A company performed a routine review of a former sales employee’s laptop months after his departure. Through that process, the company realized that the laptop contained a folder into which the former employee had placed copies of company records, including a file that contained a company secret worth millions. Further investigation revealed that the employee had dragged that folder onto a thumb drive weeks before departing the company. So why did a sales employee have access to that information? How was he allowed to copy files onto his desktop and then a portable storage device? What can a company do about it?
Unlike patents, trademarks and copyrights, no independent, third-party process exists for registering and protecting trade secrets. Also unlike patents, trademarks and copyrights, trade secret protection is largely provided by state, not federal, law (other than some federal criminal laws). Indeed, the only mechanism that exists to validate a claimed trade secret is litigation. At that point, the company faces the prospect of a court-sanctioned disclosure of a trade secret to the public if a court determines that the company failed to protect the information before litigation. So how does a company protect itself from such an outcome?
First, consider the cost of not protecting trade secrets. A 2014 report co-authored by PriceWaterhouseCoopers and the Center for Responsible Enterprise and Trade estimated that, regardless of the metric used to gauge loss, billions of dollars are lost annually due to trade secret theft. In light of such figures, owners of trade secrets do well to avoid two common mistakes: (1) over-designating information as trade secrets; or (2) not identifying and protecting valuable information that should be protected. Either approach carries risk. The risk associated with not identifying/protecting is obvious. Over-designating can weaken an attempt to protect information that legitimately constitutes trade secrets and should be protected. In one situation, a company asserted that a departed employee’s entire list of Outlook contacts constituted the company’s proprietary information and sued for recovery of that information. Yet, the content of the contacts included personal friends, family members, colleagues, etc. That kind of overreach weakened efforts to protect other information that could have been protected.
So what can and should be protected? Put another way, what is a trade secret? Forty-seven states (along with the District of Columbia, Puerto Rico and the U.S. Virgin Islands) have adopted a version of the Uniform Trade Secrets Act (“UTSA”), which defines a “trade secret” as “information, including a formula, pattern, compilation, program, device, method, technique, or process, that: (i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.” While that lengthy definition seems straightforward, nuances emerge when it is applied to specific information. When the question “is this information a trade secret?” is posed, the answer is the ever-frustrating “it depends.”
So where does that leave a company? The prudent approach is to have ongoing, comprehensive policies and procedures to identify and guard trade secrets. Think of it as an insurance policy in the event a court is asked to determine whether the company took “reasonable” efforts to protect the information. But that requires a willingness to implement “reasonable” measures and the right leadership (or corporate culture). Easier said than done, but stay tuned for some ideas on how to do that . . .