On May 11 2016 President Obama signed into law the Defend Trade Secrets Act (DTSA), capping several years of hearings and negotiations that eventually led to an almost-unanimous vote in Congress. The primary aim of the statute was to provide industry with the option of asserting civil claims for trade secret misappropriation in federal courts. Although trade secret law had traditionally been the province of the states, their varying rules and procedures were seen as increasingly mismatched to the needs of businesses that operate in the global, information-based economy. Allowing cases to be filed in federal court was expected to increase the effectiveness of protecting data assets.
The basic approach was to adopt the standard definitions and remedies provided in the Uniform Trade Secrets Act (UTSA), which since 1979 had been embraced (although with variations) by 47 of the 50 states. As a result, the new law also aligns very well with Article 39 of the 1995 Agreement on Trade-Related Aspects of Intellectual Property (TRIPS), which also was patterned on the UTSA. As with most legislative efforts, however, some special concerns led to the enactment of unique provisions.
The most hotly debated of these was a procedure to permit ex parte applications for orders to seize items that contain a trade secret. In an environment where valuable data can be downloaded to a small device and taken across borders, industry wanted a quick remedy when evidence surfaced that such a theft was threatened. But adapting a process that has worked well in the context of counterfeit goods turned out to be awkward, since separating the improper from the legitimate is harder to do with information. In the end, Congress agreed on a number of strict requirements and limitations designed to prevent abuse, looking much like the restrictions which over the years have been placed on the use of Anton Piller orders.
A second special feature was the creation of an exception for whistleblower disclosures, by granting immunity under state or federal trade secret law to any individual employee, contractor or consultant who reports in confidence to the authorities information about wrongdoing within an organization. This provision was animated by a lack of reliable protection under current laws, whose ambiguity tended to discourage reporting of crimes. But its focus on law enforcement stood in contrast to the near-simultaneous adoption by the EU of a much broader whistleblower exception in the Trade Secrets Directive.
Another change from the UTSA, reflecting a concern about labour mobility, places a limitation on what sort of injunctive relief judges can issue against departing employees. The so-called “inevitable disclosure doctrine,” under which an employee might be blocked from taking on an identical job for a direct competitor, was rejected. Instead, federal courts may place conditions on a new job – such as working in a different area of the company – but only based on evidence of the employee’s behaviour from which it can be inferred that the former employer’s secrets are at risk of misuse.
What can we observe from the first year’s experience with this new option for trade secret litigation? In general, the law appears to be performing as intended, although in some areas, such as whistleblower protections, it has been rough going. Ex parte seizures have not proved the scourge that critics feared. While federal filings are popular, state courts remain even more so, and probably for good reason. And some intriguing and impactful questions remain so far unanswered.
Since the DTSA came into effect there have been over 300 cases filed, with a few dozen rulings on early-stage issues. Because direct filing in federal court was not previously available, there are no comparative statistics. But most experienced practitioners observe that the take-up has been substantial, confirming the assumption that businesses would often choose federal protection if they had the choice. However, many more cases continue to be filed in state courts, where localised disputes – imagine an insurance agent moving across town to another brokerage, for example – are handled effectively.
In general, the law appears to be performing as intended, although in some areas, such as whistleblower protections, it has been rough going
Indeed, the generally enthusiastic early adoption of the DTSA may not continue for the long term. Although cases involving actors and witnesses in other states or countries will usually benefit from a federal forum, due to common rules and nationwide service of process, federal courts are not always the best place for a plaintiff to file a trade secrets claim. In part this is because in the federal system a case is assigned to a single judge for the duration, so the judge tends to focus on early disposition. In contrast, most state court systems divide and distribute their work, and early motions tend to be resolved by one judge letting the case continue through to a trial before a different one.
In trade secret cases, at the outset the plaintiff typically has more speculation than evidence about what has happened and the extent to which its information is in peril. Since the US has a tradition of very broad discovery rights, courts long ago settled into an approach for handling this information asymmetry by allowing cases to be filed based on a reasonable suspicion that misappropriation has occurred, with discovery left to fill in the gaps. When the DTSA was new, concern was expressed that federal courts might apply a “heightened pleading standard” required typically in cases of fraud. That fear has not played out, however, as the few courts where initial pleadings were challenged on that basis have rejected the argument and confirmed that a short statement of facts demonstrating a “plausible” theory of liability is enough.
In other ways, however, the tendency of federal courts to closely examine pleadings has shown up in the early DTSA decisions. In one case, a motion to dismiss was granted for failure expressly to plead that the trade secrets related to a product or process in interstate commerce, which is practically speaking a low bar but nevertheless a jurisdictional requirement under the statute. In another case, however, a judge dismissed a complaint for failure to plead in sufficient detail the basis for the plaintiff’s assertion that it had made “reasonable efforts” to protect its secret information. While that is also a necessary element under state laws, most state courts have allowed plaintiffs to plead it with very little evidentiary support.
To date we have not seen the courts address in any comprehensive way the basic question of how trade secrets – which are the only IP right not described through a government registration process – are to be defined in litigation. Because the scope of discovery depends to a great extent on understanding exactly what is the subject matter of the dispute, we can probably expect this issue to emerge over time as a common subject for early case management.
Since the DTSA came into effect there have been over 300 cases filed, with a few dozen rulings on early-stage issues
On one aspect of DTSA pleading there seems to be clear agreement: when a complaint alleges misappropriation that was complete before the statute became effective, the DTSA does not apply. However, if the complaint alleges new acts of misappropriation in the same transaction, the DTSA will apply to those acts, while the prior acts will be covered by relevant state law.
While the legislation was pending before Congress, some opponents, primarily academics, expressed concern that the provisions for ex parte seizures would become “routine” and subject to abuse by powerful trade secret holders to extract unjustified settlements. In actual practice those fears have not been realised. Very few plaintiffs have even requested this extraordinary form of relief, and it has been granted publicly in only two cases, with another two reportedly under seal.
