Nearly every business has trade secrets that need protection. Such trade-secret protection is an essential component of enterprise risk management plans. Understanding how the protection of trade secrets fits into a global business plan is the first step. Second, companies must ensure that they define their trade secrets, protect access to that information, and train employees to understand the significance of confidential data. Then, companies should harness the energy of their employees to ensure that their risk management plans have real traction.
Because businesses operate in a global economy, trade secrets that fuel a company’s profitability are as valuable in one country as they are half a world away, making cross-border and international industrial espionage a threat to be taken seriously. For example, a General Motors employee was recently arrested and charged with stealing proprietary company information relating to hybrid vehicle technology for use abroad by a Chinese automotive manufacturer. Dow AgroSciences had much the same experience when it discovered that an employee had taken secrets relating to organic insecticides for use in China. And in a third example, a former software executive of derivatives firm CME Group was arrested for allegedly copying thousands of files to thumb drives and trying to flee the country.
There are several factors that have come together to produce an environment ripe for trade-secret theft. Most importantly, in a digital world, trade-secret theft is easy. You don’t need to back a panel truck up to a company facility to steal a shelf load of hard copies of formulas, pricing data, or marketing plans. You don’t even need to make copies. And you may not need to be in the facility. All you need is computer access. Exacerbating the problem is that, in a digital world, copying and forwarding data without regard to the niceties of who owns it are commonplace. These trends, combined with a significant reduction in employee loyalty brought on by poor economic conditions, profoundly raise the risks and increase the need for trade-secret protection.
Hampering employer efforts to protect valuable data is the fact that legal protections for trade secrets differ around the globe. What qualifies legally as a trade secret in the United States may not be what fits the legal definition in Latin America or Asia. Similarly, enforcement rights and remedies differ from nation to nation.
The first step in protecting trade secrets is to identify which pieces of data really belong in the company’s trade secret protection program. Any information that meets the definitions developed should be listed in a central database. In-house counsel and outside law firms should be consulted to help with developing protocols for identifying data and documents that need to be included in the list.
Next, a company must create a process for keeping the central record up to date by adding and deleting information as appropriate.
Throughout the world, an important aspect of invoking trade secret protection is the effort a company puts into maintaining the secrecy of its trade secrets. By starting with a list of trade secrets and then working forward to ensure limited access, companies will have powerful evidence that the materials they classify as trade secrets deserve legal protection. The list also provides a starting point for the next phase of the process: determining who needs to be granted access to the company’s secrets.
The next step is to determine who should have access to the company’s trade secrets and why. That process begins by assessing which positions currently have access. In some cases, it may be that the number of positions with those privileges needs to be reduced.
Once the positions that require access are agreed on, that decision needs to be documented. Companies should keep a list of these privileged positions and the employees currently in them, cross-referenced by trade secret. This list should be reviewed frequently to make sure it is current and that persons with access still need that access to perform their jobs. If a person changes jobs, access should be reassessed, and if someone leaves the company, access to the system should be revoked immediately.
The trade-secret access list helps management spot whether access is appropriately limited by numbers and types. Typically, the more valuable the secret, the fewer people should have access to it. And for certain high-level secrets, it’s typical not to grant access to any vendors or contractors.
Confidentiality agreements. Every employee who is granted access to trade secrets should be required to sign a formal confidentiality agreement. This requirement should apply to employees and contractors.
Some companies may go further and require employees to sign restrictive covenants, which limit the use of certain information, and noncompete agreements, which limit a person’s legal right to leave the company and go immediately to a nearby competitor or to start up a competing firm. Noncompete agreements can’t be unlimited in geographic scope or time.
Companies should also use the employee access list to determine potential trade-secret risk when an employee leaves the organization, when it learns that an employee is in financial stress, or when an employee’s loyalty may be open to question. The list will show at a glance each project the employee has or had access to.
Making sure that information designated as a trade secret can only be accessed by those listed as having access rights is critical. This step can make it more difficult for secrets to be stolen and can help the company prevail in a lawsuit.
Absent good controls, employees will be more likely to disregard protection protocols. Also, if information is ever lost or stolen, a court will be more likely to deny the company legal protection if it learns that the company did not make reasonable efforts to protect itself.
For example, in one recent case (Amedisys Holding v. Interim Healthcare of Atlanta, U.S. District Court for the Northern District of Georgia, 2011) a company sought an injunction against a former employee who took logs that tracked patient referrals with her when she left to work for a competitor. These logs held detailed information on her former employer’s current and prospective patients and were used to target sales efforts.
The court granted the injunction, ruling that the company had made reasonable efforts to protect the information. Both the company network and e-mail were protected and the logs were available only to a select group of employees. Each printed page of the logs was stamped “confidential property.”
In another case (Omega Optical v. Chroma Technology, Vermont Supreme Court, 2002), the court ruled that a clearly confidential process could not be considered a trade secret because the company took no steps to protect it. The company manufactured high-tech filters for microscopes and apparently assumed that such a technical, scientific process would be a trade secret by default. But the company had no policies concerning the protection of trade secrets, and the only security measure in place, a traditional lock-and-key system, was unreliable because the sign-out procedures for keys were not enforced or monitored. For long periods of time, the public even had access to employee work areas. Employees received no notice that any company processes were trade secrets and no documents were marked confidential.
The court considered all these factors in ruling on the case, which involved a number of the company’s employees who left to start their own business. The court found that the confidential information the employees took with them was not legally considered a trade secret.
Specific measures. Case law and the author’s own experience suggest that companies should examine several aspects of security, including physical barriers, policies and procedures, IT security, and monitoring of social media.
The general physical security precautions a company should consider are basic and include perimeter fencing, access control, and alarmed or self-locking doors to areas containing trade secrets. Security guards may be employed but aren’t always needed. Courts also look for physical barriers to viewing and visual cues, such as “authorized personnel only” signs at access points, sign-in procedures for visitors, and ID badges for employees.
IT security is also critical. Important measures include unique passwords for computer-stored information, pop-up screens indicating confidential information, and firewall protection. Companies that are serious about protecting trade secrets restrict remote access to their internal computer system, place trade secrets on separate servers, prohibit the use of outside software and hardware, and keep records of electronic access. In addition, restricting the ability to download or copy information is crucial.
However, having protective systems in place is only a first step. Systems should be audited to review access, use, and copying and to find signs of anomalies that might warrant investigation. For example, in a lawsuit filed in federal court in May, the Huntington National Bank in West Virginia is suing several former employees for trade-secret theft. It charges that just before the employees resigned and started a competing business, they spent weeks downloading confidential customer information from the bank’s secure database. The employees had the right to access the information at that time, but a timely audit would have revealed the unusual activity and may have prevented the alleged theft.
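An added example, not from the original article: one way to run the kind of audit described above, comparing each user's recent download volume on a trade-secret server with that user's own earlier baseline. The log format, user names, thresholds, and the `flag_download_spikes` helper are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

def flag_download_spikes(events, as_of, recent_days=14, baseline_days=60,
                         ratio=5.0, min_recent_total=500):
    """Return {user: (baseline_per_day, recent_per_day)} for users whose
    recent download rate far exceeds their own earlier rate."""
    recent_start = as_of - timedelta(days=recent_days)
    baseline_start = recent_start - timedelta(days=baseline_days)
    recent, baseline = defaultdict(int), defaultdict(int)
    for user, day, records in events:
        if recent_start < day <= as_of:
            recent[user] += records
        elif baseline_start < day <= recent_start:
            baseline[user] += records
    flagged = {}
    for user, total in recent.items():
        if total < min_recent_total:
            continue  # too little volume to matter, whatever the ratio
        base_rate = baseline[user] / baseline_days
        recent_rate = total / recent_days
        # No earlier activity (base_rate == 0) counts as a spike: heavy
        # first-time use of the secrets server is itself worth a look.
        if base_rate == 0 or recent_rate >= ratio * base_rate:
            flagged[user] = (round(base_rate, 1), round(recent_rate, 1))
    return flagged

def sample_events(as_of):
    """Constructed data: (user, day, records_downloaded), one row per day."""
    events = []
    for back in range(74):
        day = as_of - timedelta(days=back)
        events.append(("alice", day, 20))                       # steady use
        events.append(("bob", day, 400 if back < 14 else 30))   # late surge
        if back < 14:
            events.append(("carol", day, 10))    # new access, low volume
            events.append(("dave", day, 100))    # new access, high volume
    return events

AS_OF = date(2011, 6, 30)  # constructed audit date
if __name__ == "__main__":
    hits = flag_download_spikes(sample_events(AS_OF), AS_OF)
    for user, rates in sorted(hits.items()):
        print(user, "baseline/day=%s recent/day=%s" % rates)
```

Comparing each user against their own history keeps heavy but steady users off the report, and the flagged names can then be checked against the trade-secret access list and pending departures.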
In general, companies should have policies informing employees that their company e-mail, company-issued electronic devices, and all company communications systems are subject to review. Employees should be required to consent to Internet usage rules and to the employer’s monitoring of their Internet use. Similarly, the company should obtain waivers from employees for background checks and other reports covered by the Fair Credit Reporting Act.
In addition, companies should have effective policies on the use of social media with regard to discussions about company information outside the workplace, and they should routinely monitor Internet postings to guard against security breaches. While employers’ surveillance of “concerted protected activity” is an unlawful labor practice, there have been no cases that make review of public statements to guard against trade-secret theft a violation of the National Labor Relations Act. Where postings are password protected, companies that suspect trade-secret theft should consult counsel about how to proceed.
As with many aspects of security, employees are the first and most important line of defense. They need to know they have a stake in protecting the company’s confidential information. In combination with active monitoring of systems to identify usage anomalies, it is critical to build a culture in which employees view company trade secrets as theirs to protect.
To that end, companies must make protection of company trade-secret assets a core value, shared and enforced across the work force. The best way to do this is to conduct comprehensive training.
The training should explain to employees what company information is a trade secret and why the company protects these secrets. The trainers should emphasize how much job security depends on maintaining the assets of the business and that it is in everyone’s interest to make sure trade secrets stay secret.
Employees should be taught how to protect against both inadvertent disclosures and outright theft. Employees should also be taught how to report their concerns and to whom. The company must assure employees that it has internal avenues through which suspicions may be voiced confidentially and that it will follow through by conducting a thorough investigation.
Penalties for breaching confidentiality should also be included in the training. This can vary among companies. Some companies tie improper handling of trade secrets to loss of compensation or benefits. Forfeitures of nonvested equity grants or deferred compensation, clawback arrangements affecting both salary and equity, liquidated damage provisions allowing for legal attachments, and other similar techniques are among the types of provisions companies use in instances where improper taking is established. Employees affected by these provisions should be repeatedly made aware of the consequences of trade-secret loss.
If theft does occur and a legal case is brought, proof of the existence of a regular training program can help the company win its lawsuit. Similarly, the absence of training can hurt. In Omega, the court was troubled by the lack of training on trade secrets. The court wrote that “Omega failed to take steps to put its employees on explicit or implicit notice that certain information conveyed to them during their employment was to be kept confidential.”
Plan for Departures
A policy on how to handle departing employees is the final prong in a trade-secret protection program. The policy should cover everything from the exit interview to preserving a physical workspace.
Employers should conduct an exit interview for any employee who had access to trade secrets, but special attention should be given to departures that raise red flags. Involuntary termination, refusal to participate fully in an exit interview, and going to a competitor are all red flags that indicate this departure may merit special attention. If the departing employee had trade-secret access, the company should take steps to ensure that those secrets aren’t leaving too, such as spot checking e-mail and hard drives and looking for access anomalies during the period before the departure.
For any employees with trade-secret access, even those not raising red flags, the company should preserve the hard drives and other data storage devices that they used. For all departing employees, the company should spot check access to the computer network and look for anomalies.
A similar practice led to a lawsuit filed by Genesco Sports against an employee in June 2011. In the case, Genesco alleges that the employee resigned his position and then spent his last two weeks on the job downloading proprietary information from the company’s internal network to his company laptop. Genesco claims that an hour before the employee left the building for good, he downloaded the confidential information from his laptop to a USB drive. Then, the lawsuit claims, the employee deleted the information, along with all of his e-mail.
Three days later, an IT specialist at Genesco examined the employee’s laptop, as per company procedure. The specialist was alarmed that the e-mail had been deleted, and he investigated further, coming to the conclusion that the employee had allegedly absconded with trade secrets. The case has yet to be heard so the facts and the outcome are not yet known. However, it is clear that Genesco’s policies helped it take quick action that may have resulted in uncovering a theft.
Employers should also consider requiring “garden leave” provisions for those with access to significant trade secrets. Under a garden-leave provision, employees must give their employer a certain amount of time as notice before they resign. They then go on paid leave for the notice period. Thus the employee is being paid to “tend his garden.” Garden-leave provisions have two benefits. First, they are looked upon more favorably by the courts than noncompete restrictions, in which a company prohibits an employee from working in a specific industry for a specific period of time. Second, garden-leave provisions allow a company time to conduct an investigation into the employee before that employee begins working somewhere else. Typically, garden leave lasts for 60 to 90 days.
If there are immediate concerns about a departing employee, the company should consider securing his or her workspace. Physical inspection of office contents may also be necessary. Personnel policies facilitating these searches should be part of the trade-secret protection plan and should be in place well in advance.
Protecting trade secrets must be part of the enterprise risk management plan long before a company realizes that confidential information is missing. By clearly defining their trade secrets, taking steps to protect them, and involving employees in that effort, companies can take great strides toward keeping corporate secrets under wraps.
Jonathan L. Sulds is cochair for the Global Labor and Employment Law department at Greenberg Traurig, LLP. He practices in New York City, New York.