Internal Strategies Businesses Can Take to Protect Trade Secrets

A constant challenge for businesses with important trade secrets is how to simultaneously make commercial use of them while also preserving their legal status. To be protected as a trade secret, a piece of commercially valuable information must be “the subject of efforts that are reasonable under the circumstances to maintain its secrecy.” Cal. Civ. Code § 3426.1(d). Activities directed beyond the confines of the business present various disclosure risks, ranging from unscrupulous commercial partners to outright theft. External threats to trade secrets can be managed in various ways: robust contracts, tight limits on how and with whom information is shared, and so forth. But defending trade secrets also requires careful internal management.

A key question for managers of intellectual property is how far to take the policies and procedures that govern the control of a business’s IP portfolio. In some ways the law is frustratingly vague about what measures need to be taken. One often confronts uncomfortable ambiguities when crafting a concrete plan that will be “reasonable under the circumstances.” A guiding principle is that “reasonable steps” are sufficient to protect information in such a way that it can only be exploited by an outsider who uses inappropriate or unlawful methods to obtain it. The goal is therefore to ensure that anyone outside the firm who learns about a trade secret is doing so in a controlled way.

Unprotected disclosures risk losing trade secrets

The overarching goal of internal trade secret policy is to prevent unprotected disclosures. Once information escapes the holder’s control, it can rapidly lose its special legal status. In some circumstances a business may choose to share certain trade secrets with third parties under confidentiality contracts. For many businesses such disclosures are difficult to avoid. For example, many businesses hire third-party contractors to maintain their computer networks. An IT professional may have incredibly deep access to a client’s information and needs to be subject to a strict contractual obligation to respect its confidentiality.

Unprotected disclosures can happen in other ways. A risk that probably keeps many managers up at night is that an employee accidentally discloses secrets bysending an email to the wrong recipient, or attaching the wrong files. A trade secret could also be accidentally revealed in a casual conversation. Such slips may leave a short window for recovering the secret before it is lost for good, but they need to be addressed promptly and with vigor.

Sloppy disclosures can happen in other ways that are potentially more problematic, because they are deliberate. Executives who are excited about a company’s technology might disclose more than they should when talking to people who aren’t bound by confidentiality obligations: journalists, industry groups, potential investors, and so forth. An advertising campaign for a new product might be designed in such a way that the trade secrets are effectively disclosed to sophisticated competitors. A trade secret could also be inadvertently disclosed in a publicly available patent filing, and potentially even in non confidential litigation paperwork.

Internal trade secret management requires diligence and training

The specific steps a company should take to control how its trade secrets are handled within the company itself will depend on the specific qualities of the trade secrets themselves and the size of the business, among other factors. A given piece of secret information will have certain raw characteristics that must be taken into account in crafting a program to protect it. A large file of computer code, which must be complete to function, may require a different approach than a formula that could fit on a single sheet of paper. Likewise, a very small firm will have different challenges from a very large one. Smaller companies potentially have an easier time ensuring their employees are using best practices, but they may also need to rely much more on outsiders and they may face greater employee turnover. Smaller firms may also be less likelyto have the full suite of controls over their electronic systems.

Here are a few examples of the kinds of internal strategies that many companies will find useful for protecting their trade secrets. For many of these, the object isn’t simply to establish a sound legal argument for why something should receive protection as a trade secret. More importantly, it is also to prevent unprotected disclosures in the first place.

Draw clear lines around trade secrets and who can access them. Before information can be protected as a trade secret it has to be identified as such. The process should be deliberate, disciplined, and thorough. Similarly, the people who will have rights to access trade secrets should be clearly identified by management. One component of these exercises is to ensure that the trade secret label isn’t used so broadly that it starts to impose unnecessary administrative burdens on the ordinary operation of the business.
Compartmentalization. Where possible, dividing up the components of a trade secret into distinct, rigidly controlled parts can be a powerful defense. The Coca-Cola Company famously uses compartmentalization to preserve its “secret formula”: even a top executive may only know one part of the complete recipe.
Regular training. Employees who handle trade secrets need to be periodically reminded about how to handle them. This is especially important for employees who routinely share information under third party confidentiality agreements. Employees who do this sort of work are well positioned to know when a relationship has ended or gone sour, which may trigger an effort to enforce a confidentiality agreement’s “return or destroy” clause. Employees also need to know when to report incidents like inadvertent disclosures.
Electronic controls. The digital age presents a host of risks for holders of trade secrets. A variety of software tools are available to help companies manage their most sensitive data. Restricting network permissions is a basic step that most companies can take. Some businesses may need to limit how email is used, how much access employees have to the Internet, and how readily information can be printed.