Indeed, because one requirement of the procedure is that “normal” injunctive relief provided under Federal Rule 65 is demonstrably insufficient, the effect seems to have been to focus attention of the courts on that process. It turns out that Rule 65 in practice is broader and more flexible than some had imagined. As some DTSA cases have shown, where the proof is strong, plaintiffs may be able to secure the functional equivalent of an ex parte seizure under pre-existing authority: judges can issue immediate orders to restrain misuse and disclosure, and even to require surrender of devices containing secrets.
Federal statutes are presumed to operate only within US territory unless it clearly appears that Congress intended otherwise. The DTSA legislation did not contain an express statement of extraterritorial effect. But anyone reading the bill as it was passed would probably conclude that Congress wanted it to apply to foreign misappropriation of domestic commercial secrets. The bill included a section on the “Sense of Congress” stating that “[t]rade secret theft occurs in the US and around the world, and, wherever it occurs, harms the companies that own the trade secrets and the employees of the companies.” Another section required regular agency reports on the “scope and breadth of the theft of trade secrets of US companies occurring outside of the US” and what can be done to “reduce the threat of and economic impact caused by” such foreign theft.
Because the scope of discovery depends to a great extent on understanding exactly what is the subject matter of the dispute, we can probably expect this issue to emerge over time as a common subject for early case management
As an alternative to considering those strong but indirect statements from Congress, courts might turn to a portion of the pre-existing Economic Espionage Act of 1996 (EEA), the federal criminal statute that was amended to allow for the provisions of the DTSA. The EEA includes a provision expressly declaring its extraterritorial effect, but only when an “act in furtherance of the offense” occurred in the US or the “offender” was a US citizen or permanent resident. Because these terms are normally used to apply only to criminal laws, one could argue that the section does not apply to civil claims, or that if it does the reach of the DTSA is similarly restricted by required connections to the US.
So far only one court has touched on the issue of extraterritorial effect of the DTSA, and it read the EEA provision as applying equally to the civil claim. However, it was a collateral issue in the case and did not receive close analysis. Given the prevalence of foreign misappropriation, coupled with the potentially more powerful remedies now available in federal court, we can expect this issue to be squarely addressed before long. Answering the question whether the DTSA applies fully, conditionally, or not at all to conduct outside the US could have a profound effect on cross-border litigation over trade secrets.
The DTSA’s limitation on judicial power to restrain departing employees from accepting a new position has so far received close attention in only one case, but with clear effect. An executive working for a defence contractor took a job with a competitor serving the same government agency. When his former employer sought an injunction that would prohibit his doing business for that agency, the court found that such a restriction in theory would not amount to an impermissible restraint on accepting employment. And although the DTSA also forbids injunctions in conflict with state law protecting labour mobility, the applicable state rule provided an exception when necessary to protect trade secrets. The court’s order granting injunctive relief stands as an example of the DTSA’s effective balance of legitimate, competing interests.
The vast majority of cases filed so far under the DTSA have coupled that claim with a parallel misappropriation claim under the law of the state in which the federal court sits. In some cases the two laws may have meaningfully different standards, depending on the extent to which that state’s law varies from the DTSA. A common example would be the limitations period, which is three years under the DTSA but can extend to as long as five or six years under some state laws. Other variations include the availability of royalties as an alternative to injunction, the definition of what constitutes a trade secret, and allowable damage theories. No federal court has yet expressed that this simultaneous assertion of different laws to cover the same claim is problematic; however, we are still in the early stages of most DTSA cases, and as they proceed closer to trial we can expect to see courts require elections or otherwise resolve the conflict.
It turns out that Rule 65 in practice is broader and more flexible than some had imagined. As some DTSA cases have shown, where the proof is strong, plaintiffs may be able to secure the functional equivalent of an ex parte seizure under pre-existing authority
Other state laws are often asserted along with a trade secret claim. Enforcement of a noncompetition contract or other restrictive covenant is a common example. But where alternative legal theories can be asserted under state law for what amounts to the theft of information – business torts such as conversion, breach of confidence and unfair competition – the issue becomes potentially more complicated. That is due to a section in the UTSA that declares the “displacement” of such claims in favour of the single statutory cause of action. Most states have interpreted this section broadly, making it impossible in those states to assert the alternative claims. When the DTSA was being considered, some commentators speculated that federal courts hearing DTSA claims might allow the displaced theories because the DTSA itself has no similar “displacement” provision. But in the only case that has directly confronted the issue, the court reasoned that alternative claims displaced by the law of the relevant state could not be revived merely by bringing them together with a DTSA claim in federal court.
Protection for whistleblowers under the DTSA was expressed as “immunity” from liability under any state or federal trade secret laws. That term has special significance under US Supreme Court decisions, requiring that district courts promptly determine whether a defendant enjoys the privilege and if so dismiss the case. However, most immunities are immediately apparent by a person’s undeniable status, such as a government official. DTSA immunity is qualified not only by the requirement that the individual disclose information in confidence to law enforcement or to an attorney, but that the disclosure be made “solely” for the purpose of “reporting or investigating a suspected violation of law.”
In the only case that has construed this provision, the employee had taken confidential documents and provided them to his attorney, who asserted that he was reviewing them for possible disclosure to the authorities. The employer filed for an injunction requiring the documents to be returned, and the employee moved to dismiss on grounds of immunity. The judge issued an order that the documents be surrendered to the court, and he refused to dismiss the case, noting that it was not possible on the record to conclusively determine that reporting to law enforcement was the employee’s “sole” objective.
Critics of the decision have argued that immunity must be determined as a first priority, and that it undercuts the purpose of the statute to subject a whistleblower to any litigation risk or expense. Some have suggested that courts will develop a procedure similar to that used in connection with challenges to personal jurisdiction, in which discovery is allowed only on the relevant predicate facts, which then can properly inform a motion to dismiss.
