Trade Secrets Protection: Some Common Sense and an Ounce of Prevention Is Worth a Pound of Cure
Given the dire consequences a company can face once a valuable trade secret goes out the door, corporate executives need to understand what their trade secrets are as well as how to protect them. Under the law, a trade secret has “independent economic value,” and to earn legal protection an employer must take reasonable steps to protect it.
Too often a company’s own employees, intentionally or not, pose the greatest threat to unintentional disclosure. Employers would be well-advised, therefore, to take several steps to better protect the secrecy of their trade secrets, involving both personnel policies and technology solutions.
Let’s begin with some initial steps any company should take:
- Define their trade secret(s) in employment contracts (including non-disclosure agreements [“NDAs”] and proprietary information and inventions assignment [“PIIAs”]), offer letters, policies, employee handbooks, etc.
- Obtain signed employee acknowledgments of trade secrets and confidential treatment.
- Use and constantly update legally compliant NDAs and PIIAs.
- Conduct new employee orientation and continuing education of employees regarding the value and the need to safeguard the company’s trade secrets.
- Periodically remind employees of the importance of protecting the employer’s trade secrets and other proprietary and confidential information, including “pop up” boxes and electronic acknowledgements each time that an employee logs into a system containing proprietary information.
Implementing internal controls is critical. Employers should:
- Restrict access internally by disseminating such confidential information only to those employees who truly have a need to know.
- Implement appropriate monitoring procedures.
- Limit computer access through passwords.
- Stamp confidential documents with a legend, such as “trade secret — document contains confidential and proprietary information — strictly limit circulation.”
- Security clearance, badges, keys to access locked information, etc.
- Require all third parties to execute non-disclosure agreements.
- Require the return of all company property, and require execution of a “Termination Certificate” representing and warranting that the departing employee has returned (or permanently destroyed) all company trade secrets and other confidential and proprietary information.
The value of exit interviews cannot be overstated. Employers can ask departing employees, for example, whether he or she has:
- Returned all company property;
- Executed and returned the “Termination Certificate” representing and warranting that the employee has returned (or permanently destroyed) all company trade secrets and other confidential and proprietary information; and
- Complied with all of his or her contractual and legal obligations.
There are particular questions one might consider asking in an exit interview, including:
- “Do you have any company documents in your possession or under your control?”
- “Have you given any company documents or information to anyone outside the company?”
- “Do you still have access to any company documents?” [“If so, which documents?” “Where are these company documents located now?”]
- “Do you have any company documents or materials at home?”
- “Have you returned all flash drives that contain company information?”
Upon voluntary or involuntary termination of an employee’s employment, employers should consider saving forensic copies of the data on any mobile devices used to access the employer’s trade secrets and other proprietary information, and then purging the data on the device and deactivating any user names and passwords issued to that employee that would allow access to the employer’s trade secrets and other proprietary information.
Other steps could include:
- Sending a follow-up letter to the departing employee and his new employer to notify them of their non-disclosure/non-use obligations.
- Continuing to monitor the risk of disclosure or unauthorized use of the company’s trade secrets, including by former employees who leave to work for competitors.
- Sending a letter to a competitor to inform it of the employer’s internal controls to prevent the use or disclosure of the former employer’s trade secrets if it anticipates litigation over a hiring decision.
In light of the special risks with “BYOD” (bring your own device) to work policies, employers should consider implementing some additional safeguards:
- Create a checklist setting minimum technical requirements for an employee’s personal device: For example, grant the employer access for business purposes; require cleaning of device by IT upon separation of employment or other business needs (“remote wipe” if lost/stolen); legally diminish employees’ privacy expectations (e.g., “Employees should expect that all information created, transmitted, downloaded, received or stored in Company computers … and email systems … may be accessed [and monitored] by the Company at any time without prior notice”); etc.
- Take security software precautions. Most employees do not have sufficient security software to protect confidential information, trade secrets, and other private and/or confidential information on their personal devices. Therefore, employers should implement measures to protect the information to minimize the risk of data breaches. For example, the remote access should be set so that after a certain period of inactivity, automatic logout occurs. Employers should consider managing employees’ mobile devices using “mobile device management” (“MDM”) software, which allows employers to remote wipe and encrypt either all information on the device or just Company information.
Employers face additional risks by posting trade secrets “in the cloud” or on cloud-based storage sites like DropBox. Since the employer’s trade secrets and other proprietary information are being hosted by an unknown third-party provider, there is an increased risk that the information could leak to the public, thus eviscerating trade secret protection. Employers hosting trade secrets in cloud-based storage also face challenges in recovering trade secret and other information following a breach.
Moreover, there may be uncertainty over which jurisdiction’s laws apply (particularly if the server is not located in the U.S.). For these reasons, if employers choose to store trade secrets and other proprietary or valuable information in the cloud, they should negotiate a robust contract with the cloud service provider, which includes prohibitions on any disclosure or misuse to third parties and clearly defining the terms of the provider’s services.
While this list may seem lengthy, they can make the difference between your trade secrets staying safe or being disclosed. And should the latter occur, documentation of having taken these steps can make the difference in any litigation resulting from that disclosure.