“Knowledge conquered by labor becomes a possession – a property entirely our own.”
— Samuel Smiles
Sometimes it seems that trade secrets are always fighting for respect. I recently ran into a friend who teaches at a European university. He somehow found a way to squeeze into the conversation a pronouncement: “You know, trade secrets are not property.”
Stay with me; this gets interesting.
I sighed, because I knew what was coming. I’d heard it many times before. “The essence of property,” he said, “is the ability to exclude others, and that doesn’t exist with trade secrets. Anyone is free to discover the same information, or to reverse engineer a product to learn how it is made.”
I acknowledged that trade secret rights are not exclusive, and it’s easy to reverse engineer some things. “But what about secret formulas, like Coca-Cola’s, and secret algorithms, like Google’s? And companies often make products using processes that you can’t figure out by looking at what’s public.” He was ready with the ultimate squelch: “Sure, but all of that is not property, because you can’t exclude anyone; you might not even know when someone is using the same so-called secret. If you can’t order them off, it’s not property.”
Like I said, I’ve heard this before. Even in the specialized world of intellectual property, the other major rights – patents, copyrights, trademarks – give you exclusivity, at least for a time. (Twenty years for patents, life of the author plus 70 years for copyrights, and during commercial use for trademarks.) If someone tries to make the same invention, publish the same song, or use a confusingly similar mark, you can get a court to make them stop, just like you can protect your land against trespassers. But for trade secrets, you have to accept the fact that others may develop, or discover, the same information that gives you an advantage over your competitors.
In some parts of the world – mainly Europe, where my professor friend was from – this distinction can matter. When the EU in 2016 issued its Trade Secrets Directive, requiring all the member states to meet certain standards in their national laws, it specifically said that trade secrets were not to be treated as “intellectual property.” That meant that the earlier EU Enforcement Directive, which provided some helpful remedies like seizure, and which required sharing certain information with the owner of the IP, wouldn’t apply to trade secrets.
Never mind that every one of the EU member countries have long been signatories to the 1995 TRIPS Agreement, which declares, in Article 1, Section 2, that all categories of IP, including “Undisclosed Information” (Article 39), are “intellectual property.” In Europe, the combination of academic inflexibility and political cowardice has kept business secrets trapped in this “non-property” abstraction.
On our side of the Atlantic, we’ve taken a more practical view about treating information as “property.” As we imported the law of trade secrets from Britain (which is about to leave the EU, but apparently not because of how they treat secrets), U.S. judges recognized that the knowledge developed by a business that gives it an edge should be treated like more traditional forms of property. This was important to an emerging industrial economy that required sharing information in confidence with employees and others.
In 1868, Massachusetts’ highest court ruled that if one “invents or discovers, and keeps secret, a process of manufacture . . . he has a property in it” that courts will protect against a breach of confidence. But the ability to assert trade secrets had already been established by the same court many years earlier. It may seem deliciously coincidental to those of you familiar with Roald Dahl’s Charlie and the Chocolate Factory that the first trade secret case in the U.S. was about . . . a process for making chocolate. If you want to look it up, it’s Vickery v. Welch, 36 Mass. 523 (1837).
In the first half of the 20th Century the courts took a small detour by emphasizing that the interest being protected was more about the confidential relationship than the information itself. In 1917, the U.S. Supreme Court declared that “the property may be denied, but the confidence cannot be.” But in later cases, the Court ruled that trade secrets may be taxed, that the constitutional requirement of compensation for seizure of property applied to trade secrets, and that “confidential business information” was “property” within the meaning of the mail and wire fraud statutes.
These decisions align with the way that business treats valuable information as an asset. It can be bought and sold, licensed, shared, and pledged as collateral. Is it “property”? The view here is that if it waddles and quacks, it’s a duck.
But apart from the way we treat it in transactions, what is it about this special right that should make us feel comfortable calling it property? It is the element of control. Although we can’t control whether someone independently develops the same information, we can control who gets access to our own, and under what circumstances.
Back in 1623 in Constantinople (now Istanbul), a fellow named Avedis Zildjian was trying to perform alchemy, and while he didn’t manage to transform base metal into gold, he did happen on a special alloy of copper, tin and silver that when fashioned into a circular sheet made a great sound. Today, the Zildjian family company still supplies what are considered the world’s best cymbals to leading musicians all over the world. The secrets are safe because they’ve not been disclosed outside the family for generations.