Trade secret owners and their counsel appear to have embraced the DTSA eagerly, seeing in the federal forum a familiar and more reliable environment for resolving disputes. But even though one case has already gone to trial (resulting in a verdict for the plaintiff), most cases are still in relative infancy. As they mature we can expect substantial progress in the developing federal jurisprudence. If all goes well, federal courts will influence not only each other but also the continuing development of state laws that closely align with the DTSA, leading to the greater harmony and efficiency in trade secret enforcement that Congress intended.
In the recent lawsuit filed against Uber by Waymo for hiring the head of its driverless car project, what would have been a normal discovery dispute over access to a report suddenly became a lot more complicated when the former Waymo executive asserted the fifth amendment, claiming that forcing disclosure of the document could incriminate him.
Trade secret litigation between companies is common, but criminal charges—or the threat of them—isn’t. So how is it that commercial disputes become criminal?
The answer usually is that the trade secret holder believes it has very strong evidence of theft and decides to approach the authorities. If you are located in a state with criminal trade secret laws, you have a choice of reporting to the county prosecutor or going to the FBI or Department of Justice, who operate under the authority of the Economic Espionage Act. In a number of states, and in each of the 93 federal districts, there will be prosecutors and investigators trained in handling technology cases. If yours seems sufficiently serious, they may agree to take it on.
But would you want them to? The answer may not be obvious. Certainly, the advantages of referring your trade secret claim for criminal prosecution can seem compelling. Considering the costs and risks of typical civil litigation, the idea of calling in the resources of the public prosecutor and sitting back to watch them annoy your adversary is attractive. So the first advantage is cost. Even though you will still have to spend time to teach the investigators and prosecutors about your industry and the facts of your case, you will be spared the disruption and expense of pretrial depositions, since the discovery process is very limited. And even if you have your own lawyers monitor and coordinate the proceedings, you stand to save a great deal over what you might have had to spend in regular civil litigation.
Second, the results of a successful criminal prosecution can sometimes get you to a civil settlement quickly and with maximum leverage. If the defendant pleads or is found guilty, that result is binding in a civil case and the only issue becomes the kind of remedy or amount of money that should be awarded. And it doesn’t work the same way in reverse. If the defendant is acquitted, the civil case can still proceed and can result in a judgment for the plaintiff. The reason is that the burden of proof (beyond a reasonable doubt) is so much higher in a criminal case. In this sense, using the criminal process is a no risk proposition for the victim.
The third major advantage is speed. Many trial courts are blocked in a logjam of civil litigation, with some cases taking years to get to trial. (Of course, if your case is decided and settled on a preliminary injunction, you can complete the process much faster.) However, the criminal case, unfettered by an extensive discovery process and having special preference on the calendars of most courts, will usually move to a conclusion fairly quickly. And considering the distraction from productive work that usually comes with this kind of case, faster is almost always better.
Fourth, the criminal process gives you a remedy that is usually unavailable in civil litigation: the search warrant. There is always an advantage to seizing evidence before anyone has had a chance even to think about altering or destroying it. And it’s hard to imagine a more impressive way to get someone’s attention than to be visited by armed law enforcement.
Indeed, one overriding advantage of criminal prosecution is its deterrent effect. Because trade secret theft is infrequently prosecuted, the news will travel fast to other employees, vendors, and competitors who might be inclined to be loose with your data. Unless the prosecution is badly mishandled, it almost doesn’t matter what is the outcome of the process. You will be known as having such a serious concern for your rights, that you will call in the police.
So if using the criminal process is such a great idea, why not pursue it in every case? Why bother at all with the expense and uncertainty of civil litigation? To begin with, you may not be able to get the prosecutor to take your case. Even where the authorities are enlightened and enthusiastic about trade secret matters, they want to take on only the ones they can win under the burden of a “beyond reasonable doubt” standard.
But there are a number of potential pitfalls and disadvantages in using the criminal system. First and most important is loss of control. You’ve passed the ball to the prosecutor, who will now call all the plays. Once you’ve started the procedure, you can’t stop it. Most prosecutors will consider input from the victim in deciding what risks to take or whether to dispose of the case before trial. But even though the prosecutor is a lawyer, you’re not the client; the state is. It is the interest of the government in punishing wrongful conduct that controls a criminal case. As a result, the prosecutor has the final say in what happens.
This dimension of the process can be especially frustrating when you want to settle, having achieved your goal of protecting your data. But no matter what agreements, orders, or money the defendant offers, you cannot make the criminal case go away.
Another aspect of this loss of control surfaces when you try to bring or continue a civil suit at the same time that criminal charges are pending. In the typical case of surreptitious misappropriation, you need access to the defendant’s testimony and documents to prove your claim. Ordinarily you get this through discovery. But when a criminal action has been filed, many of the records are in the hands of the authorities, having been seized in executing the search warrant. And if you try to take the defendant’s deposition, you’ll get a refusal to answer based on the right against self-incrimination. In effect, there’s nothing more you can do.
Because trade secret theft is not often prosecuted, you face another risk: the police or prosecutor may mishandle the case in any number of ways. This is especially true with technology matters, where sophisticated handling may be required to preserve secrecy or prevent damage to evidence.
Indeed, another drawback to the criminal process is the possibility that the very information you are trying to protect may be even more widely disclosed. Remember that the criminal defendant has a right to a public trial. Sometimes defendants will exercise this right to the maximum, hoping that the risk of further disclosure will convince you to ask that the charges be dropped. Although the judge will normally issue orders limiting access to confidential information, this may precipitate risky confrontations over just how much of your data actually qualify as trade secrets. In deciding these issues, the judge may be affected not just by the defendant’s demand for an open trial. If the case is at all newsworthy, the press will be pushing to open the courtroom and get access to the records. And not far behind them may be your competitors.
Finally, remember that the public prosecutor may not be able to achieve your goal of winning the case. The burden of proof is very high, and this fact may allow the defendant to “slip through.” In addition, even a very good trade secret case can be lost through lack of resources. There may be few expert witnesses and consultants available to the government to develop the most convincing presentation. In the end, this too is an issue of control: if you want to be able to determine how the case is managed and how vigorously it is pursued, you may have to do it yourself, in the civil courts.
