The prevalence of data breaches cannot be ignored. New data breaches continue to occur one after another. In the first half of 2015 alone there were reports of large-scale data breaches involving multiple companies in the healthcare industry, the United States Office of Personnel Management (OPM), the IRS, a telecommunications provider, an online console gaming provider, and a transportation company.[i] Organizations face a monumental task in safeguarding confidential data, as the concept of a safe perimeter around private networks continues to erode and adversaries become ever more sophisticated. While efforts and failures to secure data have received a large amount of press, most of it has focused on breaches relating to information about people—whether financial or medical.[iii] This is primarily because most of the laws that relate to liability for data breaches in the U.S. deal with identifiable information relating to individuals.[iv] In addition, the thought of people's private information being stolen or disclosed invokes a strong emotional reaction from the public that a breach of other business data does not.
Nevertheless, companies should be equally concerned about the breach of non-personal business data, such as their trade secrets, and establish proper safeguards to mitigate the attendant risks. The Uniform Trade Secrets Act defines a trade secret as follows:[v]
- “Trade secret” means information, including a formula, pattern, compilation, program, device, method, technique, or process, that:
  - derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and
  - is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
As this definition shows, two primary requirements must be met for information to qualify as a trade secret: 1) the information derives value from being kept confidential, and 2) the company must take reasonable steps to maintain the secrecy of the information. Unlike other types of IP protection, such as patents and copyrights, which protect information after it is made public, trade secret law protects valuable information that the company endeavors to keep secret. The remedies available to organizations that comply with these trade secret requirements include criminal punishment in the event of theft, as well as injunctions to prevent the information from being used improperly, such as in the importation of a competing product.[vii]
Securing Trade Secrets
The trade secret definition counsels that even if business data is valuable when kept secret, it does not qualify as a trade secret unless the organization takes efforts that are reasonable under the circumstances to maintain the secrecy of the data.[viii] Companies should therefore consider trade secret law requirements at the outset of the process of designing or updating their information security programs.
The following suggestions, which are consistent with implementing a cybersecurity framework such as the NIST Cybersecurity Framework,[ix] can help ensure that trade secrets are identified and appropriately protected:
- Prioritize Objectives and Define Scope of Assets: In this step, the organization should consider the role of trade secrets in the organization or business line. Here, business objectives and how those objectives are supported by trade secrets should be specifically considered along with all other data assets.
- Orient: This step involves establishing an overall organizational risk approach including identifying threats and vulnerabilities to the systems related to the trade secrets and other data. The risks of loss of business value of trade secrets should be considered in conjunction with risks associated with loss of other types of data such as personal financial information.
- Risk Assessment: The unique aspects of trade secrets should be considered in conducting the risk assessment. The analysis should consider the possible post-breach protections, discussed below, which may mitigate the harm caused by the disclosure as long as reasonable steps were taken to avoid the breach.
- Implementation: An organization must prioritize the action plan that is intended to address gaps between the current cybersecurity profile of the organization and the target profile. The preceding suggestions will help to prioritize the action plan to ensure that the actions taken to secure the trade secrets are deemed reasonable, as required to preserve the trade secret status.
Preparing for a Breach
Ideally, of course, a company that takes reasonable steps to secure its trade secrets would not have to worry about a data breach and could be confident that its information is 100% secure. Sadly, this is not the world we live in. Organizations are being assailed by all levels of attacks, including advanced persistent threats sponsored by nation states.[x] In view of the fact that those securing a network have to be successful 100% of the time, while those trying to breach it only have to be successful once, the deck is stacked against perfect security. Therefore, an organization must consider not just how to take reasonable measures to secure trade secrets; it must also tailor its incident response plan for the event that trade secrets are misappropriated despite its reasonable efforts to secure them.
Incident response plans should include measures to preserve information that can identify the source of a breach. This information can assist in both criminal and civil proceedings against those responsible. As previously mentioned, there are criminal[xii] penalties for theft of trade secrets in the U.S. Criminal prosecution may provide a deterrent and could potentially stop a trade secret from being disseminated if the perpetrator is caught prior to disclosing it. Unfortunately, recent statistics suggest only 18% of breaches originate in the U.S., where the perpetrators would be subject to prosecution domestically.[xiii] International prosecution is possible but much more complex, for obvious reasons.[xiv] In most cases, therefore, the entity responsible for the breach will not be subject to prosecution and, if the trade secrets are disseminated, prosecution of an individual may not provide the organization much recompense.[xv] Civil actions are similarly limited, both because many foreign adversaries cannot be reached and because an individual, even when subject to jurisdiction for a civil suit, may not be able to make a company whole for the loss suffered.
If a company suffers a breach that includes loss of trade secrets and identifies the perpetrators as being outside the U.S., the company should consider setting up a monitoring program for imported goods that incorporate its trade secrets. Assuming the company took reasonable steps to protect the trade secrets prior to the breach, it may be able to obtain an injunction to prevent the importation of goods utilizing its proprietary information.[xvi] This will be a difficult endeavor, but for a company with highly valuable trade secrets, such vigilance may be the only meaningful choice in many situations.