Trade Secrets in the Digital World

Patents and copyrights powerfully protect intangible rights, but they are time-limited and require public disclosure of protected material. Intangible information maintained as a trade secret lessens misappropriation risk so long as the information is subject to measures preserving secrecy. Trade secrets may thus be ideal for intellectual properties such as customer lists, chemical formulas, manufacturing processes, software programs, code, and digitally stored data. Maintaining adequate security measures, however, is crucial. 

Until recently, trade secrets were protected under a patchwork of state laws. Under the 2016 federal Defend Trade Secrets Act (DTSA), trade secrets are now also federally protected. Federal law is fairly consistent with the Uniform Trade Secrets Act (UTSA), which has been adopted by most states but allows owners of misappropriated trade secrets to sue in federal court. The DTSA includes an updated definition of information that may constitute a trade secret, including “programs” and “codes,” and endorses both physical and electronic storage of information. This language reflects the reality that proprietary information is increasingly stored and accessed digitally.

As with any trade secret, digitally stored trade secrets must be subject to reasonable measures to preserve secrecy and cannot be generally “known.” For example, software code cannot be protected as a trade secret if it is composed merely of generally known elements without novelty; but the combination of public domain elements and digital data providing competitive advantage can be subject to trade secret protection. 

TRADITIONAL MEASURES HAVE DIGITAL ANALOGS

Satisfying secrecy requirements for digitally stored information presents additional difficulty. Traditional measures, such as storing a secret formula in a guarded and locked safe, may not practically prevent unauthorized digital access. However, traditional measures can be analogized to the digital world. A company with software, source code or other digital information constituting trade secrets should develop strong cybersecurity procedures (including passwords and firewalls), keep its cybersecurity systems updated, and limit access of digital information to authorized users. Tiered levels of access and user permissions are particularly important so that only employees with need-to-know status can access the confidential information. 

If a bad actor circumvents secrecy measures and accesses a trade secret, a suit for trade secret misappropriation may be applied, effecting injunctive relief for actual or threatened misappropriation, as well as recovery for damages. The DTSA does not preempt state law, so a plaintiff may sue based on DTSA and state law claims. It is now common to assert claims under both DTSA and UTSA.

Remedying trade secret misappropriation through litigation, however, generally requires proving that the information falls within the definition of eligible information — that the owner/plaintiff took reasonable precautions to keep information secret, that the information derives independent economic value from not being generally known or ascertainable, and that the information was misappropriated by the defendant. 

Without considering these elements before a bad actor takes and uses its valuable information, a business could find itself without recourse when the worst happens — particularly as the sort of information constituting a trade secret may not be protected by patent or copyright.

A plaintiff alleging misappropriation can expect the defendant to claim plaintiff did not take sufficient measures to preserve secrecy. The specific precautions employed by the plaintiff, and the reasonableness of those precautions, can be a dispositive factor in a misappropriation case. It is also the one factor most within the control of the plaintiff. Although a business cannot necessarily control the nature of the information it uses or the conduct of third parties, it can control the measures used to protect valuable information. It is thus crucial to maintain adequate precautions to keep trade secrets secret, and to proactively document that precautions were taken. 

PROTECTIVE STEPS TO TAKE

There is virtually no limit to the amount of time and money that a company may expend on these precautions — to the point that business function can be impaired. The following protective measures are reasonable steps for businesses to consider:

• Design a well-developed set of rules and guidelines to prevent disclosure of trade secrets. Document them in order to prove trade secrets were, in fact, protected. 
• Require employees to sign a confidentiality agreement defining trade secrets and requirements to appropriately manage company trade secrets. Impose a duty of inquiry where trade secret status is uncertain. Periodically remind employees of their obligations and remind departing employees of those obligations in an exit interview.
• Ensure employees understand and acknowledge that the business may engage in electronic monitoring (e.g., of email, internet and telephone use) to check for trade secret misappropriation.
• Have a defined set of procedures that employees must follow to obtain approval to share trade secrets (e.g., with third-party vendors), and require review of speeches and articles for confidential information before publication. 
• Maintain internal secrecy by dividing secret processes into steps with different people or departments executing each step, or by providing partial access among select individuals or departments. 
• Limit access to confidential materials to employees with need-to-know status. 
• Limit access to workspaces and facilities to employees and third parties who execute sign-in/sign-out procedures.
• Sequester confidential materials in specially restricted areas. Require passwords and additional levels of permission to access digital spaces where confidential materials are stored, and keep login records.
• Consistently mark trade secret materials with the business name and “CONFIDENTIAL,” and employ confidentiality notices even in internal workspaces.
• Restrict reverse engineering of products containing trade secrets to the extent feasible. 
• Ensure that confidential documents are properly disposed of (e.g., permanently deleted, shredded).
• Stay apprised of cybersecurity developments and vulnerabilities, and update digital infrastructure and practices accordingly. 
• Preserve evidence if trade secret misappropriation is suspected.

Maintaining reasonable precautions to preserve the secrecy of trade secret information is a continuing obligation requiring businesses to adapt practices for its physical and digital data. Such practices can provide significant payoff should theft of valuable trade secrets occur.