During a recent seminar I was asked, “What can companies do to stop the loss of trade secrets to places like China?” The questioner seemed stressed and a bit angry, perhaps reflecting a certain frustration that there may not really be an answer. While I can understand the concern, and although there is no way to entirely eliminate information security risks when doing business overseas, we certainly can reduce them.
The modern commercial environment is inescapably digital and global. Long supply chains and open innovation strategies require sharing valuable information with actors in countries where legal protection systems are not robust. Companies increasingly employ foreign nationals, both in the U.S. and in installations abroad. And just like any other employees with knowledge of your secrets, they tend to move about.
The legal backdrop for all of this can seem confusing. If you look at the WTO standards for trade secret protection laid out in the 1995 TRIPS Agreement, they look pretty solid. (They also look familiar, since they were adapted from the Uniform Trade Secrets Act.) But the problem lies in enforcement. Bringing a trade secret claim requires access to proof, and civil law countries don’t provide discovery. So you need to perform your own investigation and then deal with the local authorities. We’ll look at some things you can do to improve your chances in litigation; but first let’s consider how to manage relationships to avoid problems in the first place.
First, you need to set a strategy for handling your most valuable data. Inform yourself about the places where you think you might have to expose that data; what cultural differences might influence the way that people there will respect your rights? Are there local laws and policies on employee rights that could affect the trustworthiness of the people who will have access? Some cultural practices, such as the acceptability of “trading favors” or the ability of friendships to trump business obligations, could alter your risk calculus. Note that we are dealing here with the classical “insider threat” through which most critical information is lost. Whether the loss occurs through some electronic connection is not the point; the weak link is the personal actor.
And so in addition to the local cultural and business environment, your strategy has to consider the various relationships that will be implicated: collaborators, outsourcing partners, vendors, distributors and even customers can be vectors of information loss. If you intend to operate through a local subsidiary or establish your own local research facilities, then these too will become “endpoints” in your connected network. Finally, consider how these relationships will play out with other actors in other countries where you have operations.
As in any risk analysis, you have to be sufficiently informed about your environment so that you can make intelligent decisions about your appetite for risk. In this context, that means having a thorough understanding of what information assets you own, how quickly their value degrades, and what are the likely threats of loss. Understanding all of this will help inform the decisions you make about particular deal structures, or about how you package your secrets and where you send them.
Some governments require that, as a condition of entering their markets, you may have to license your relevant know-how or other intellectual property to a local partner. In its most benign form, these requirements are intended to provide a kind of “training” to local industries, to help them move up the value chain and become more productive. In a darker sense, they can also be simply a way of forcing technology transfer to favor domestic companies. Either way, you need to consider the risk of loss as a cost of entering, or staying in, that market.
Some foreign laws regulate contracts, including nondisclosure agreements, to impose time limits on confidentiality. This can provoke surprises when dealing with local licensees, so if the information is particularly valuable look carefully at these restrictions, and at competition laws that regulate issues like territory or use restrictions on dealing with your data.
Of course, some local partners can be very valuable in helping a business succeed, by applying their special knowledge or connections. And some markets, such as China or India, are so huge that the risk of some information loss is deemed acceptable. The point is not to avoid doing business in these places because they are risky, but to consider carefully the nature of the risks so that you can make smart decisions.
Legal issues are only a part of the picture when considering foreign operations. Because trade secret protection fundamentally relies on trust, your first line of defense is the integrity of the people you will be dealing with. So employ a “know your partner” rule. Thoroughly investigate before establishing the relationship, and carefully monitor and manage it throughout. This applies to the usual external relations with collaboration or outsourcing partners, vendors, distributors and customers. It applies with special force to your local managers, who will have ongoing access at some level to inside information, and they should be subject to extensive background checks (as well as solid contracts and ongoing training and close supervision).
For each of your potential corporate partners ask: how well can I trust this company? What will it do to protect the secrets that I will disclose to it? Here, beware of the common but threadbare promise to protect your secrets with “the same level of care as is applied to its own.” Instead, get specific about exactly what they do to manage confidentiality. What sort of contract (confidentiality and noncompete) program do they have in place with their own employees? What is their training program for trade secret protection? Do they do background checks on their employees? What procedures are in place for physical and electronic security? How sophisticated and well-enforced is their own information security policy? Will they subcontract any of the work they are doing for you, and if so how do they protect against problems with the subcontractor, or with that company’s subcontractor? What has been the history of the company’s other commercial relationships? Does it have ties to the government?
In the U.S., contracts are important, but the law often will imply a confidential relationship, such as with employees or a long-standing supplier. The same is not true in most of the rest of the world, where secrets are often legally protected only by contract law. And the difference is even greater when it comes to remedies and enforcement in case of a breach. When dealing with foreign actors with access to your information, what’s in the contract is the most important factor.
Be very detailed about what information is to be protected, and how. This includes who is to get access and for what purposes. Also be specific about exactly what protection measures you expect for the facilities where your information will be kept, the IT systems that may be used with it, and procedures to be followed for return of materials at the end of a project. Where possible, require downstream agreements with all individuals and companies that may be given access (including noncompete provisions where allowed by local law), coupled with recordkeeping that will make monitoring compliance straightforward and easy. In fact, you may want to specify the content of these downstream confidentiality agreements to be sure that they name your company as the beneficiary of the secrecy obligation; in some countries, you may not be able to assert a claim if you are not named in the contract that binds that specific person or organization.
Expect to have to do more to manage and verify compliance when you are dealing with foreign relationships. Be sure that your partner is obliged to tell you when someone leaves the project team, and to take specific steps to follow up and ensure that confidentiality is respected by the departing employee. Require advance approval for any subcontracting. If you can get it, include an indemnity clause that puts the risk of loss on your partner in case there is a problem that happens through the people or companies they work with. Provide for regular audits and any other monitoring procedures that might be helpful.
