In February, less than a week after the New York Times revealed the existence of a massive industrial espionage unit operated by the Chinese military outside Shanghai known as the “Comment Crew,” the Obama administration outlined a new diplomatic strategy for combating the theft of U.S. trade secrets. The extent of the Comment Crew’s operations and the administration’s redoubled diplomatic efforts highlight the economic importance of trade secrets, which are often companies’ most valuable—and vulnerable—form of intellectual property. Indeed, the administration’s report recounts that in just six incidents of Chinese trade secret theft from U.S. companies alone, the total losses exceeded $550 million.
Given the volumes of data now kept in digital storage and the value of companies’ proprietary information, a trade secret thief can easily cause millions of dollars in losses in just a few minutes time. For instance, Yu Xiang Dong, a 10-year Ford Motor Company product engineer, copied 4,000 Ford documents onto an external hard drive before his last day with the company in 2007 and brought them with him to his new job at the Bejing Automotive Company, a Chinese competitor of Ford. Ford valued this loss at $50 million.
Yet, while Chinese industrial espionage may draw headlines, the biggest threats to trade secrets are often home-grown.
Unlike patents, trademarks, and copyrights (which are registered under federal law), trade secrets are generally creatures of state law, and enjoy protection only as long as their owners take reasonable steps to ensure their secrecy. This means that a trade secret will lose its protection if it is made available to company employees without sufficient security restrictions or if it is disclosed to the outside world, whether deliberately or through inattention. Trade secret protection can also be lost through legitimate reverse engineering by competitors.
At the same time, companies have moved the bulk of their information to digital formats, which can be accessed, copied, and transmitted with ease. Thus it is more likely than ever that a company someday will have to go to court to protect its trade secrets against a hacker, an industrial spy, or a departing employee who brings a thumb drive to work on his last day. Whether the company will prevail will turn on its ability to demonstrate the steps it took to protect the trade secret in the first place.
What is a Trade Secret?
A law professor (who works for our firm) once defined what can be protected as a trade secret as: “Virtually anything, so long as it is a secret.” His pithy definition provides a good starting point for understanding the basics of trade secret law, as well as the steps necessary to protect trade secrets against misappropriation.
While the definition of what qualifies as a trade secret varies from state to state, the most widely-accepted definition comes from the Uniform Trade Secrets Act (“UTSA”), which has been adopted by forty-seven states, including North Carolina. (Massachusetts, New York, and Texas have not adopted the UTSA, but instead rely on court decisions to protect trade secrets. According to the UTSA, a trade secret is information that (i) is not generally known or ascertainable outside the owner’s organization, (ii) derives independent economic value (whether actual or potential) from its confidential nature, and (iii) is the subject of reasonable efforts to maintain its confidentiality and secrecy. Unlike patents and copyrights, which eventually expire, trade secret protection can be maintained indefinitely. Perhaps the most famous American trade secret, the Coca-Cola formula, is well into its second century of protection.
Almost any information can derive independent economic value from being kept secret. Thus, one of the principal advantages of trade secret protection is that it can extend to information that otherwise does not qualify for protection under patent or copyright law. Examples of trade secrets include formulas, manufacturing processes, customer lists, recipes, pricing information, and even discount structures. The UTSA recognizes the broad scope of trade secret protection and provides that trade secrets can include “a formula, pattern, program, device, compilation, method, technique, or process,” so long as it provides a commercial advantage by virtue of being kept secret. The advantage need not necessarily be substantial, either. It is enough if the owner has the “opportunity” to obtain an advantage from the secrecy of the information.
Customer lists are a prime example of the benefits of the broad protection that trade secret law provides. A company’s “book of business,” which embodies its customer contacts, and knowledge of its customers’ needs, and understanding of the market, is often one its most valuable assets. However, such information is neither novel nor an invention, and thus cannot be patented. Likewise, only works of authorship—not information itself—can be copyrighted. Thus, a company’s primary protection against the theft of it customer list is trade secret law.