Other businesses can achieve the same effect, simply by managing their information assets. In fact, the modern law on trade secrets requires that, before courts will lend a hand to enforce promises of confidentiality, the owner has to show that it has engaged in “reasonable efforts” to keep the information secret. What’s “reasonable?” The law doesn’t specify, beyond teaching that every circumstance is unique, reflecting the value of the information, the risk of its loss, and the cost (including inconvenience) of instituting various measures to reduce the risk.
In the end, getting help from the courts to protect your secrets will depend to some extent on how much you exercise the control that comes with secrecy. Realizing the need to share information with employees, vendors, customers and collaboration partners, you should establish all the controls that help everyone understand the confidential nature of your data assets and reduce the risk of inadvertent leakage or contamination by someone else’s secrets.
Next month, in Part 2, we’ll take a closer look at what businesses should be doing to maintain the integrity of these most valuable assets. In the meantime, just remember this: you have control over who gets access and what they can do with those assets. Exercise that control, and you’ve staked a claim to your property. No matter what the European professor says.
“We’re from the government, and we’re here to help.”
— Anonymous
According to Merriam-Webster, the “Word of the Year for 2019 is “they” when used in the singular, typically to avoid ascribing a gender to the person being referred to. The larger point is this: language matters. Since this is a space dedicated to secrecy, let’s consider how we use language to determine who gets access to our trade secrets. For today, we’ll be looking specifically at how government does this. After all, they write the laws and so should be practiced at defining exceptions to property rights.
Why should the government care at all about business secrets? Examples will help us here. Locally, the fire department needs to know what hazardous chemicals you might be storing at your plant, in case they have to come and put out a fire there. For different but equally compelling reasons, the Food and Drug Administration (FDA) insists on knowing exactly how drugs are made, and the Environmental Protection Agency (EPA) requires submission of pesticide ingredients. And then there is the government as consumer: last year the U.S. spent over $550 billion on purchasing goods and services from the private sector, and with all that economic clout comes the right to demand access to a lot of related data.
Government purchases are regulated by the Federal Acquisition Regulation (FAR), a law only somewhat less complex than the tax code. But for “commercial items” the FAR gives the government no data rights. The seller can provide “limited rights,” allowing the government to use information only for internal purposes and repairs, protecting it from public disclosure.
Although not everyone sells to the government, many businesses are required to give the government a great deal of information that they don’t want the competition to see. A federal statute, aptly named the Trade Secrets Act, has been in place for over a century, making it a crime for federal employees to disclose valuable business information. In addition to the FDA and EPA, this law and other regulations designed to protect trade secrets apply to mandatory disclosures made to the Securities and Exchange Commission, the Consumer Product Safety Commission, the Occupational Health and Safety Commission, and even the Post Office.
Over the first half of the 20th century, as the federal government broadened its regulatory functions, keeping business data confidential was straightforward: companies would mark their records “confidential” and agencies would keep them sealed from public inspection. Then came the Freedom of Information Act (FOIA, pronounced with delight or disdain, depending on your interest, as “FOY-YAH”).
Originally adopted in 1966, FOIA was expanded in 1974 following the Watergate scandal, to allow broader and easier access to government by the public. It requires that federal agencies promptly make available to any “person” any requested record unless it is “exempt” from disclosure. Two aspects of “Exemption 4” are relevant here. The first is for “trade secrets,” which one might expect allows companies to breathe easy about the risk of disclosure. However, the courts soon interpreted the phrase “trade secrets” under a 1939 guide (the Restatement of Torts) to have a very narrow meaning, so that part of the exemption was not much help.
A second part of the exemption applied to “confidential commercial information,” and this at first seemed to provide comfort for submitters. But the courts eventually narrowed the meaning of this phrase, too, adding the requirement that, to prevent disclosure, a submitter had to prove “substantial competitive harm.”
This “competitive harm test” might not have been much of a problem if the issue were always resolved privately between the government and the owner of the secret information. But another actor was usually involved. Almost from the outset of FOIA, a statute intended to inform the public about the workings of their government, the most frequent applicant for disclosure has been — no prize for guessing — commercial entities. With the potential of access to information saving years of expensive research, competitors would challenge the exemption in court, leaving the trade secret owner to argue over the vague and speculative concept of “substantial harm.”