Where possible, include specific and substantial penalties for any breach of confidentiality. Foreign courts may sometimes recognize these contract clauses and award much more than would have been available as normal damages. To ensure the most robust remedies, try to get the other side to agree to U.S. jurisdiction in the case of any dispute. (This may be most effective with companies that have existing relationships or assets in the U.S. that they want to protect.) Consider including an arbitration clause, which some foreign jurisdictions may be more likely to enforce than a general concession to U.S. jurisdiction. Arbitration has the advantage of privacy, and often can produce more effective remedies than you can get directly from a court.
While contracts are important, the most detailed agreements are not a substitute for close, even obsessive, management. Don’t take anything for granted, and follow up on every issue. Even though it will take up more time, you will be better informed, and your intense attention will serve a message that you are serious about protecting your rights. Encrypt and document all communications. Mark every document prominently as confidential, and create special procedures for handling particularly sensitive records.
Make information security a positive objective for your partner. Create incentives that are connected to good security outcomes. Encourage quick and full disclosures of any problem, including reports on what departing team members are doing. And provide (don’t just require) continuous secrecy training to every person who has access to your data.
Before making any substantial investment in a foreign location, retain legal counsel who is familiar with the practical realities of the jurisdiction and has helpful connections with local law enforcement. It’s not just about the content of the laws, but about how to get enforcement when there’s a problem. Are there special restrictions on employee confidentiality or invention assignment agreements? Do employees have to be paid special compensation for their inventions? Are injunctions available? How much proof do you need to win? What damages can you expect to recover? What are the risks of pursuing a claim in litigation?
One time-tested strategy for managing risks to your trade secret is never to let one person know all that’s necessary to make it valuable. Brought to scale for large organizations, this divide-and-allocate approach can include:
For example, automotive manufacturers going into developing countries have resisted doing their research and design work there. And when Sony increased its manufacturing in China, it clarified that some very important parts, such as the PlayStation game controller chip, would always be made in Japan, for security reasons. These strategies may not be sustainable in the long term, so be realistic about how long it will take for your current secrets to be compromised, so you can be working on making them more or less obsolete through your next generation technology.
Whether or not you establish facilities in foreign markets or enter into relationships that require sending your technology there, you or your colleagues will be “carriers” of your company’s secrets whenever you travel. Here, apply equal doses of common sense and paranoia to avoid mistakes. Consider replacing your electronic gear – laptop and phone – for travel with stripped-down versions that contain only the applications and (encrypted) files you will need for this trip. Have them examined and “scrubbed” on your return, so that you can know whether there has been any attempted compromise and whether it is safe to transfer your updated files. While in the foreign country, assume that all internet traffic is watched and recorded. Always use encryption, and where possible use a Virtual Private Network (VPN) to connect to the internet. Avoid all public wireless networks. When in meetings, assume that conversations are being recorded.
Trade secret litigation is hard, expensive and disruptive. Doing it in a foreign jurisdiction can be all of those things but worse. So first try to find a non-litigation solution to the problem. If that can’t work, consider whether it might be possible to sue only in the U.S. If that is not an option, then consider this:
When we think about trade secrets, we usually focus on keeping our own data safe. But an even bigger risk comes from hiring employees who can infect our systems with confidential information from a competitor. Companies often learn this the hard way. Boeing’s hiring several managers from Lockheed led to a $615 million fine and indictments of the individuals. Hilton poached two Starwood executives to create a competing hotel brand, but they came with thousands of documents and prompted a lawsuit that killed the project and cost $150 million to settle. Recently a similar situation at Zillow required a $130 million settlement.
Contamination also happens through lower level staff. In a survey by Symantec, over half of employees who left their jobs reported keeping data that belonged to their employers, and most of them planned to use it in their new positions. And perhaps most worrying, 68% of them said that their current employers take no action to protect against improper use of third party data.
Worrying but perhaps not surprising. As in other aspects of human behavior, denial plays a leading role here. Employees, anxious to please and “hit the ground running,” convince themselves that downloading a few files for “reference” isn’t wrong. And employers in competitive industries, happy to get access to experienced talent, often ignore the warning signs.
The bad news is that, left alone, third party data infection can gestate for many months or years while it worms through a company’s systems, projects and products, emerging to cause disruption and lawsuits, often long after the bad actors have moved on. The good news is that this is a risk that can be managed, and in the process you can also help prevent your own information from leaking outside the company.
In highly competitive industries with high labor mobility, recruiting poses a conundrum that many managers prefer not to dwell on. The best new employees come from the competition, because they’ve got “relevant experience.” But extending this logic increases the risk: the perfect hire is the one who comes with whatever it takes to solve our problems and leapfrog ahead: the one who has worked on an identical project or product and knows the competitor’s strong and weak points. Any company that projects ambivalence about these ethical risks is bound to attract individuals who are prepared to take risks too, increasing the chance of a trade secrets train wreck.
Proper management of the process begins with designing and advertising the recruitment. What will the announcement say about the job requirements? Ideally, the qualifications should be expressed in generic terms, avoiding anything that could be interpreted as trolling for a source of competitive data.
Of course, if the recruiting isn't entirely honest, and the company is interviewing the competitor's staff in order to find out what they're working on, that's a different kind of risk, layering fraudulent motives on an already tricky transaction. So establishing clear policies and providing appropriate training for the recruiters is critical.
Indeed, guidance and training are especially important for those who conduct the pre-employment interview. Guided by a checklist (see box for a sample), they should be motivated to learn only what is needed in order to assess the candidate's general knowledge and skill set, that part of their experience that they are entitled to take with them. This basic rule has to be communicated to the candidates as well, warning them that they are not to reveal sensitive information of any kind.
This should be confirmed with a brief acknowledgement like this one:
To: Widgets, Inc.I am applying for employment with Widgets, Inc. I assure you that:
Dated: ________________ Signed: _________________________
Occasionally you will want to bring on someone who has been a key performer for a competitor. Highly-placed managers in research and development or marketing are especially likely to cause serious concern when they change jobs. Even if they aren’t subject to a non-compete agreement or a post-employment invention assignment (both issues that require specialized advice), hiring them from a competitor can provoke a lawsuit based on the idea that the person knows so much, and the new job is so much like the previous one, that they can’t possibly do the new one without compromising the confidential information that they know. Whether or not a court might issue an injunction based on a threat of "inevitable disclosure" (a subject for another newsletter) is not the main point; merely provoking litigation is harmful enough.
