A constant challenge for businesses with important trade secrets is how to simultaneously make commercial use of them while also preserving their legal status. To be protected as a trade secret, a piece of commerciallyvaluable information must be “the subject of efforts that are reasonable under the circumstances to maintain its secrecy.” Cal. Civ. Code § 3426.1(d). Activities directed beyond the confines of the business present various disclosure risks, ranging from unscrupulous commercial partners to outright theft. External threats to trade secrets can be managed in various ways: robust contracts, tight limits on how and with whom information is shared, and so forth. But defending trade secrets also requires careful internal management.
A key question for managers of intellectual propertyis how far to take the policies and procedures that govern the control of a business’s IP portfolio. In some ways the law is frustratinglyvague about what measures need to be taken. One often confronts uncomfortable ambiguities when crafting a concrete plan that will be “reasonable under the circumstances.” A guiding principle is that “reasonable steps” are sufficient to protect information in such a waythat it can only be exploited by an outsider who uses inappropriate or unlawful methods to obtain it. The goal is therefore to ensure that anyone outside the firm who learns about a trade secret is doing so in a controlled way.
Unprotected disclosures risk losing trade secrets
The overarching goal of internal trade secret policyis to prevent unprotected disclosures. Once information escapes the holder’s control, it can rapidlylose its special legal status. In some circumstances a business maychoose to share certain trade secrets with third parties under confidentialitycontracts. For many businesses such disclosures are difficult to avoid. For example, many businesses hire third-partycontractors to maintain their computer networks. An IT professional may have incredibly deep access to a client’s information and needs to be subject to a strict contractual obligation to respect its confidentiality.
Unprotected disclosures can happen in other ways. A risk that probablykeeps many managers up at night is that an employee accidentally discloses secrets bysending an email to the wrong recipient, or attaching the wrong files. A trade secret could also be accidentallyrevealed in a casual conversation. Such slips mayleave a short window for recovering the secret before it is lost for good, but they need to be addressed promptly and with vigor.
Sloppy disclosures can happen in other ways that are potentially more problematic, because they are deliberate. Executives who are excited about a company’s technology might disclose more than they should when talking to people who aren’t bound byconfidentiality obligations: journalists, industry groups, potential investors, and so forth. An advertising campaign for a new product might be designed in such a waythat the trade secrets are effectively disclosed to sophisticated competitors. A trade secret could also be inadvertently disclosed in a publicly available patent filing, and potentially even in nonconfidential litigation paperwork.
Internal trade secret management requires diligence and training
The specific steps a companyshould take to control how its trade secrets are handled within the companyitself will depend on the specific qualities of the trade secrets themselves and the size of the business, among other factors. A given piece of secret information will have certain raw characteristics that must be taken into account in crafting a program to protect it. A large file of computer code, which must be complete to function, mayrequire a different approach than a formula that could fit on a single sheet of paper. Likewise, a verysmall firm will have different challenges from a verylarge one. Smaller companies potentially have an easier time ensuring their employees are using best practices, but they may also need to rely much more on outsiders and they mayface greater employee turnover. Smaller firms may also be less likelyto have the full suite of controls over their electronic systems.
Here are a few examples of the kinds of internal strategies that manycompanies will find useful for protecting their trade secrets. For many of these, the object isn’t simplyto establish a sound legal argument for whysomething should receive protection as a trade secret. More importantly, it is also to prevent unprotected disclosures in the first place.
- Draw clear lines around trade secrets and who can access them. Before information can be protected as a trade secret it has to be identified as such. The process should be deliberate, disciplined, and thorough. Similarly, the people who will have rights to access trade secrets should be clearlyidentified by management. One component of these exercises is to ensure that the trade secret label isn’t used so broadlythat it starts to impose unnecessary administrative burdens on the ordinary operation of the business.
- Compartmentalization. Where possible, dividing up the components of a trade secret into distinct, rigidlycontrolled parts can be a powerful defense. The Coca-Cola Companyfamously uses compartmentalization to preserve its “secret formula”: even a top executive may onlyknow one part of the complete recipe.
- Regular training. Employees who handle trade secrets need to be periodicallyreminded about how to handle them. This is especiallyimportant for employees who routinelyshare information under thirdpartyconfidentiality agreements. Employees who do this sort of work are well positioned to know when a relationship has ended or gone sour, which maytrigger an effort to enforce a confidentiality agreement’s “return or destroy” clause. Employees also need to know when to report incidents like inadvertent disclosures.
- Electronic controls. The digital age presents a host of risks for holders of trade secrets. A variety of software tools are available to help companies manage their most sensitive data. Restricting network permissions is a basic step that most companies can take. Some businesses may need to limit how email is used, how much access employees have to the Internet, and how readilyinformation can be printed.