Not anymore. A few months ago the U.S. Supreme Court issued its first opinion on the meaning of Exemption 4. In a case called Food Marketing Institute v. Argus Leader Media, the issue was whether information about food stamp redemption at individual grocery stores, submitted by them to the FDA, had to be revealed under FOIA. Examining the text and history of the statute, the court held that “confidential” has an ordinary, dictionary definition and applies to any information that a business would customarily treat as “private.” The “competitive harm test” had been improperly added by the courts.
For companies that need to share competitively sensitive information with the government, this ruling provides much more certainty about keeping the information from competitors. But while celebration may be in order, it’s no time to relax. Agencies, and the people that work for them, can make mistakes. Just ask Monsanto, whose RoundupÒ herbicide dominates the market because it is effective against a large range of annual and perennial weeds and allows planting soon after spraying. In 1982, the EPA gave the secret formula to a lawyer for one of the company’s competitors. (The information was later retrieved.) And then of course there are state and local agencies to deal with.
What should companies do to protect themselves against the risk of disclosure by the government? First, put prominent labels on all sensitive records before they are submitted. This kind of marking may be required by a special statute or regulation that applies to your industry; but even if it isn’t required, it’s common sense to communicate boldly your claim of confidentiality to those who are handling your data.
Another way to control the risk of disclosure is to get an agreement from the agency involved. This is more cumbersome than just marking your documents, but it increases the odds that the information will be handled with care, and that the agency will refuse to disclose it to an outside party.
Finally, closely examine your draft submissions. Try to find a way to supply the required information without revealing your business secrets. To the extent that you achieve that goal, then your data will have the best possible protection against government disclosure.
The “Word of the Year” for business in 2020 is “confidential.”
“Any sufficiently advanced technology is indistinguishable from a rigged demo.”
— James Klass
The spectacular failure of blood-testing firm Theranos is the subject of a riveting book, Bad Blood by investigative reporter John Carreyrou, and an engaging documentary, “The Inventor” on HBO, focusing on Elizabeth Holmes, the once-celebrated wunderkind who dropped out of Stanford at age 19 to “change the world” with a device that would perform hundreds of diagnostic tests with a few drops of blood from a finger stick. It’s a story made for Hollywood (Jennifer Lawrence will play Holmes in the forthcoming movie), filled with lies, deception, threats and sex, set in a Silicon Valley startup.
Once valued at $9 billion, Theranos raised hundreds of millions from famous investors such as Rupert Murdoch, Betsy DeVos and the Walton family (owners of Walmart). It landed a corporate partnership with drugstore giant Walgreens, which built a series of “wellness centers” in its stores, where customers could order blood tests without a prescription. Due to a legal loophole, the Food and Drug Administration (FDA) hadn’t examined the Theranos device, called “Edison,” which was still just a prototype. But the show had to go on. Most blood tests had to be performed with a traditional syringe draw. As for the “droplet” tests, they were dangerously unreliable. The technology that made everyone so excited, it turned out, didn’t actually work. Theranos collapsed. Elizabeth Holmes now faces trial for criminal fraud.
Theranos’ initial success was not something that Holmes could have achieved on her own. She needed the cooperation of a supporting cast of prominent men (yes, they were all men) on her board, including such luminaries as former Secretaries of State Henry Kissinger and George Schultz, former Senator Sam Nunn and retired General James Mattis (who would go on to serve as Secretary of Defense in the Trump administration). None of them had backgrounds in medicine. Also serving on the board, and as the company’s lead lawyer, was David Boies, the trial lawyer who had represented Vice President Al Gore in his election case before the Supreme Court.
But the most important enabler of the Theranos con was not a human being. Instead, it was secrecy. According to the book and documentary, to keep investors and business partners in the dark about what was going on, Holmes used the excuse that the breakthrough invention had to be kept under the tightest possible wraps, lest competitors leap ahead. Her lawyers reinforced this notion, giving it enough credibility that Holmes could draw in otherwise rational people with the promise of a healthier society, a disrupted industry, and capital gains. This gave Holmes the comfort to actually fake demonstrations of the Edison: while important visitors were taken on tour, their blood sample was taken out of the machine and whisked to a downstairs lab where it was analyzed using commercially available equipment, with the results returned to the meeting room just in time.
Nondisclosure agreements were secured from everyone who came into contact with the company. And those agreements were enforced vigorously, apparently even using private investigators and threats of crushing litigation to keep knowledgeable employees from speaking with the press. (If you are interested in learning how lawyers can terrorize well-meaning whistleblowers, I urge you to read the book.)