So when you're dealing with one of these high-level hires, always get advice of experienced counsel in order to identify all the risks and potential mitigation strategies. In special cases you may also need to pay for an attorney for the candidate, to provide a buffer of independent advice on how to leave the current job "clean" and reduce the likelihood of a lawsuit.
You face a similar kind of heightened risk when trying to hire a group of employees from a competitor. The competitor’s speculation is easy to understand: with so many qualified individuals out there, the only reason for going after most or all of a team can be to cause damage, and perhaps also get access to an array of special knowledge that will allow your company to move into a new area or product line, implying an intent to steal trade secrets. This, the competitor will allege, is a “raid." Litigation is likely.
Here, we have to confront the same paradox represented by the “perfectly informed” individual hire who knows everything about what the competition is doing: the potential value is high but so are the risks. And those risks can be much higher with a group, not only because there are more people to make mistakes, but also because the competitor is more likely to feel injured and take aggressive action.
The most common source of a group hire is a current or former manager of the team. Consider someone you already employ who used to be a manager for one of your competitors. One day he or she announces a “great opportunity” to capture some extraordinary talent, a group of people who have let it be known that they are ready to consider leaving. The manager knows them all personally, can tell you who are the stars, what special projects they worked on, and even how much you might have to offer in order to get them to move.
This may in fact be an excellent opportunity, but it is filled with risk that has to be managed. The manager likely has special obligations not to use information about the candidates that was learned while leading them. Your first step normally should be to separate your current employee from the recruiting process. Then bring in legal counsel to make sure that you have protocols in place that reduce the worst risks and that cloak your discussions with a privilege against disclosure, in case there is a lawsuit.
Once these precautions have been taken, you can proceed with interviews, ensuring that the same sort of warnings are given and documents signed as would be required for a single individual. Throughout the process, you should communicate to all involved that the company has a strong policy of respecting the rights of others, that your interest is only in the candidates’ general skills, and that you insist that none of the competitor’s confidential information find its way into your organization.
The company’s culture of respect for others’ information rights should be reinforced during the orientation process. As with the pre-employment interview, your goal is to impress on new employees the importance of coming to the new position “clean.” They have to understand that there is no advantage – and there is considerable risk to them personally – in trying to prove themselves by bringing with them the work they did before.
The “on-boarding” process can be a real opportunity to reinforce the importance of the company’s policies and the confidence you have in the new employee’s ability to get the job done only with the skill and general knowledge that they have accumulated during their career. Be sure to go carefully through the various forms and contracts that have to be signed, and make sure that the new hire knows where to go to get answers or address any concerns about information security.
Hiring consultants and contractors poses more risk than regular employees. Because the relationship is short there is less loyalty built into it, and management needs to be tighter. Also, contractors have often been working recently for competitors, and consultants typically are doing that simultaneously. They bristle with current and potentially dangerous information. Required to do the best they can for you, they engage in mental gymnastics to keep all of their known data properly categorized and walled off.
As with other areas of information security, this is a problem of risk assessment and management. You need to protect yourself first with contracts that make it clear that you don’t want importation of anyone else’s confidential data, putting responsibility on the consultant to prevent that. But before entering into the arrangement at all, you should confront any potential conflicts of interest, forcing the consultant to consider and articulate exactly how your concerns will be met.
Recently I shared the podium with an FBI agent who was asked what frustrated him the most when trying to help businesses with trade secret theft. His answer was a surprise: they fire the guy too fast! He explained that when you discover someone might be mishandling information, your most important objective is to know what’s going on, and you could learn a lot more by keeping them around and watching what they do.
That observation stayed with me as I pondered what many have accepted as standard operating procedure: when you are told that someone is leaving for the competition, walk him (or her) out the door immediately. The idea is to avoid having a provocateur in your midst, someone whose lost loyalty might rub off on others. But while that’s understandable, it may not always be smart, especially in the age of electronic communications.
I have seen too many cases where the company has reflexively marched the employee out, only to learn later that they spent their time that day at home, wiping data off their laptop. Whether they think they’re doing you a favor or covering their tracks is not the point; you may have lost the best proof of what they’ve been doing that puts your confidential information at risk.
When you first learn of a departure, you are engaged in triage with two parallel priorities: find out what’s going on, and lock down the evidence. In most circumstances that may give you time for an initial meeting to get some details and perhaps try to turn the situation around. But you also have to be ready immediately to take actions that guarantee you get control over your data.
The initial investigation is low key, brief and uses internal resources. Talk to the supervisor, find out what the departing employee knows and the apparent level of risk presented by the departure. Identify relevant contracts, especially noncompete, nonsolicitation and invention assignments. Get a quick read on any unusual recent behavior, including attempts to access information outside normal areas of responsibility, emailing documents to a personal website or uploading to a cloud storage site.
At this point you may be ready for an initial meeting to confront the employee with any disturbing facts or inferences and make a further assessment of the risk. Where are they planning to go and what will be their responsibilities? How long have they been looking at this? What are the attractions of this new opportunity, and what are the negatives with their current position? If you don’t want to lose them, ask about their willingness to change their mind and stay. If not, make sure that no one else is involved in the move, and assess whether there is any project that would be seriously hurt if they left immediately. (If so, then you might want to arrange a carefully controlled and swift transition process.)
Now you need to find out where all of your data are located. Where are the company laptop and other mobile devices, including USB drives and security keys? Is anything on a home computer system, in personal email accounts or stored in a cloud account such as Dropbox? All of these assets, as well as physical files, need to be located and secure in company premises. Be sure to emphasize clearly – and confirm this in writing – that nothing is to be deleted, even personal files, until the exit interview that will be scheduled to debrief and to separate personal from company data.
