategies, restrictions on placement of company information on personal devices or cloud storage, exit interviews with employees, recovery of confidential information, and post-employment agreements restricting use of the sensitive information.
State and Federal Laws Protecting Trade Secrets
Trade secrets are protected under both state and federal laws. While there is some disparity in definitions and practices, all laws provide a level of protection to businesses by prohibiting the theft of valuable confidential and proprietary information. The primary trade secrets protection statutes include:
1. The Uniform Trade Secrets Act which has been enacted in most states. Its purpose is to maintain a standard of commercial ethics while encouraging creative activities of businesses. It also provides for a civil cause of action for misappropriation of a trade secret and authorizes a court to issue injunctive relief.
2. The Federal Economic Espionage Act that makes it a crime to steal trade secrets from an employer. Additionally, the Attorney General is authorized to seek injunctive relief to protect employers whose trade secrets have been stolen.
3. The Federal Computer Fraud and Abuse Act which specifies both criminal and civil remedies for both the theft of trade secrets and the malicious destruction of computer information and systems.
Informing Employees of Non-Disclosure Requirements
From the outset, it is important for a business’s employees to understand their obligation to protect sensitive company information. To the extent that the company utilizes employment contracts with its employees, the agreement should include restrictive covenants expressly prohibiting the unauthorized disclosure of confidential information to any third party. Further, as part of the hiring process, new employees should be expressly informed of restrictions on the use of company information and a separate document should be signed in which they acknowledge this requirement. Additionally, the employee’s handbook must include a section prohibiting such disclosures and also permit the company to access and evaluate all computer hard drives and other company-assigned electronic information storage devices without violating the privacy rights of employees. The company should also issue periodic reminders to employees that they must not disclose information they acquire during the course of employment.
Limitations on Access to Sensitive Information
Famously, the Coca-Cola Company keeps the formula for its best known product locked in a vault that only two key employees (who may not travel together on the same airplane) have access to; and no-one else is permitted access to the vault without the specific approval of the Board of Directors. While this might seem extreme, it has successfully kept the company’s most valuable trade secret confidential for nearly 125 years.
Limitations on access to sensitive information are a crucial element of an effective plan protecting a trade secret. Obviously, the more people that know the secret the less likely it is to remain confidential. Only those with a need to know should be allowed access to the information. If an employee needs access to only a portion of the confidential information, then that is all he or she should be given.
Theft Prevention Strategies
To the extent practical, physical barriers should be imposed that prevent both wrongful and inadvertent access to the information—whether this is a locked desk or filing cabinet, a secure vault or a room with limited access. If the information is stored on a computer system, the data should be encrypted and access to it limited. For example, access to a company’s financial information system should be limited to those that need access to that information in order to perform their jobs. If an off-site data storage facility is used either as a back-up for a computer system or for archival purposes, access to the facility and data must be similarly limited. The company should also consider maintaining detailed logs identifying the individual accessing the information and when it was accessed.
As a matter of course, when an employee who had access to confidential or proprietary information leaves the company, all access rights to the company’s computer systems and facilities must be immediately terminated. Further, all company provided computers and other devices such as smart phones and tablets, should be secured by the company and stored. For portable devices, they should be powered down and the batteries removed.
If the business provides computers and other devices to its employees, it should prohibit installation of non-company approved programs. Further, only an IT systems administrator should be allowed to modify or add to the programming. The company as a matter of policy should prohibit the inclusion of confidential information on portable devices unless password protected and encrypted.
Detecting a theft is often difficult until it becomes apparent that a competitor is using the company’s confidential information. One of the most effective means of detecting misuse of confidential information prior to its distribution to competitors is audits of employees. Such audits can be either random or volumetric audits of employees that have access to confidential or proprietary information. As the name implies, in a random audit the subject is chosen randomly. A volumetric audit selects individuals when their level of activity with respect to particular types of information exceeds organizational norms.
A “red flag” that might alert a business to possible misuse of information is the exit interview. For example, if in an exit interview a departing employee covered by a restrictive covenant, reveals that either he or she is going to work for a competitor or, even more telling, refuses to disclose the identity of the new employer, suspicions are not unwarranted.
If the company has a reasonable basis for suspecting wrongdoing by a former employee, a forensic computer expert should be immediately retained to copy and evaluate data on a hard drive or other device provided by the company to the employee. The expert may be able to recover files and emails that have been deleted and the employee’s internet activity. It may also be possible to determine if any external device was connected to the computer and information transferred to the device. Similarly, cell phones are a ready source of information for the forensic expert in that they usually have a memory chip (SIM card) that contain a large amount of data.
Post-Employment Agreements and Notices
A well-crafted post-employment agreement will usually contain prohibitions on the use of confidential or proprietary information in perpetuity. Additionally, they may restrict solicitation of the company’s current employees or customers and under limited circumstances, may limit the right to open a competing business within a specified time-period and geographic area. With respect to non-compete agreements, the law varies from state to state and the business would be well advised to consult with a qualified attorney before inclusion of such a provision in a post-employment agreement.
Taking reasonable steps to protect a company’s trade secrets is not an easy task. Consequently, a well thought out plan implemented by management is essential. It must be consistently and regularly monitored both to prevent the misuse and illegal dissemination of confidential information and to demonstrate to a court that the company has employed reasonable means to maintain the confidentiality of the information.
W. Gary Kurtz, J.D. is the founder of the Law Offices of W. Gary Kurtz located in Westlake Village, California. Mr. Kurtz, in addition to being an attorney, is licensed as a California real estate broker and as a property and casualty insurance broker-agent. The focus of the firm’s practice is business law, business litigation, real estate law, intellectual property, entertainment law and insurance law. Other articles discussing various aspects of these areas of law are posted at www.wgarykurtzlaw.com. He can be reached at (805) 449-8765 or at firstname.lastname@example.org.