In over 40 years of handling trade secret disputes, I have seen plenty of “successful” results, but never a time when my client said, “Gee that was fun; let’s do it again!” They may tell me they’re happy with the outcome, but hey, I know that it also feels good to stop hitting yourself with a hammer.
It’s a fact that more than 90% of trade secret cases settle without a trial. But too often those settlements only happen after years of litigation. There are ways to make that process less painful, and in an earlier article we looked at the advantages and limitations of arbitration and private judging as means to recapture some amount of control over the dispute. But unless the parties already had an arbitration agreement before the problem arose, one of them will probably see an advantage to playing it out in court.
There are plenty of ways to spend time and money in these cases. They begin with a struggle over what the trade secrets actually are. That can take months, even years, while the lawyers also fight about each side making available its documents and witnesses. Sometimes millions of documents and dozens of witnesses. All this is to prepare for a possible trial where, as experienced lawyers will tell you, the outcome usually hangs on just a handful of records and a few critical bits of testimony.
Approaching closer to the actual trial, reality and exhaustion tend to combine, leading the combatants to settle, primarily as a way to avoid looming risk. But this comes at an enormous sunk cost of money, energy and distraction from the actual business. At the end, the silent regret in the room is about not having arrived at this same place a lot sooner. So why do otherwise smart, calculating managers wait so long, and suffer so much, to get to a settlement?
Some apologists for the status quo will tell you that it’s necessary to press every procedural point in order to test the adversary, and that only when you have collected all of the records and examined every possible witness can you engage in “informed” negotiations. Plaintiffs’ lawyers will add that trade secret cases are all about stealth, so there must always be more that the defendant is hiding. Defendants will point out that the lawsuit represents an existential threat to their business. Or, perhaps more likely, to their personal honor.
Why Emotions Drive Trade Secret Litigation
Anecdotal evidence from colleagues, and my own experience, suggests that trade secret warfare has such staying power because it is so often driven by the personal emotions of the participants. Here is the key distinction: unlike any other kind of intellectual property dispute, the trade secret case is all about fault in a relationship.
As I’ve said before, it was my very early experience handling divorces that prepared me for trade secret litigation. Whether it was about employees leaving to start a competing company or join a competitor, or between two companies that had been in some collaboration, there was a rupture in a relationship, and trust was shattered. Sometimes that trust had been built over years, as with the young engineer who was mentored by the company founder only to strike out on his own, or the start-up band of disrupters grown close by fighting the entrenched incumbents, only to see one of their siblings leave for greener pastures (or more stock options). Even in big companies, internal teams develop loyalties as they rely on each other through the tough times.
So when this happens, who feels hurt? Pretty much everybody. The colleagues left behind may include managers and co-workers who feel deceived and abandoned (probably not admitting a touch of envy). The accused misappropriator is startled and in deep denial that anything could be wrong. They may feel scapegoated by their former boss (that venal bastard who never liked my ideas anyway). And hanging over it all is that primal emotion called fear: how long can this go on, and what will happen to me? Again, even in the business-to-business environment, it’s tactically about blaming and avoiding blame, but emotionally about betrayal and treachery.
Not Just Stolen Code, But Bruised Feelings Too
Here lies the root of the problem: the dispute is not just about some software code or customer list, but (to varying degrees of course) about the need to resolve bruised feelings. And without thoughtful intervention, that resolution can take a lot of time.
This may be the point where you expect me to describe the wise and trusted lawyer riding in to solve the case. Sorry. Naturally, there are – ahem – wise and trusted lawyers out there, but often the most they can do is bring down the heat a bit and work to make the litigation process as efficient as possible. Again, emotions run high among the participants in the drama, and clients – at least at the outset of a trade secret fight – may expect their counsel to be warriors first, advisors second. And an outsider might say that the lawyers have a certain conflict of interest that may lead some of them (subconsciously) to want to prolong the struggle.
Indeed, there are lawyers who make themselves part of the problem by acting out, effectively channeling the emotions of their clients. My wife, Laura-Jean, who is a psychotherapist, tells me this is called “merger,” but a different kind than we think of in the corporate world. The lawyer, rather than acting the independent professional, “merges” with the client’s perceived emotional state and then acts on it. Thus, we have the lawyer who, a couple of years ago, threw a cup of coffee at her opponent in a deposition, deservedly leading to dismissal of the case.
Mediation is the Perfect Path to Settlement
In trade secret disputes it’s the responsibility of the lawyers not just to avoid tantrums, but to act in their clients’ interest by guiding them toward settlement early and often. Lawyers are in a position to appreciate when their clients have tunnel vision due to emotional overload, unable to see the actual costs and risks that lie ahead. It’s up to the professional to be practical and help the client look at the situation through a business lens. Naturally, it’s hard to make that shift in the midst of battle.
This is precisely why that other form of alternative dispute resolution, mediation, is the perfect method for resolving trade secret disputes. A neutral facilitator leads the process, allowing counsel to retain some attitude as an advocate. The mediator, as we all know from centuries of experience in relying on intervention from respected elders, is able to see alternatives that the parties can’t. While lawyers have their eye on a future trial, the mediator begins with the solid truth that there was a relationship here once, and so there are always opportunities to tap that reality and, in the process, satisfy some of the unspoken emotional needs that lurk behind the legal advocacy. And the mediator has a broader appreciation for the collateral damage that happens in litigation and can find ways to preserve third-party relationships that might otherwise be battered and lost.
Mediation is the natural, organic solution to the typical trade secret case that takes on a life of its own, becoming a soap opera for the participants. Properly engaged, even at the outset of a case, it supports the parties in identifying the real problems and preparing for solutions to emerge. And it doesn’t have to be a single event. Indeed, at its most effective, mediation is a process that begins as soon as the parties reach some inflection point in the case where it seems acceptable to involve a neutral.
Pick a Mediator Who Will Pick at Your Case
Unlike other, more procedurally predictable IP litigation, such as patent infringement, these inflection points can happen often in trade secret disputes, because judges make decisions that leave both sides dissatisfied, or some new piece of evidence looks like it might shift momentum. That doesn’t mean the litigation has to stop while talks go on. The first session with a mediator may lead to little more than an agreement to share certain information and prepare for a later conversation, while in the meantime the lawyers can consult with the mediator privately, building the kind of trust that will allow a deeper exploration of possibilities at the next stage.
Here’s an important tip: for trade secret cases you need a mediator that is “evaluative” rather than just “facilitative.” That means that the neutral will at some appropriate point share with each party in confidence their view of the merits of the case. Instead of just helping the participants listen to each other, the mediator proactively judges the direction that each side needs to take to find a solution, helping them to come closer – not necessarily to the middle, but to a place that will resolve all of the issues that led to the dispute. Often, the main issues are not about money, but about reputation, respect and cooperation.
Ultimately, the best mediators will help the parties restore some dimension of the trust that they had lost, perhaps discovering some opportunities that they never could have imagined if they had tried to resolve this on their own. And although my guess is that no one, regardless of the outcome, would ever want to re-enroll in Trade Secret University, we lawyers can improve the value of our services, and the happiness of our clients, by helping them to graduate early.
By Stefan Dittmer, Partner, Dentons, Germany, and James Pooley, Professional Law Corporation, USA, Members of the ICC Commission on Intellectual Property, International Chamber of Commerce (ICC)
Most kinds of intellectual property (IP), such as patents, copyrights, trademarks and designs, are rights granted by a government. But there is another right that depends only on the choice of an individual business: secrecy. The law protects someone who shares information in confidence with another, but does not require that it be registered with any agency. If there is a dispute, the legal system will sort it out.
Trade secrets have been part of commercial transactions for centuries, as a common and practical way for a business to maintain a competitive advantage. While other forms of IP are carefully limited to creative works that meet a very specific set of requirements, protection for secrets applies broadly to any information that is secret, that has some commercial value, and that the owner has taken some steps to maintain in confidence.
It is this breadth and flexibility of secrecy that make it so attractive, in particular to smaller organizations that may not have the budget to build a portfolio of registered IP rights. Every restaurant can have its secret recipes. Every beauty salon has its customer list and knows the individual preferences of its patrons. Every furniture maker has “tricks” to increase the efficiency or quality of the finished goods. More recently, secrecy has been identified as a means to protect unstructured data, for example, machine data produced in large quantities and used to fuel automation, or algorithms, another key component of the digital industry.
Trade Secrets: the other IP right, featured in an earlier edition of the WIPO Magazine, offers an introduction to trade secrets.
The laws of most countries, following the standards laid down in the Agreement on Trade Related Aspects of Intellectual Property Rights (the TRIPS Agreement), protect obligations of confidentiality in business transactions. The reality of continuing relationships means that the vast majority of those obligations are respected by the participants.
In the United States, trade secret laws had traditionally been a matter left to the individual states. A Uniform Trade Secrets Act was proposed to the states in 1979 and since then has been widely adopted, but with varying provisions that made enforcement on a national scale fairly complicated. In 1996, the federal government enacted the Economic Espionage Act, but it was limited to criminal remedies. Twenty years later, the US Congress passed the Defend Trade Secrets Act of 2016 (DTSA), which, for the first time, gave trade secret holders the option to file civil claims in federal court, offering a number of procedural advantages over state courts.
In effect, the DTSA has harmonized the rules that apply to trade secret disputes, and the number of cases brought in federal court has surged. As is true in other areas of commercial litigation in the United States, a claim can be made based on circumstances from which it can “plausibly” be inferred that the defendant has misappropriated a trade secret. After that, a broad array of “discovery” methods, including extensive document production and pre-trial taking of sworn testimony from witnesses, is used by both sides to uncover the relevant facts. Although this easy availability of discovery allows trade secret holders to more effectively enforce their rights, it makes litigation in the United States generally more expensive than in any other country. Coupled with the sometimes-uncertain outcomes and generous damage awards due to the availability of civil lay juries, this environment can be intimidating for companies from other jurisdictions that are used to the more modest cost and predictability of the civil law framework that does not allow for discovery or juries.
Almost at the same time as the DTSA was adopted in the United States, the Directive on the Protection of Undisclosed Know-How and Business Information (Trade Secrets) against their Unlawful Acquisition, Use and Disclosure (Directive (EU) 2016/943 of 8 June 2016, or “EUTSD” for the purposes of this article) entered into force.
Before that, the national laws of EU member states, similar to the laws of any major economy, protected trade secrets one way or another. However, the fragmentation of the legal landscape across the EU was identified increasingly as an obstacle to cross-border technology transfer and R&D or, more generally, innovation.
Pressure from industry and business associations, but also growing political support for the idea of harmonization, not the least the “Europe 2020 Flagship Initiative Innovation Union,” paved the way for adopting the EUTSD. It has been implemented by EU member states. Although full harmonization was not intended or achieved, companies doing business in the EU can expect to find national legal regimes in the member states that are reasonably identical or similar across the entire EU.
Inevitably, the process of introducing the EUTSD reignited the discussion as to whether secrecy is an IP right, after all. It is, in many aspects, an academic issue because even those who question the quality of secrecy treat it in many respects like an IP right. Contrary to the prevailing legal doctrine in the United States, the EU decided against qualifying secrecy as an IP right. As a consequence, Directive 2004/48/EC on the enforcement of intellectual property rights, better known as the Enforcement Directive, does not apply. While individual EU member states, notably Italy and Slovakia, decided otherwise, the practical relevance of this inconsistent approach is limited in that the EUTSD stipulates an enforcement regime quite similar to that of the Enforcement Directive.
This seemingly coordinated effort on both sides of the Atlantic to improve trade secret enforcement was the subject of a study by the International Chamber of Commerce published in 2019.
Recent reform and upgrading of trade secret laws has not been limited to the EU and the United States. In 2018 and again in 2019, China made significant amendments to its Anti-Unfair Competition Law to expand the definition of a protectable trade secret and to increase penalties for theft, including the availability of punitive damages. China further refined its law to address the trade secret owner’s challenge of developing sufficient evidence by declaring a “preliminary” showing of misappropriation sufficient to trigger a requirement that the defendant prove independent development of the information.
What does all of this legislative activity directed at strengthening trade secret laws mean for SMEs? There are two general consequences. First, the subject of protecting competitive advantage by secrecy has received more attention than ever before, with the result that more resources are available to assist SMEs in managing this often-overlooked aspect of intellectual property. Second, businesses of all types and in all countries are challenged to take advantage of this easy-to-use approach, not only to protect their own data, but to avoid unwanted exposure to the trade secrets of others.
Protecting an SME’s competitive advantage by using secrecy requires awareness of what information needs to be protected to retain that advantage, and of the measures available to reduce the risks to its secrecy. Legislation poses virtually no limit to the kind of information that can be claimed as a trade secret; it can be any kind of information, as long as “it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question” (the TRIPS Agreement, Article 39), and derives from its secrecy some actual or potential commercial value. Of course, the information must be distinct from individual skill, which is outside the scope of legal protection.
The more challenging aspect is to identify and apply security measures that are “reasonable,” since every control brings with it a certain cost, either in money or efficiency or both (consider, for example, the annoyance of dealing with two-factor authentication, in which you have to wait for a unique code to be sent to your phone). What is reasonable under the circumstances will be decided ultimately by a court taking into account a company’s risk environment, the value of the information, the threat of loss and the cost of measures to mitigate the risks.
To identify its most important trade secrets, the business should consider the value of the information, measured by the investment made to develop it, the potential advantage it provides over the competition, the potential damage from loss of control, its exposure to any form of reverse engineering (which is, in principle, allowed in most jurisdictions), and/or the likelihood that a competitor might independently discover or develop it.
Once information has been identified as a valuable trade secret, the company needs to carry out realistic risk assessments to determine appropriate security controls. Introducing different classes of information with corresponding security measures can be useful to structure the process of managing trade secrets. Other parts of this process may include labeling the information in accordance with its classification, restricting access to those with a need to know, applying other physical and electronic safeguards and using properly drafted confidentiality (or non-disclosure) arrangements in situations where information must be revealed to a supplier or other business partner.
In the EU, the adoption of Regulation (EU) 2016/679 (General Data Protection Regulation) helped to raise companies’ awareness of data security. Technical and organizational measures, mandatory under the General Data Protection Regulation (GDPR), Article 32, to protect the secrecy and integrity of personal data, can also be “reasonable steps under the circumstances” to preserve the confidentiality of trade secrets.
SMEs, for the very reason that they often rely on secrecy rather than registered rights to protect their IP, are particularly prone to the threat of becoming targets of industrial espionage. For them, it is essential to not only apply high levels of cyber security, but to update and upgrade them regularly to remain on top of technical developments. After all, what is “reasonable under the circumstances” is subject to change due to technical progress and the relative value and threat variables, which may change over time.
While cyber-crime is on the minds of many businesses, the most prevalent threat to the preservation of secrecy is individuals who, while employed by the company (or by a trusted supplier), legitimately hold or have access to the information, but leave the company and carry the information to their new employer. In addition to contractual confidentiality obligations that should be standard in any employment agreement, IT surveillance within the limits of employment and data privacy legislation, frequent training on applicable duties, and a diligent exit process, including exit interviews, can help mitigate the risk. So can an established and well-communicated practice of strict enforcement in cases of security breaches. Nor should it be forgotten that third-party information illegally brought into the company by new hires also poses a threat to the company’s position, making it important that recruiting and on-boarding processes are reviewed.
Thanks to recent improvements in trade secret laws around the world, SMEs have more options and opportunities to increase enterprise value and prevent loss of data assets by using the IP right that is entirely in their control: trade secrets.
The Lord of the Rings trilogy ends in suitably spectacular fashion with a battle scene following the retreat of all the good people to “Helm’s Deep,” a tall stone fortress built into the recess of a massive rock mountain. Seemingly impregnable, the thick wall facing the invaders contains a small flaw: a drainage outlet about five feet high, large enough to pile in some spiny medieval bombs. That done, one of the bad guys in heavy armor but inexplicably looking just like the Olympic torch carrier, glides between lines of his cheering comrades and dives in with the flame to blow a hole big enough for the army to pour in.
Now, immediately shift your mind’s eye from New Zealand to New York: you are watching the scene from The Big Short where Ryan Gosling’s character overhears at a bar a secret trading strategy to bet against the subprime housing market (you know how that one turned out), and then proliferates it by making a call to a wrong number. And for something too improbable to qualify as a movie idea, consider this real-life drama from 2010: Apple, a company infinitely obsessive about the secrecy of unreleased products, finds out that an employee left an iPhone 4 prototype in a bar. Then (this is true) the same thing happens the next year with an iPhone 5 prototype, with a different employee, in a different bar.
Protect the Perimeter, or Guard the Core?
The managers of most companies tend to see information security as a Lord of the Rings problem, with the focus on protecting the perimeter. This reflects the popular view. Indeed, from reading headlines about hackers, you might think that cybercrime – malign attacks from evil outsiders – represents the most common way that commercial information is lost. And you would be wrong. It’s not the overlooked vulnerability in the company’s firewall that gets exploited by determined external enemies. Instead, it’s the careless employee who overshares on social media, brags at parties, or leaves a sensitive document in an airport lounge. (Remember traveling on planes?)
According to a 2013 study by Symantec, over half of departing employees believe it’s entirely acceptable to take company data when they go, and they tend to act on that belief. Forty percent have plans to use the information in their new position. This is not necessarily malicious behavior. Many (68%) just think the organization doesn’t care, given a lack of any apparent enforcement. Anyway, if the information is software, 44% believe that because they wrote it, it belongs to them. From my work with clients, I’d say the situation hasn’t changed.
So, it shouldn’t be surprising how often information is lost just because someone sends a sensitive email to the wrong person, or a group text instead of a private exchange, or because an employee decides that the company’s VPN is just too much trouble.
Nevertheless, when corporate managers think about information security, the first place they look at is the ramparts, when it’s what’s happening behind the walls that should keep them up at night. According to a 2017 Gartner report, businesses spend 62% of their security budgets on defending the network, compared to 18% for the “endpoint” devices in the hands of users.
All of this is not to say that we shouldn’t be guarding the perimeter against hackers, who are everywhere and apparently never sleep. Fortunately, the tools available to detect and react to cyberespionage are constantly improving, and despite the occasional disasters (most of which can be traced back to – ahem – human error), we seem to be staying slightly ahead in the cybersecurity arms race.
An Endless Supply of Human Folly
But clearly the more serious and pervasive threat is from insiders. Unlike the hackers who are trying to break into our systems, these are people that we trust with access to sensitive information, because we have to. Given the complexities of the globalized, digital economy, we have no choice but to share our secret data with employees, not to mention the anonymous employees of supply chain partners, all of whom stay connected remotely through multiple devices, and being human, can get easily fatigued or distracted.
Naturally, these risks are amplified as we have shifted to mostly remote work, where insider threats are dispersed and managers can’t always see them, including the subtle cues of individual behavior that might flag a problem. But increasingly, some of the same kinds of technologies that protect us against malicious outsiders are being developed to address the internal threat.
As we have observed before in this space, trade secret problems come in many different dimensions and circumstances, but all of them share a common feature: somebody did something stupid. Try as we might to create policy frameworks, management structures and training programs, the supply of human folly seems inexhaustible.
Machine Learning and Artificial Intelligence as a Possible Solution
The current hope is that machines will be the match for our failings. Artificial Intelligence (AI) has developed a reputation as aspirational, having fallen short of previous predictions. But it’s certainly much improved, and its ability to recognize patterns and make nuanced judgments provides reason for hope that it can be applied to predicting and managing human behavior.
That said, to deploy intelligence you have to first know some facts. And this is where Machine Learning (ML) comes in. While humans constantly demonstrate an inability to learn from their mistakes, for example by continuing to build houses in flood zones and forests, machines are terrific at it. They don’t get defensive when criticized, and like your dog, they just want to know what makes you happy.
So, combining ML’s talent for education with AI’s capacity for analytics and executive thinking seems an ideal way forward. And indeed, industry has stepped up and created some interesting possibilities. Perhaps inevitably, the security vendors seem to be innovating mainly in the area of new acronyms and other jargon designed to reinforce how much you don’t know. But stay with me for a moment and I think you’ll get a sense of where we’re headed.
An Alphabet of Defenses
Once upon a time there was plain old Data Loss Prevention (DLP) software, which sort of did it all and had a nice generic name. Now we have UAM, which stands for User Activity Monitoring, tools that gather data at its most granular, like individual screen captures, text messages and even keystrokes. UAM also sucks up data from DLP applications, as well as from systems engaged in Security Information and Event Management (SIEM) and User and Entity Behavioral Analytics (UEBA – which, wait, is now called SIEM 2.0). Got all that? No?
Okay, here’s a simpler explanation, through an example. We all deal with authentication by passwords, as well as the more annoying two-factor authentication, in which we wait for a code to be delivered to another device. With a process called Risk-Based Authentication (RBA, sorry), the system doesn’t only verify identity. Using a combination of AI and ML to create a baseline understanding of user behavior, it also examines context to search for anomalies and create warnings or blocks against dangerous behavior. It can examine emails from supposedly trusted sources to see if they align with previous messages, looking for very subtle differences in syntax and diction that might indicate a phishing scam.
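The baseline-and-context idea behind Risk-Based Authentication can be shown in a few lines of Python. This is an added illustration, not code from the article or from any vendor product: the signal names, weights, thresholds and login records are all constructed assumptions, and a simple per-user frequency profile stands in for the AI/ML models the article mentions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Login:
    user: str
    hour: int               # local hour of day, 0-23
    country: str
    device_id: str
    failed_before: int = 0  # failed password attempts just before this login


# Illustrative weights and thresholds (assumptions; tune against real data).
W_NEW_DEVICE = 35
W_NEW_COUNTRY = 35
W_ODD_HOUR = 20
W_PER_FAILURE = 5   # counted for at most 3 failures
STEP_UP_AT = 30     # at or above: ask for a second factor
BLOCK_AT = 70       # at or above: refuse and alert
MIN_HISTORY = 5     # below this many logins the baseline is not trusted


class Baseline:
    """Per-user profile learned from logins that were accepted."""

    def __init__(self):
        self.hours = defaultdict(Counter)
        self.countries = defaultdict(Counter)
        self.devices = defaultdict(Counter)
        self.seen = Counter()

    def learn(self, login):
        """Fold an accepted login into the user's profile."""
        self.hours[login.user][login.hour] += 1
        self.countries[login.user][login.country] += 1
        self.devices[login.user][login.device_id] += 1
        self.seen[login.user] += 1

    def hour_is_usual(self, login, window=2):
        # Circular distance, so 23:00 and 01:00 are two hours apart.
        return any(
            min((login.hour - h) % 24, (h - login.hour) % 24) <= window
            for h in self.hours[login.user]
        )

    def score(self, login):
        """Return (risk score, reasons) for a login whose password was correct."""
        if self.seen[login.user] < MIN_HISTORY:
            # No meaningful baseline yet: fall back to a second factor.
            return STEP_UP_AT, ["insufficient history"]
        score, reasons = 0, []
        if login.device_id not in self.devices[login.user]:
            score += W_NEW_DEVICE
            reasons.append("new device")
        if login.country not in self.countries[login.user]:
            score += W_NEW_COUNTRY
            reasons.append("new country")
        if not self.hour_is_usual(login):
            score += W_ODD_HOUR
            reasons.append("unusual hour")
        if login.failed_before:
            score += W_PER_FAILURE * min(login.failed_before, 3)
            reasons.append("recent failed attempts")
        return score, reasons


def decide(baseline, login):
    """Map the risk score to an action: allow, step_up (second factor) or block."""
    score, reasons = baseline.score(login)
    if score >= BLOCK_AT:
        action = "block"
    elif score >= STEP_UP_AT:
        action = "step_up"
    else:
        action = "allow"
    return action, score, reasons


def build_sample_baseline():
    """Constructed history: ten morning logins by one user from one laptop."""
    baseline = Baseline()
    for hour in [8, 9, 10, 9, 8, 9, 10, 9, 8, 9]:
        baseline.learn(Login("alice", hour, "US", "laptop-1"))
    return baseline


if __name__ == "__main__":
    b = build_sample_baseline()
    for attempt in [
        Login("alice", 9, "US", "laptop-1"),
        Login("alice", 9, "US", "phone-7"),
        Login("alice", 3, "RO", "pc-x", failed_before=4),
        Login("bob", 9, "US", "laptop-2"),
    ]:
        print(attempt, "->", decide(b, attempt))
```

Calling `learn` only after a step-up succeeds is what lets the profile adapt: a second phone stops triggering challenges once the user has proven it is theirs.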
So, while we’re sitting in front of our computer at home, far away from the office, we have the comfort of knowing that we’re not really on our own, that we have someone watching over us, protecting us against ourselves, and preserving the information assets that make this job possible.
In the final moments of The Lord of the Rings, despite the breach of its fortifications, Helm’s Deep was saved by the extreme heroics of its defenders. In business, the workforce may look a bit more like the careless traders in The Big Short. They could use some reinforcements.
James Pooley, member of the Center for Intellectual Property Understanding and former deputy director general of the World Intellectual Property Organization, understands the full seriousness of cyberespionage.
Pooley agrees that COVID has created a riskier environment because employees are away from their usual offices. But the problem is not entirely current, he notes, explaining that a new risk environment emerged in the last 15 to 20 years, as we moved into an information-based economy, where the asset base shifted from tangibles to intangibles.
In addition, “the imperatives for sharing information and trusting other people went up like crazy because of globalisation”, he says. Supply chains have become longer and more complex, as companies shifted to vendors abroad and therefore have to manage their operations at a distance.
During the early 1970s, “all that a company needed to do to protect its information assets was to guard the photocopier and watch who went in and out the front door, because there were no networks, no internet and records were stored on paper”, says Pooley. But, over the last decades, digitalisation coupled with globalisation has changed the playing field. Some of the most valuable assets have become intangible, opening up a whole new world to hackers.
So how does sensitive data end up in the wrong hands? Pooley argues that swathes of valuable information are lost because of employee inadvertence. In rough numbers, he says, “some 80 to 85 per cent of information loss occurs through employees, as opposed to hackers worming their way in from outside”. While organisations can spend effort and money on secure IT infrastructure, they neglect employee behaviour at their peril.
“I see it over and over again,” says Pooley. “I get hired as an expert to critique the protection systems for companies in litigation over trade secrets, because they have to prove they took reasonable steps to prevent the things from happening.” What he sees is companies neglecting to train their employees on how to identify and handle confidential data.
Meanwhile, hackers look for the weakest link in a company’s information chain, for instance when employees use the public wifi of a restaurant near their office for work purposes. He mentions the 2014 hack of Target, when the company’s heating and air conditioning contractor was used as an entry point by hackers, who exploited the vendor’s weaker system to gain access to the Target system.
“It's just astonishing to me that more companies don't pay better attention to these issues, but there we are,” says Pooley. “Maybe I'm a Cassandra, but remember, Cassandra was right.”
How can companies train their employees to be more vigilant? “Preventing bad behaviour is usually about awareness, because people want to do the right thing and they want their jobs to be preserved,” he says.
When Pooley advises companies, he begins with a high-level strategic examination of what the company’s most important information assets are, what risks or vulnerabilities they face and what mechanisms there are to reduce these risks.
“Being really attentive to where the risk points are will alert you to pay special attention to areas that are likely to be used as points of entry,” he says. Companies need to set up policies and procedures to ensure their IP is protected, and training employees is a big part of that.
“I worked with one company that built a consumer product primarily manufactured in China, so there were obvious leakage risks connected to that.” As they went through the process of developing a comprehensive system to protect their IP, Pooley asked for all the senior managers of the company to get together in one room to discuss the matter. Even though this was not easy to arrange, he insisted.
Once all senior managers came together, including the supply chain managers who talked about issues they experienced directly, sharing information triggered insights for managers across the board.
“‘Wait a minute, I don't think I've ever really looked at the non-disclosure agreement that we have with company x and when it expires.’ All of a sudden, they're seeing vulnerabilities, where they hadn't really thought about them before,” says Pooley. “No one expected the specialty arm of the organisation that dealt with all these companies in China would have something to say to the other business units, but vulnerabilities can overlap.”
Are silos and inefficient communication partly to blame for companies’ vulnerability when it comes to countering cyberthreats? Pooley argues organisations need to confront the fact that separate units within their business may have set up unnecessary walls. In reality, information flows and risks are usually shared across the business.
Part of the solution could be found through automation, he says, because automation includes behavioural analytics and insight tools that help companies monitor what exactly it is employees do on their platforms. However, using these tools always has to be balanced with individuals’ expectations of privacy.
Pooley concludes: “The message that I often give is cyberespionage is scary and ugly, and we need to do everything we can to prevent it and deal with it. But if we're not managing our employees in a smart way, it's almost like we’ve left a couple of doors open.”
“You never have trouble if you are prepared for it.”
— Theodore Roosevelt
My head was turned by the recent news of President Trump’s final-day pardon of Anthony Levandowski, the former head of Google’s self-driving car unit who was recruited into Uber with full knowledge that he had downloaded 14,000 confidential files on his way out, and who was later convicted of trade secret theft. I was struck by the White House statement of justification. It said that Levandowski – who hadn’t yet served a day of his 18-month sentence – “has paid a significant price for his actions.”
Mr. Trump also noted that Levandowski “plans to devote his talents to advance the public good.” We of course wish him luck with that, and hope that his next public interest venture turns out better than the Way of the Future Church, which he created to focus on “the realization, acceptance and worship of a Godhead based on artificial intelligence (AI) developed through computer hardware and software.” I promise I’m not making that up. But you can’t prove it by going to the church’s website, which has been taken over by a company hawking fidget cubes, digital cameras and sewing machines. (Also true.)
But back to the main story. I have no doubt that Levandowski has “paid a significant price” for his misdeeds, but it caused me to think about the price paid by others who were involved in this fiasco of a hiring, most specifically Uber. It all started out well, with Uber building a team of bright engineers focused on a future of autonomous vehicles that would – um – replace all those “independent” drivers. Anyway, the company’s young president, Travis Kalanick, was so smitten with Levandowski that he got his board to agree to hire Levandowski at a cost of $250 million in Uber stock, plus $680 million to acquire his new self-driving truck company.
When Google found out about Levandowski’s midnight download and what he was doing at Uber, the lawsuit came quickly. As I’ve pointed out in an earlier article here, the optics weren’t so good, since Uber had agreed to indemnify their new head of engineering against his prior “Bad Acts” (yes, that’s what they were called in the agreement; not making that up either). This turned into Silicon Valley’s favorite soap opera for a couple of years, the civil case finally settling early in the trial, with Uber paying out another $245 million in stock, this time to Google. Kalanick lost his job. And Uber ended up selling off the autonomous vehicle business. As for Levandowski, he pled guilty to trade secret theft, the judge calling it the “biggest trade secret crime I have ever seen.”
Now, I’m sure that your company wouldn’t get itself into a mess like that. But salacious stories like this one serve as a reminder of all the things that can go wrong when we hire someone from the competition. Especially when we stop thinking about risk and see only upside. So, let’s talk about that risk and what you can do to keep yourself out of trouble – and never, ever need a presidential pardon.
The problem starts with what I call the “recruiter’s dilemma.” Management solemnly tells those in charge of hiring that the company is looking only for great talent, bringing them on for their “skill and experience.” However, at the same time, and ever so subtly, a parallel message may go out: but by the way, we’re struggling with this really tough problem, and if you can find someone who knows how to solve it – who has done it before – that would be terrific. As a result, the recruiter suffers from cognitive dissonance, and management has injected potentially unknowable risk into the process.
Of course, this is just human nature at work. We act under the influence of the strongest force in the universe, which is denial, along with its close cousin, justification. The job of management is to impose some discipline on the recruiting effort, both to erect guardrails against cavalier behavior and to help drive the message to the workforce that ethical behavior is the best way to mitigate most risks.
Here are my top eight suggestions for keeping this function under control so you can hire the best people but avoid lawsuits.
First, examine your motives and plans. Are you sure you want this person (or this team) solely for their skill, or is it possible that, somewhere in the mix, you’re trying to solve a specific problem with someone else’s solution? Be honest with yourself.
Second, design the recruitment with a clear-eyed, sober assessment of what can go wrong. Don’t let urgency overcome your common sense. High-level employees come with a lot of sensitive information packed into their heads. How likely is the current employer to feel betrayed? Has the company sued others on the way out? Will this cause internal problems for which they will need a scapegoat? Thinking through all the risks will help you determine the extent to which you may need to take special measures to head off a fight.
Third, engage your recruiters with an unambiguous message about avoiding contamination with a competitor’s data. Depending on the sensitivity of the hire, this may be the primary imperative for those doing the recruiting, and they need to have those concerns top of mind. This may translate into specific guidelines and checklists for promoting the position and for speaking with candidates. Those involved in interviewing all need to be trained to radiate respect for others’ intellectual property, and to avoid asking questions that might lead to inappropriate disclosures.
Fourth, create a system for communicating with potential recruits that consistently reinforces your company’s respect for others’ confidential information. Consider requiring candidates to sign an agreement before the first interview in which they promise not to share any information that might be considered confidential. Insist on getting copies of any restrictive agreements at that point, rather than waiting until the offer is made. Be clear that if they are hired they must arrive “clean,” with none of their former employer’s information with them, at their home, or on their personal devices or cloud storage, and that violation of that policy may lead to termination.
Fifth, before the new recruit submits their resignation, meet to review and reinforce the ground rules and to surface any areas of concern. Remind them that they must continue to devote their full time and loyalty to their employer. Suggest that they take the time to organize current projects and separate their personal belongings and files, so that they can be ready if they are “walked out.” Warn against any significant downloading of files, wiping of drives, or other activity that might be misunderstood. Ensure that all electronic computing and storage devices are left behind intact. Discuss how the employer is likely to react, and suggest ways in which the recruit can deliver their resignation diplomatically and demonstrate their good faith during the departure process. Find out if they have any specific concerns around confidential information and direct them to their own counsel as appropriate. Finally, be sure that they are able to answer this question honestly and comfortably: can you explain how you will be able to do the job that we’re hiring you to do and still honor your obligations to your former employer?
Sixth, if the new hire is a manager in their current company, you need to discuss how they will handle communications with those who report to them. Most state laws place special duties on managers to avoid using their positions of authority to encourage others to leave. Generally, it is best that managers be isolated from the process of recruiting others, and that careful records be kept of those who reach out to express an interest to follow them.
Seventh, prepare co-workers for integrating their new colleague in a way that avoids any transfer of sensitive information. Set clear rules that are grounded on avoiding contamination by not asking inappropriate questions or putting the new arrival in a position that could be compromising. Let everyone know that there may be some meetings or projects where the new person will be deliberately excluded for a period of time. In some cases, it may be a good idea to role play how to handle awkward situations.
Eighth, carefully plan and execute onboarding of the new hire. Have them sign the standard agreements that include a promise to respect the intellectual property rights of others. Discuss how they will be expected to handle the transition, and how they should conduct themselves with their new colleagues. Create a point of contact to answer questions or concerns. And perhaps most important, ensure that they receive meaningful training on how the company handles its own and others’ confidential information.
You’re unlikely to ever find yourself in a lawsuit approaching the scale of the Uber case, or need a presidential pardon. But every trade secret dispute carries with it the risk of crippling costs and distractions. Because employees are the most frequent vector for information loss, you can help yourself by being prepared.
One of the uniquely fascinating aspects of trade secret disputes is that they are laced with unbridled emotions, accusations of treachery, and actors who angrily disagree over basic facts. In other words, they provide a perfect metaphor for the year 2020.
Let’s take a look back at the cases this year that are worthy of comment, either because they involved some unusual set of facts or because they provide useful guidance for behaving better in 2021.
First, this year brought two massive verdicts in trade secret cases. February’s Chicago jury verdict in Motorola v. Hytera came in at $764 million, of which $418 million was for punitive damages. Then, in October, a jury in the New York case by Cognizant against Syntel awarded $854 million, including $570 million in punitives. Even more remarkable, the same trial counsel represented the plaintiffs in each case. Congratulations, Kirkland & Ellis! See, some people had a very good year in 2020.
A big award in another case got reduced, in Epic v. Tata, 971 F.3d 662 (7th Cir. 2020). The jury had awarded $240 million in compensatory damages and $700 million in punitives. The trial court reduced the damages to $140 million and limited the punitive award to twice that amount under the Uniform Trade Secrets Act (UTSA). On appeal, the 7th Circuit held that constitutional due process required a further reduction in the punitive award to $140 million. Still, the case is another reminder that unethical behavior (here, accessing a competitor’s data by misleading a customer) can lead to enormous awards.
In Ajaxo v. E*Trade, 48 Cal.App.5th 129 (2020), the court confirmed that it was acceptable to use the “Georgia-Pacific factors” from patent law in order to inform the damage analysis in a trade secret case.
One of the lingering questions since enactment of the Defend Trade Secrets Act (DTSA) in 2016 has been whether the pre-existing provisions of the Economic Espionage Act establishing jurisdiction over foreign misappropriation would apply to civil cases as well. The first decision analyzing this question came in January, in Motorola v. Hytera, 436 F.Supp.3d 1150 (N.D. Ill. 2020), ruling that the statute did apply where at least one act in furtherance of the “offense” occurred in the U.S. That ruling enabled the large verdict referred to earlier; but its continuing impact is potentially much broader, given the international character of many business relationships. And just to sharpen the point, the court in vPersonalize v. Magnetize, 437 F.Supp.3d 860 (W.D. Wash. 2020) ruled that the “act in furtherance” need not have been committed by the defendant.
To qualify information as a trade secret, the owner must show “reasonable efforts” to keep it confidential. Increasingly, courts are unwilling to excuse what looks like sloppy behavior by the plaintiff. In Amgen v. California Correctional, 47 Cal.App.5th 716 (2020), the court said that merely putting the word “confidential” on an email blast to 170 people wasn’t enough. And in a real sign of our times, the contents of a Zoom meeting among franchise owners lost confidentiality protection because the organizers did not require passwords or keep accurate track of who gained access to the call. Smash Franchise v. Kanda, 2020 Del.Ch. LEXIS 263. On the other hand, in Ultimate Timing v. Simms, 715 F.Supp.3d 1195 (W.D. Wash. 2020), the court found that an email request to treat information as confidential was sufficient.
The DTSA defines an owner as one who has rightful possession of a secret, such as through a license. So mere possession is enough to establish standing to sue, even though the plaintiff had developed the information under a “work for hire” contract that gave title to a third party. Advanced Fluid v. Huber, 958 F.3d 168 (3d Cir. 2020). But merely claiming ownership of a patent improperly derived from a trade secret does not invoke a question of “inventorship” under the Patent Act, so removal on that basis to federal court is improper. Intellisoft v. Acer, 955 F.3d 927 (Fed.Cir. 2020).
Taking someone else’s secret by “improper means” is unlawful. Back in the 1970s, aerial surveillance of a construction site was condemned by a judge as a “schoolboy’s trick.” The same expansive view of unethical business behavior animated the finding in Compulife v. Newman, 959 F.3d 1288 (11th Cir. 2020) that using “bots” to “scrape” information from the plaintiff’s publicly accessible website that was designed to provide data only to individual humans amounted to “improper means.” That said, in the more common circumstance of departing employees, early intervention by lawyers can help their clients avoid liability. In Flatiron v. Carson, 2020 U.S. Dist. LEXIS 48699 (SDNY), counsel advised, and the client adopted, a plan to reduce the risk of misuse of secrets by a former employee. As a result, the court rejected the plaintiff’s claim of “threatened misappropriation.”
Employee confidentiality agreements are typically viewed as fair and non-controversial. But if the employer gets aggressive and limits post-employment use of publicly available information, the nondisclosure agreement can be analyzed under the rules applicable to noncompete contracts, and declared unenforceable. TLS Mgmt. v. Rodriguez-Toledo, 966 F.3d 46 (1st Cir. 2020). In California, employee noncompete agreements have long been outlawed. But oddly for the first time this year, a California court ruled what should have been obvious, that the prohibition does not apply during the term of employment, when duties of loyalty justify imposing that restriction. Techno Lite v. Emcod, 44 Cal.App.4th 462 (2020). In another case dealing with California’s ban on noncompetes, the court held that strict application of Business & Professions Code § 16600 is applied only to employee agreements, not to contracts between businesses, which are examined under a rule of reasonableness. Ixchel Pharma v. Biogen, 9 Cal.5th 1130 (2020).
Because trade secret claims often come as a surprise to the defendant, and early procedural moves such as preliminary injunction applications can consume counsel’s attention, it is possible to overlook some of the finer points about litigation holds and other aspects of evidence preservation. But turning off an autodelete function on the defendant company’s email server is not viewed as one of the fine points. In Weride v. Kun Huang, 2020 U.S. Dist. LEXIS 72738 (N.D. Cal.), the resulting destruction of evidence justified terminating sanctions and a fee award. So, pay attention; you have been warned.
As we in the trade secret bar are fond of saying, ours is the only area of intellectual property where the subject matter is not laid out in a government document, and where a dispute may be the first time that anyone is required to articulate what the thing is. But even if a plaintiff as part of its sensible trade secret management program has made a list, you can be sure that it will be challenged in litigation as insufficient to inform the defense. Indeed, identification of trade secrets has become one of the most hotly contested aspects of any claim. There are legitimate competing interests at stake, and one of the positive developments in 2020 was the publication by the Sedona Conference of a Commentary addressing this singularly challenging issue.
While everyone is reading this helpful guide, the cases keep coming. In Jabil v. Essentium, 2020 U.S. Dist. LEXIS 24371 (M.D. Fla.) the court held it sufficient to define secret software by providing file names and paths for 16,000 files. Sometimes litigants use experts to explain that because they can understand the description, the court should approve it. But the expert’s elucidation itself has to be understandable. In Calendar Research v. StubHub, 2020 U.S. Dist. LEXIS 112361 (C.D. Cal.), the court rejected what it characterized as “a circuitous path of unexplained jargon.” By comparison, the judge in Caudill Seed v. Jarrow, 2020 U.S. Dist. LEXIS 94821 (W.D. Ken.) allowed the plaintiff to broadly claim a “knowledge base” derived from years of R&D.
Finally on this subject, I refer to the recent opinion in Inteliclear v. ETC, 978 F.3d 653 (9th Cir. 2020), not because it creates new law on identification, but only because some people think it does, and I respectfully disagree. The case is highly unusual because on the first day of discovery the defendant filed a motion for summary judgment directed at the insufficiency of the trade secret description. In opposition, the plaintiff provided additional information about its claim, but the trial court granted the motion anyway. On appeal, the Ninth Circuit held that the dimension of the plaintiff’s trade secret was an issue of fact that couldn’t be resolved summarily. The only real lesson of this case is never to challenge an initial trade secret description by an early motion for summary judgment; file a request for protective order instead. The case does not, as some have suggested it does, represent some new federal standard regarding identification of trade secrets.
Protecting trade secrets in litigation is a concern in many kinds of cases where sensitive information has to be presented and the parties confront the tradition and constitutional requirements regarding public access to courts. Those requirements are not absolute, of course, but proper balancing of interests requires careful observance of court procedures for sealing. In Uniloc v. Apple, 964 F.3d 1351 (Fed. Cir. 2020), the party filing its sealing motion was hardly discriminating; it asked the trial court to seal almost everything in the parties’ briefs, “including citations to case law and quotations from published opinions,” along with a number of exhibits containing publicly available information. When that motion to seal was denied, the litigant came back with a more restrained request, but the court denied it, and the order was affirmed on appeal. The lesson: on motions to seal, which can consume a great deal of the court’s time and effort, get it right the first time. And by the way, be scrupulously aware of variations in rules among district courts. In the Western District of Washington, for example, the sealing rules state that a request to withdraw material in case the motion is denied must be made at the time the motion is filed; asking for return of the material once you get a ruling is too late, and the information will be placed in the public record. Rydman v. Champion, 2020 U.S. Dist. LEXIS 51101 (W.D. Wash.).
It’s been a long, and occasionally very frustrating, year. Having made it through 2020, we can all use a bit of comic relief. Sometimes it shows up in trade secret cases, usually unintentionally. In PB Legacy v. Am. Mariculture, 2020 U.S. Dist. LEXIS 62947 (M.D. Fla.) we learn that trade secret protection extends to . . . shrimp. Who knew?
The World Trade Organization will decide on Thursday whether to approve an Indian and South African proposal that would allow countries to disregard intellectual-property protections on Covid vaccines and therapeutics. Proponents claim the move would increase patients’ access to vaccines, especially in the developing world, by enabling companies to mass-manufacture generic copies of those drugs. In reality, suspending intellectual-property rights would make things much worse. The proposal is cynical—designed to benefit India’s and South Africa’s domestic drug industries at the expense of patients around the world.
India is the world’s largest manufacturer of generic drugs, and South Africa is another big producer. They lament that the U.S. and Europe have blocked intellectual-property rights suspension, even though a greater number of WTO member countries are in favor.
I’ve heard this line of attack before, and it is fraught with danger.
“The single biggest problem in communication is the illusion that it has taken place.”
— George Bernard Shaw
The conversation begins,
“Can you keep a secret?”
“Yes, of course,” they say.
What happens next? Naturally, you tell them what it is that you are going to trust them with.
That’s the way it happens in personal relationships. In business, it’s usually more complicated. And it depends a lot on who you’re talking to.
Let’s first consider the employee confidentiality agreement. In some smaller businesses, especially in the “low tech” economy, employee non-disclosure agreements (NDAs) may not be necessary, because workers neither create nor are they exposed to company secrets. But if you’re making things from a private recipe, or if employees learn sensitive information about customers, it’s a good idea to have these contracts. And if you’re in a knowledge-based industry, they’re more or less essential.
With the NDA (and related agreements like invention assignments) in place, the employer feels comfortable sharing all the information that the employee needs to know to do their job. But what do these agreements actually say about what the confidential information is? In other words, what do they tell the employee about what it is that they’re supposed to be protecting?
The answer usually is “not much”. Crafted by lawyers or copied from a form, employee NDAs can be hilariously broad, citing categories of data that have no relationship to what the person is actually doing. It’s common to see a definition of “confidential information” that “includes but is not limited to” 30 or more topics ranging from “ideas” to “techniques” to “samples” to “know-how” to “sketches” to “formats” to “business models” to “documentation” to “research”. Got it? I didn’t think so.
Despite the ubiquity of employee NDAs, and their usefulness – in the abstract – as a reminder that the relationship is confidential, some courts have started reading them closely and finding some that sweep too broadly to be enforceable. After all, unless restrained by a noncompete agreement, an individual should be free to take another job and use their accumulated general knowledge and skill. And yet, it’s not possible as a practical matter to customize the NDA for each of hundreds or thousands of employees whose job responsibilities are likely to change over time.
So, what’s an employer to do? The answer lies not so much in the contract – although there’s probably room to increase clarity of expression. Instead, the most appropriate way to communicate to employees about what they are expected to protect is through training. This instruction can take many forms, including published rules, online tutorials and in-person lectures and role playing. The goal is to imbed understanding of what kinds of information provide the company with its competitive advantage, the security risks that the business confronts, and what employees can do to reduce those risks.
Ideally, training extends beyond early orientation and continues, in varied contexts, throughout the period of employment. Well informed about what the company believes to be its most important data assets and how they may be threatened, the employee will be far more likely to proactively protect those assets. And they will be less likely to confuse the employer’s secrets with the personal skill they are entitled to take to the next job.
But it’s not just the workforce that needs clear communication about secrets. In the modern economy businesses have to entrust sensitive information to vendors, for example, to enable design and manufacture. And customers may be given early access to unreleased products. In these relationships, we find some of the same communication problems as can occur with employees. But instead of the definition of what’s confidential, the issue is more often about what they’re supposed to do with the information.
One of the more common provisions of a commercial NDA requires the party that receives the secret simply to protect its confidentiality in the same way that it protects its own. That sounds good, but way too often the disclosing company has no idea what the recipient’s information protection program is, or how well it is executed. So rather than just accept the “boilerplate” language and assume that everyone treats their secrets as you do, it may be more prudent to state specifically what controls you expect them to use, and what mechanism (such as an audit) you can invoke to ensure compliance.
And then there is the collaboration partnership or joint venture, where two organizations have swooned over their compatibility and the synergies that promise a successful outcome to the project. The mutual infatuation can lead to dangerous assumptions about division of responsibility and particularly about ownership and control of innovations, or at least credit for them. Remember that these relationships are designed to be temporary, and the inevitable divorce has to be negotiated at the same time as the impending marriage. It helps to be clear-eyed about these things and to discuss them in advance.
But by far the most common sources of misunderstanding are potential acquisitions and license transactions. Here, the parties have a legitimate need to share information in confidence, but an equally legitimate basis to fear that it will lead to trouble. For the acquisition target or potential licensor, there is the risk that the suitor will take a close look at the technology and then walk away in favor of another target or an internal project. And on the other side there is always concern that looking too closely at these external opportunities will contaminate your best engineers or scientists with unwanted information, making it difficult for them to prove that what they develop later was done independently.
The level of risk, on both sides, varies with the intensity of the due diligence that is required to inform the transaction. And this is where robust communication comes in. It’s to the advantage of both participants to discuss risk openly, and to explore ways in which they may be able to reduce it, for example by exposure to the secrets in small steps. If a no-go decision can be made based on access to a smaller dataset, then the two sides can more easily part ways without the threat of litigation.
The common theme in all these situations is the need to work towards a clear and common understanding. Even in a close, trusting personal relationship we know it’s a mistake to assume that our partner knows what we’re thinking. In business, if you’re going to allow someone access to important information, it is usually a good idea to help them understand what it is that you consider to be sensitive.
In the wake of urban unrest in the early 1960s, local governments imposed nightly youth curfews, and a Massachusetts legislator suggested that all radio and television stations begin their 10:00 evening programming with an announcement: “It’s 10:00 PM. Do you know where your children are?” The phrase was quickly picked up across the country and became a common (and sometimes mocked) cultural artifact of the era.
The idea that parents need to be reminded of their responsibility for their children’s safety and well-being may seem quaint or silly. But parents can get distracted, and there’s little harm in prompting someone to pay attention to a risky circumstance.
For modern business, if you can indulge the metaphor, we may think of data assets as the children of the enterprise, at least in the sense that valuable information is vulnerable to loss or compromise. Reminding companies of the need to be vigilant makes a lot of sense.
That is exactly what the Securities and Exchange Commission has tried to do with its December 2019 Guidance on “Intellectual Property and Technology Risks Associated with International Business Operations.” Although specifically directed at public companies, the advice is equally applicable to private corporations and startups, since management always has a fiduciary obligation to care for corporate assets.
The document begins with an observation applicable to almost every business. “The increased reliance on technology, coupled with a shift in the composition of many companies’ assets from traditional brick-and-mortar assets towards intangible ones, may expose companies to material risks of theft of proprietary technology and other intellectual property, including technical data, business processes, data sets or other sensitive information.”
These risks, the SEC points out, are particularly acute when doing business in foreign countries or dealing with foreign partners. However, the underlying concern is comparable for many domestic transactions, where information has to be shared with others in order to extract value from it. We might expect that the SEC will at some point broaden its guidance accordingly.
In the meantime, having been reminded that it’s a dangerous world out there and that our trade secrets need careful monitoring, how do we even begin to think about it? In other words, how do we know what secrets we have in the first place? And since we’re talking about any competitively useful information, how do we get our arms around the potentially millions of bits of it that help drive the success of any single company?
This is where the parent/child metaphor becomes a bit challenging to apply. Measured against most of the rest of nature, humans tend to have just a few offspring, making it relatively easy to keep track of them. The most fecund of invertebrates, the ocean sunfish, can produce 300 million eggs at a time, although only a tiny fraction of them are fertilized. But consider the African driver ant, where a single queen can lay 3 to 4 million eggs a month, most of which actually hatch. How can she possibly know where they are, no matter what time of day it is?
Let’s leave this fascinating metaphor by recognizing that businesses don’t need to specify each discrete piece of data, but only the ones that matter, what we often refer to as the “crown jewels.” When thinking of trade secret management, don’t fall prey to the notion that you have to identify everything that could prove useful to the business. Even a hardware store doing inventory doesn’t count individual nails. You can count all of your patents, but not all of your secrets – at least not comprehensively.
In an earlier article, we looked at a process of risk analysis to inform a company’s trade secret program, balancing value, threats and mitigation options. That process naturally begins with understanding the dimensions of the property that you’re dealing with. So how do you do that?
A number of tools have appeared in recent years to help companies create a secure “catalog” of secrets. For example, “WIPO Proof,” offered by the World Intellectual Property Organization, provides the ability to time stamp a file to later prove its existence, using blockchain technology. Other services add forms and checklists to enable a company to sort its secrets by priority. But I believe that the most promising emerging methodology consists of a guided process for creating a flexible catalog that describes assets sufficiently to communicate real value, but without disclosing them.
One example of this approach is the Trade Secret Registry. (Disclosure: I have helped to design this system.) Assets of the “crown jewel” variety are defined through a descriptive label tagged permanently to a file that contains the details and remains undisclosed. Relative values are established in a way that does not compromise future litigation. Room is provided for additions and modifications that reflect product lifecycle management.
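One way to build a catalog of the kind described above, where a public label is bound to a file that stays undisclosed, is a keyed hash commitment per entry plus a hash chain over the entries. This is an added example, not the code of WIPO Proof or the Trade Secret Registry; the function names, field names and sample documents are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

GENESIS = "0" * 64  # "prev" value of the first entry

def _entry_hash(entry: dict) -> str:
    # Hash every field except the hash itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_entry(catalog: list, label: str, content: bytes, supersedes=None) -> bytes:
    """Append a shareable entry; return the nonce to keep private with the file."""
    nonce = secrets.token_bytes(32)  # random key: stops guessing short documents
    entry = {
        "id": len(catalog),
        "label": label,  # descriptive, safe to show a lender or insurer
        "commitment": hmac.new(nonce, content, hashlib.sha256).hexdigest(),
        # Self-asserted time; proving it to others needs an outside timestamp.
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "supersedes": supersedes,  # id of the entry this revision replaces
        "prev": catalog[-1]["entry_hash"] if catalog else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    catalog.append(entry)
    return nonce

def verify_file(entry: dict, content: bytes, nonce: bytes) -> bool:
    """True only if this exact file and nonce produced the entry's commitment."""
    expected = hmac.new(nonce, content, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, entry["commitment"])

def verify_chain(catalog: list) -> bool:
    """Detect edited, reordered or removed entries."""
    prev = GENESIS
    for entry in catalog:
        if entry["prev"] != prev or entry["entry_hash"] != _entry_hash(entry):
            return False
        prev = entry["entry_hash"]
    return True

# Constructed sample secrets: an original and a later revision.
catalog = []
v1 = b"Constructed sample: coating process, cure at 180 C for 40 min"
v2 = b"Constructed sample: coating process, cure at 175 C for 55 min"
n1 = add_entry(catalog, "Coating cure process (crown jewel)", v1)
n2 = add_entry(catalog, "Coating cure process, rev 2", v2, supersedes=0)
```

The catalog list can be shared; the files and nonces stay with the owner and are produced only when an entry has to be proven.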
Ideally, a trade secret catalog should establish the basis not just for informed decisions about access and other risks, but also about unlocking the value of the asset through internal development or other commercialization. We are past the time when the classical corporate patent committee passed innovations only for patenting, leaving trade secrets on the scrap pile. Now, systems for tracking secrets need to enable proactive management to be sure that commercial value is realized.
One dimension of these more robust systems is the ability to bring previously nebulous trade secret information into a category of “recognized” assets that can be insured and also used as collateral for loans. Specifically, companies that certify the integrity of the cataloging process can also act as intermediaries to procure insurance against trade secret loss or liability. And they can deploy the same assets to procure non-dilutive debt financing.
Do you know where your trade secrets are? Finding out may put you ahead of the next SEC bulletin. And it may actually be easier than tracking your own kids.