If the employee has given notice of willingness to stay on for a period of time, you can take them up on that without necessarily having them be present in the facilities. Beyond tasking them with gathering and producing all company devices and data, and remaining available to answer questions, you may want to just send them home. Preserve evidence by duplicating (preferably through a forensic service) all of the drives and accounts to which the employee had access. And avoid any new damage by terminating the employee’s access to electronic systems.
The initial phase is often completed in the same day that notice is received, and in the process you will have made a basic assessment of the significance of the departure and the level of risk it poses. If that assessment is moderate to serious, then the next step will often involve bringing in outside counsel to perform a deeper investigation. This carries several advantages. First, the entire process will be protected against disclosure by attorney communication and work product privileges. Second, you will have the benefit of specialists who know what questions to ask and how far they can properly and usefully dig for the story. Third, you will get sober, independent advice that is not affected by the emotional reaction of some managers when troublesome departures happen on their watch.
Outside counsel can assist with tying down the forensic record and reviewing it for evidence of improper behavior. They will help you prepare for the exit interview, and in some circumstances they may participate in that process. More typically you will conduct the exit interview internally, with two primary goals: first, learn as much as you can about where the person is going and what they are going to do; and second, deliver a clear and firm message about the importance of respecting their legal obligations, and the consequences if they don’t.
Here is a common exit interview checklist:
I certify that I do not have in my possession, nor have I failed to return, any files, data, notebooks, drawings, notes, reports, proposals, or other documents or materials (or copies or extracts thereof) or devices, equipment, or other property belonging to XYZ Corporation.
I also certify that I have complied with and will continue to comply with all of the provisions of the Proprietary Information and Employee Inventions Agreement which I have previously signed, including my obligation to preserve as confidential all secret technical and business information pertaining to XYZ Corporation.
Following the exit interview, review the results with counsel and formulate a strategy. In most cases, the only followup will be a “warning letter” addressed either to the employee alone or also to the new employer, noting the company’s concerns, citing any relevant restrictive agreements, and offering the assumption that everyone will comply with their obligations. A variation on this approach might include a request for a meeting to discuss assurances required to provide comfort that the employee will not be placed in a position that will imperil the integrity of your data.
Of course if you believe that there’s evidence not just of risk but of actual misappropriation of your trade secrets, you need to take prompt action. You should have outside counsel involved immediately, to help you balance the need for a basic understanding of the facts with the imperative of prompt legal action. But where you can afford the time to prepare before you act, your decisions will be better informed and less likely to cause collateral damage.
Whistleblowers – The first court opinion addressing DTSA whistleblower immunity (18 U.S.C. §1833(2)) was issued on December 6 in Unum Group v. Loftus, 2016 WL 7115967 (D. Mass.). The plaintiff alleged improper taking of company documents by an employee and requested an injunction prohibiting their copying and compelling their return. Although evidence suggested that Loftus had only provided the documents to his attorney for investigation of wrongdoing, the court determined that it could not resolve that fact question and ordered the documents surrendered to the court. The decision has provoked criticism. See link.
China – During the annual meeting of the Joint Commission on Commerce and Trade in DC in November, China announced various improvements to its law and practices on trade secrets, including evidence preservation and calculation of damages. See link.
On January 9 the USTR issued its report to Congress on China in the WTO, noting that China was strengthening its trade secret legal framework, but that the “protection and enforcement of trade secrets in China is a serious problem”. See link at page 9.
On the same day the U.S. Supreme Court declined to hear an appeal by Sino Legend Chemical Co. from a decision of the ITC barring certain imports into the U.S. The appeal sought to challenge the Federal Circuit’s ruling in TianRui Group v. ITC, 661 F.3d 1322 (Fed. Cir. 2011), approving ITC jurisdiction over trade secret misappropriation occurring entirely outside the U.S.
APEC – In November, the Asia-Pacific Economic Cooperation (APEC) group of countries issued a statement approving a set of eight “best practices” for trade secret enforcement at the national level, including providing for both criminal remedies and civil remedies that include damages, injunctions, seizure of goods and cost awards, as well as procedures to obtain and preserve evidence. See link.
Published in the George Mason Law Review, Volume 23, Number 4, Pages 1045-1078
The trade secret laws of most countries – including the recent U.S. federal Defend Trade Secrets Act – contain the same requirement: in order to enforce its rights, a trade secret owner has to show that it has made “reasonable efforts” to protect its information from loss. In other words, before judges get involved in your dispute, they want to know what you’ve done to help yourself.
But what’s “reasonable?” The laws don’t tell us. Like the “reasonable person” standard in negligence, courts are supposed to decide each case in the context of its unique facts. That said, looking back at several decades of decisions, we can get a good sense of the principles at work, and also how they may be shifting as the business environment becomes more digital and more global.
The good news is that the standard is flexible, taking into account the value of the information, the risk of loss or contamination, and the cost (in money and effort) of measures to reduce those risks. For most businesses, this means simply taking a close look at what drives your competitive advantage, and then applying ordinary risk management analysis to define the broad outlines of a protection plan. In practical terms, this can lead to a variety of specific actions, including the basic ones you find on a lot of checklists with items like confidentiality agreements, IT system access controls, staff rules and training, and facilities security.
So if you’re following one of those checklists, you should be fine, right? Not necessarily. Although judges historically have been forgiving of less-than-robust security measures, they now seem to be paying much closer attention to this issue, and have even thrown out claims without trial where the trade secret owner has been sloppy in its practices.
The best known of the early cases was decided in 1970. DuPont had been building a new chemical processing plant when the construction manager noticed a low-flying plane making several passes over the site. It turned out that a competitor had hired the plane to take aerial photographs of the layout of the facility, which would reveal information about the secret process that DuPont intended to use. Forced to defend its actions in court, the competitor argued that it was just taking a look at what was in plain view. The judge thought that was preposterous, calling the surveillance a “schoolboy’s trick,” explaining that DuPont didn’t have to pitch a tent over the construction site in order to protect its secrets, and that the competitor was guilty of misappropriation by “unfair means.”