Secrecy was apparently also used within the company, keeping employees “siloed” from other areas by an extraordinarily strict need-to-know policy. As a result, those who worked on running the machines didn’t know what the engineers might be doing to fix and improve them, and new development projects kept people guessing about whether the real breakthrough technology was being sharpened in the next room. All of this partitioning of knowledge was coupled with enthusiastic “us vs. them” speeches by Holmes designed to keep morale strong and faith alive.
Of course, the “dark side” of trade secrets—where the law enforcing confidentiality is used in unintended ways—isn’t unique to Theranos. Nondisclosure agreements have been accused (without much empirical evidence) of discouraging employees from moving to new jobs, for fear that they will inadvertently misuse some confidential information. More recently and notoriously, they have become part of the “#MeToo” conversation, as a mechanism for suppressing the truth by silencing victims of abuse.
But we have ways of preventing, or at least mitigating, these inappropriate consequences. Courts routinely exercise discretion to favor the free movement of employees from job to job. There are now strong whistleblower protections built into federal law for those who want to share with the authorities confidential information about potentially unlawful conduct.
Even the Theranos story doesn’t mean that trade secret law is inherently dangerous. Consider Apple, one of the world’s most secretive companies. (Holmes famously modeled her clothing and business habits after Steve Jobs.) Apple has consistently used NDAs and secrecy management to protect products under development, to great effect when they are ultimately unveiled, all without touting non-existent technology. And it’s easy to imagine how Theranos might never have happened if investors and business partners had been less credulous and more insistent to understand the technology. It is entirely possible to couple information security with appropriate governance and oversight; indeed, that is how most companies behave. More than any problem with trade secret law, the Theranos debacle is about greed, hubris and the overwhelming power of human denial when faced with inconvenient facts.
However, the Theranos story got me thinking about other aspects of secrecy and technology that pose stickier problems. The one that comes to mind is artificial intelligence (AI). As a concept, AI has been with us a long time, representing the evolution of powerful computing that we imagine might someday mimic the human brain. But only recently has it seemed on the relatively near horizon, with systems being deployed on information sharing platforms like Facebook, and, soon it seems, in our cars. It’s one thing to let Google protect its search engine; but we have seen how fake news can affect elections, and we wonder how computers will be able to make life-or-death decisions while driving themselves (and us) down the road.
A common public reaction to these concerns about personal-impact technology is to demand “transparency” of the companies that use AI in their tools. We want to know exactly what the algorithm is that determines our news feed, and we want visibility on what the car will do when faced with the choice of hitting the baby carriage or grandma. But here we run into a dilemma common to all forms of advanced technology: we need to encourage the innovation that gives us new products and services; but to enable the necessary investment of money and risk we need to guarantee secrecy so that the innovator can recoup its investment.
When as a society we faced a similar problem a century ago with an emerging technology with profound individual consequences, it was pharmaceuticals, and eventually we fashioned an approach that has worked fairly well to serve both private and public interests, in spite of the narrow loophole that Theranos exploited. Drug companies are required to reveal to the FDA their formulations and test data, where technically qualified officials examine the drug or device for efficacy and safety. All this is done behind closed doors, to protect the company’s investment in some very expensive and risky research. But because we have confidence in the ability of the agency to get it right, we are comfortable using the drugs that have been approved.
It’s not clear to me that a similar model would work to address the potential flaws in secret AI engines. How would we develop models for testing everything that could possibly go wrong? How could a government agency reliably make predictive judgments about software that operates in the world, rather than chemicals that operate in the human body? And even if those challenges could be overcome, what do we do about the fact that the AI algorithms, unlike drug formulations, are not static, but are built to dynamically alter themselves through machine learning?
I don’t have a good answer to these questions. Unlike the situation at Theranos, where the risk of harm from secrecy could have been met by some healthy skepticism and common sense, AI presents a uniquely difficult challenge to find the right balance of competing interests. We need to keep talking about it.
"....Based on evidence collected and presented in the civil trial, which started with a bang but ended prematurely with a whimper, Levandowski definitely took the files at the heart of the charges. But the case, the first one by a new corporate-fraud strike force in the northern district of California, is not as open and shut as the government would like it to sound.
