If a business makes the strategic decision not to go down the path of patenting an invention (two of the major drivers for such a decision being, first, an inability of third parties to reverse engineer the technology, and second, the enormous expense of registration and enforcement), or more broadly has critical information which should not fall into the hands of a competitor, then what does that business need to do to preserve the secrecy or confidentiality in the trade secret?
In the US, the Economic Espionage Act of 1996 (18 USC Section 1831) notes that one indicium of a trade secret is that the owner has taken reasonable steps to keep such information secret.
Article 2 of the very new EU Trade Secrets Directive defines a trade secret as information that “has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.”
These reasonable steps can include technical solutions. At one end is data loss prevention software that monitors inappropriate access and use of confidential information, and notifies delegated gatekeepers in real time when this information is inappropriately sent, copied, forwarded or otherwise exposed. Data Rights Management (DRM) protocols in standard office software are also very helpful, preventing, for example, certain classes of emails from being on-forwarded, bcc’d, or printed. DRM is easy to implement, and offers inexpensive solutions to the protection of trade secrets.
Another practical solution is compartmentalisation. This involves breaking secret information into pieces, and distributing those pieces to specific individuals or operators. Each individual only has access to his or her specific information fragment, thereby minimising the risk that a complete or usable form of the information will be compromised in the event of a security lapse. The classic example of this is the Manhattan Project, the US research and development project that led to the creation of the first nuclear weapons. Aspects of the weapon were designed by teams that had no knowledge of how their parts interacted with other teams’ parts.
A more recent concern regarding the protection of trade secrets is in relation to Bring Your Own Device (BYOD) behaviours and policies. This has become common practice amongst many businesses, encouraged by the proliferation of portable devices and the urge to avoid the expense of issuing work-only devices. Under BYOD, an employee can bring his or her own laptop, smartphone, or portable storage device and use it for work instead of relying on company-owned hardware.
While BYOD policies can indeed streamline processes and lessen the burden on the firm in terms of hardware procurement and maintenance costs (as well as provide convenience to the employees), they can create a host of security issues. The devices used under BYOD are not within the complete control or protection of a company, particularly when taken outside of the work premises. This makes such devices a viable target for attacks, or simply a possible source of leakage. It also opens the firm up to a host of legal issues due to the likelihood of proprietary company trade secrets, such as customer information, being stored on employee-owned devices (an issue Hillary Clinton has been wrestling with for some time).
To minimise or remove risks, businesses should consider implementing BYOD policies that incorporate reasonable measures to protect trade secrets. Technology use policies that clearly define the protocol for the appropriate use and protection of company data by employees should include:
- Identification of trade secrets;
- Best practices and guidelines when it comes to use of external storage devices and cloud-based storage applications (especially services such as Google Drive or Dropbox, or cloud-based storage which is located outside of the jurisdiction of the business);
- Creation of consent to access, and a contractual curtailment of privacy expectations;
- Establishment of contractual rights of the employer to review and/or purge BYOD devices of data upon an employee’s departure or termination of employment. This applies equally to work-provided devices. In an Australian decision called Actrol Parts Pty Ltd v Coppi (No 3)  VSC 758 (23 December 2015), a departing employee caused his company-issued devices to undergo a factory re-set. The allegation made by the former employer was that this “breached his contract of employment, his confidentiality agreement and certain policies of the company and otherwise behaved inappropriately in causing his company-issued devices to undergo a factory re-set.” But the Court disagreed: “Quite apart from being legally entitled to re-set the devices, the evidence established that Mr Coppi did not do so for any improper reason. The devices contained private information, including photographs and messages, and also applications to which Mr Coppi privately subscribed. I accept his evidence that he saw it to be perfectly natural to re-set the devices because he had resigned, had been placed on leave with pay for the duration of his notice period and had been directed then and there to return the devices to the company. It was not his intention to remove company data, such as emails, from the devices as such data was held independently on Actrol’s server. It was not established that he removed the data to ensure that inappropriate communications with third parties, such as Totaline [a competitor who employed the departing employee], were not discovered.”;
- Prohibition of usage of personal email accounts for sending work-related emails. This was a particular issue in an Australian decision related to the one above, Actrol Parts Pty Ltd v Coppi (No 2)  VSC 694 (9 December 2015), in which the departing employee sent various documents from his work email account to his home email account. The court noted, “Although Mr Coppi could have sought Actrol’s technical assistance successfully to install the remote access program, he achieved the result of efficiently and conveniently viewing Actrol documents by the means of sending them as attachments to his home email address. All witnesses on this subject – both on Actrol’s side and on Mr Coppi’s side – deposed that this was not contrary to the contract of employment or company policy, even if it was not a management preference. Mr Coppi did not behave improperly or commit any breach of duty in relation to his employment in so doing. Actrol has failed to establish that Mr Coppi breached his contract of employment or the confidentiality agreement by sending emails and documents from his Actrol to his home email address when he worked from home. There was nothing improper in him doing so.”;
- A contractual consent to search personal devices periodically and upon departure from employment.
Employers should also consider the following policies to preserve trade secrets, with regard to mobile and portable devices used under BYOD:
- A requirement that employees protect their own devices using passcodes, and enable security features that lock the device after a period of inactivity; and
- The implementation of employer-mandated security features that allow the company to purge the device of data remotely, in the event of loss or theft.
Companies should also use the exit interview to ensure that a departing employee does not possess any trade secret or confidential information.
It is important for companies to remember that information will be treated as valid for trade secret protection by a court if it has been subject to certain degrees of protection on the company’s end. Even the perception of confidentiality is important, because then data breaches can be characterised as aberrations to otherwise systemic care and prudence.