So the DuPont case taught that judges will not be too demanding when it comes to the amount of self-help that they expect from trade secret owners. However, in a 1999 case a federal judge granted summary judgment to a defendant in part because the confidentiality legend on the plaintiff’s secret document was deemed not large enough. This result aligns with my personal experience, indicating that today’s courts – and federal courts in particular – are more skeptical and less forgiving than they used to be on this subject.
Context is everything, and circumstances change with time. The expectation of privacy from the skies is less settled today, with Google Earth and other satellite imagery readily available, not to mention the thousands of privately owned drones. The same point applies with even greater force when it comes to computer system security. With the proliferation and increasing sophistication of hacker networks, the risk profile for most businesses has changed dramatically in the last several years. Just ask Target, Sony, Anthem, and J.P. Morgan.
Naturally, as the risks increase, the market responds with tools and systems to prevent cyber attacks, or at least discover them early and frame an appropriate response. And government agencies, most notably the National Institute of Standards and Technology, have suggested frameworks for managing cybersecurity risks. It’s not hard to imagine that these voluntary processes may over time be interpreted by courts as best practices, and even as minimum standards of conduct.
Bottom line: what constitutes “reasonable” efforts is dynamic, and expectations may be increasing, so pay attention. Of course, there’s more to self-help than just preparing for litigation. Don’t confuse the minimum requirement to get into court with the practical goal to prevent loss and contamination of your most valuable assets. To keep your information secure and clean, you should think beyond “reasonable” efforts.
I was giving a talk recently when a senior executive asked me, “If we have the time and resources to focus on just one thing to improve our information security, what would you suggest?” I didn’t hesitate: “Train your workforce.”
As we know from multiple studies, the biggest threat to information assets comes from “insiders,” which means (mostly) your employees. It’s not that you have a team packed with spies; but employees notoriously misunderstand their confidentiality obligations. In a recent survey of software engineers, 55% reported that they thought it was acceptable for them to take their work product with them when leaving the company – and that they intended to do it!
But not understanding the rules is only a fraction of the problem. The main challenge lies in a negligent attitude, a mental fog of inattention that can lead to mistakes.
What kind of mistakes am I talking about? The kind that make you slap your forehead in disbelief. The sales manager at a trade show who, excited about closing the deal at hand, lets slip the existence of an unannounced product. The engineer who brags to his friends on Facebook about a patent application he’s just filed. The R&D director who hires someone from his former employer in order to get an “update” on what they’ve been doing since he left. The business development executive who examines potential licenses of technology without walling off company employees who are working in the same area. These are the kind of mistakes that provoke litigation, and they are all preventable.
Good training is the single most cost-effective step you can take to reduce the risk of information loss or contamination. What makes for an effective training program?
Whatever IT systems or management processes you deploy to mitigate the risks to your trade secrets, those systems and processes are operated by people. So the way that they engage is critical to success. Training reinforces their focus and attention.
This is especially important with today’s workforce, a population that has never been more distracted. Think about it: for years now, social media have been silently encouraging people to use their laptops and smartphones to share every last detail of their personal lives. Sharing information is a good thing, and the more the better. When these same people come to work the next morning and connect their mobile devices to the company network, can we really expect them to shift their mindset and suddenly become models of discretion? Remember, a great deal can be revealed in 140 characters.
Here are some principles for designing an effective training program.
First, make the process inclusive. Not just people who you think are most likely to be exposed to confidential information, but everyone in the company should understand the importance of the issue. Even contractors, consultants and interns should be part of the effort. In fact, they may be even more important because they have inherently less loyalty and are more likely soon to be working somewhere else.
Second, make the training interesting. To keep it fresh and positive, consider using specialized vendors or products that can present serious material in a lighthearted but memorable way, rather than relying only on internal managers to conduct classes.
Third, don’t focus exclusively on protecting information from loss or leakage, but also from contamination. This happens most frequently from new employees who think they’re being helpful by passing on what they learned at their last job. So focus on the on-boarding process and train employees to recognize off-limits information.
Finally – and this is the most important principle – be sure that training is not an event but a continuous process. A single orientation video is not enough. Follow up with email tips, stories, and refreshers. And if business conditions worsen and you start to lose employees, this is a time to increase your training effort, not cut back, because the people who remain represent the source of your intellectual capital.
Let me emphasize that last point. Training is not about ticking a box. You are conditioning the attitude of those who are the primary handlers and protectors of your most important and vulnerable assets. Pay attention to that attitude and they will pay attention to your assets.
“The greatest victory is that which requires no battle.”
— Sun Tzu
Recently I got a call from a client who had just received a letter from a competitor, complaining about an executive the client had hired, and threatening to sue. My client was a young company that had never experienced this sort of threat. But they were less worried than they were angry, and viewed the competitor with more scorn than respect. They wanted to know if we could strike first with our own lawsuit and how long it would take to prevail, as they were sure they would.
Indeed, emotions were running very high on both sides, mostly due to assumptions fueled by an absence of information. The former employer suspected that the executive, who had been evasive about his plans during his exit interview, was working on similar projects. The client believed that the threat was made in bad faith to slow them down, and that an aggressive response would force the other company to relent.
Unlike patent cases, trade secret disputes hinge on issues of fault. Emotional themes frequently dominate the background: breach of trust, treachery, revenge, resentment. But emotions shouldn’t drive decision-making. This is particularly important for a defendant, for whom there is usually no upside, since even “winning” is an expensive distraction. So maintaining objectivity and detachment is critical to the defendant’s primary strategic goal: get out and get on.
Happily in this circumstance, we were able to get the parties in front of a skilled mediator, who helped each understand the other’s perspective, correct some mistaken assumptions, and find a way forward that even left the door open for future collaboration. How different things would have been if the sword had been unsheathed . . . .
For more on this topic, please read my white paper, titled "How to Respond to a Claim of Trade Secret Misappropriation".