The key to trade secret protection is secrecy. While a customer list may be very valuable, that value would quickly evaporate if the list were disclosed to competitors. Accordingly, whether information qualifies as a trade secret turns on the efforts its owner takes to keep it secret.
The UTSA requires that, in order for proprietary information to qualify as a trade secret, the owner must undertake efforts that are “reasonable under the circumstances” to maintain its secrecy. The precautions that are “reasonable under the circumstances,” however, are often more extensive than companies first imagine. They include marking documents as “secret” or “confidential,” keeping the information under lock and key, sharing the information on only a “need-to-know” basis, encrypting data files, and requiring employees working with the information sign written confidentiality agreements. By contrast, keeping the company’s customer contacts on a shared network drive that is open to all employees simply will not do. Trade secrets require ongoing maintenance to ensure their protection: as long as reasonable precautions are taken, trade secret protection can be maintained, but if the owner lets its guard down the information can slip into the public domain.
Best Practices for Protecting Trade Secrets
The administration’s strategy outlines a series of widely-accepted best practices for maintaining and protecting trade secrets, which coincide with the advice we have generally given clients regarding their trade secrets for years.
- Inventory company data to identify information that should be protected as trade secret, where it is located, and with whom it needs to be shared.
- Be aware that proprietary information may take many forms, including e-mail, outlook contacts, pricing lists, etc.
Adopt Physical Security Measures
- Mark documents containing trade secret information as “confidential” or “secret.”
- Lock cabinets and offices where trade secret information is kept.
- Require ID badges or other security for entry into restricted areas.
- Distribute trade secret information only to those employees who need to use it to do their jobs; restrict the access of employees who do not need access.
- Create an effective “barricade” around research and development so that information is not widely-distrusted or easily accessed.
- Restrict employees’ access to computer files that are unrelated to their work.
Protect Electronic Data
- Use stringent information security policies, such as data encryption and multi-factor authentication measures.
- Require employees working remotely to utilize secure connection platforms, such as remote desktop software, so that they will not have to download company information to their personal devices.
- Monitor company networks to identify and react quickly in the event of cyber- attacks.
- Prohibit employees from downloading company information to personal devices or sending such information through personal e-mail.
Require Non-Disclosure Agreements
- Have employees, vendors, and potential business partners enter into non-disclosure agreements that protect proprietary company information and ensure that the information remains secret.
- Develop Robust Procedures for Handling Departing Employees
- Ensure that departing employees return all company property, such as documents, thumb drives, and smart phones.
- Implement human resource polices geared toward the protection of trade secrets, such as training on the protection of trade secrets, handbook provisions regarding trade secrets that are signed and acknowledged by employees, exit interviews that stress ongoing confidentiality agreements, and social networking policies that prohibit posting company information to the web.
Remedies in the Event of a Breach
Companies must be prepared to take swift legal action in the event their trade secrets are stolen. Companies’ primary remedies for trade secret theft arise under state law, the UTSA in most states. While the Economic Espionage Act, a federal law, criminalizes the theft of trade secrets under certain circumstances, prosecutions under EEA are rare and the act does not create a private right of action for owners of trade secrets.
The UTSA, however, provides victims of trade secret theft with a number of powerful remedies for “misappropriation” of trade secrets, including the right to recover actual (out-of-pocket) and punitive damages as well as attorneys’ fees. The most important remedy, however, is the ability to obtain injunctions--court orders prohibiting the use or disclosure of a misappropriated trade secret, sometimes at the very outset of the case. These remedies, when coupled with specialized procedures such as expedited discovery, allow companies to quickly and effectively react to the theft of their trade secrets. For example, if a departing employee tries to take a trade secret to a competitor, the injured company may be able to stop the whole thing in its tracks by getting a preliminary injunction against both the employee and the new employer within a couple of weeks of the departure.
By developing a proactive and ongoing strategy to protect their trade secrets now, companies will not only position themselves to react quickly in the event of a breach, but will reduce the risk of ever having to do so in the first place. This is one area where the saying “an ounce of prevention is worth a pound of cure” certainly rings true.