“[A criminal case] has a much higher bar,” said James Pooley, a Silicon Valley attorney who specializes in intellectual-property law, adding that the government has to prove that what Levandowski took with him was “a trade secret, that it was valuable, and it was stolen, and you have to prove all that without a reasonable doubt.”
Eric Goldman, a professor at Santa Clara University School of Law, and Pooley pointed out that the government is going to have to prove that Levandowski downloaded the documents with intent to do harm to Waymo, that he believed these were trade secrets and that he intended to misuse them......."
"...Levandowski is a standout among an elite cadre of engineers with expertise in autonomous driving, which is widely considered the future of the auto industry. In 2004, he was part of a UC Berkeley graduate student team that created a self-driving motorcycle to compete in early federally sponsored races. He went on to found a series of companies related to autonomous vehicles, some of which were acquired by Google and later by Uber.
“For a guy who was so smart, the way in which he (allegedly) behaved here was really dumb,” said James Pooley, a Menlo Park lawyer specializing in trade secrets.
In Silicon Valley, where job-hopping is almost obligatory, the case underscores why companies “have to be sober and clear-eyed about the risk you face when you hire someone from a competitor in a fast-moving field where there are a limited number of very knowledgeable people,” Pooley said...."
When one company looks at buying another, the potential buyer engages in a “due diligence” process designed to help it fully understand the relevant risks and opportunities before the deal is done. In today’s digital economy, most business assets are intangible, and so intellectual property (IP) is among the most meaningful of the variety of issues that an acquirer needs to examine. But while most due diligence checklists include dozens of questions pointed at the target company’s patents, trademarks, and copyrights, trade secrets get relatively little attention, often limited to a single request to confirm that the target has some system in place to protect its secrets from unauthorized disclosure.
This light touch on trade secrets, compared to the other forms of intellectual property, can seem bewildering when you consider that secrecy has been shown repeatedly to be the preferred method of protecting commercial innovation. Moreover, with so many companies turning to data collection and analysis as a way to enhance their competitive position, one would think that trade secrets should get top billing in any assessment of a commercial transaction. That it frequently doesn’t may reflect the roots of trade secrets in state common law, distinct from the registered IP rights, which can be counted and more easily valued. Even though we now have legislation at the state (Uniform Trade Secrets Act) and federal (Defend Trade Secrets Act) levels, trade secrets may still seem relatively mysterious to many of the corporate lawyers who lead due diligence efforts in connection with acquisitions. Or those lawyers may just assume that these issues are being handled by the company’s IP specialists.
Some industries and companies typically pay close attention to their most valuable secrets, due to the nature of their businesses. Examples include chemical manufacturers, biotech companies with their heavy emphasis on R&D, and to a certain extent software companies that increasingly locate their core algorithms in a private cloud, where customers can use the tool but not look inside. But a lot of what makes any business valuable consists of more dispersed technoloy, including knowing what not to do (“negative know-how”) and insights drawn from data analytics that in turn drive marketing strategies.
Based on anecdotal experience, it seems that, with some exceptions where the acquirer pays very close attention, there is often a disconnect between the perceived importance of information assets in the abstract and how they are actually treated in the context of planning, investigating, and executing business combinations. Even where these assets might seem not to matter very much, as when the acquirer plans an “acquihire” (buying the company just to get its smart employees), there is still reason for concern, since trade secrets reside largely in the heads of individual actors, who may or may not stay around after the deal is done.
All businesses face risks in connection with their information assets, more or less constantly. That’s a necessary result of the trend toward “open innovation,”2 coupled with the fact that the systems used for storage and communication of data allow wide access to hundreds or thousands of individuals and are to one degree or another insecure. A lot can be done to manage those risks on an ongoing basis, but the potential acquisition presents a uniquely fraught circumstance compared to other relationships because the parties’ interests at the outset are not necessarily aligned, and the time frame for dealing with some very complex and challenging issues is often quite short. Both sides in the deal must confront significant risks resulting from the understandable anxiety that each experiences (or should experience) from sharing or receiving highly confidential information.
Let’s first consider the target company. Classically, the biggest hazard faced by the target is the almost existential risk that it will expose its core secrets to a suitor who ultimately walks away from the deal and goes into direct competition. And while that fear is legitimate and should inform any number of protective strategies, it may make more sense to first recognize a somewhat counterintuitive problem: the risk of success. By this I mean that if the deal goes through, the target will have to provide very extensive “reps and warranties”—essentially guarantees about the ownership and security of its information assets and freedom from third-party claims. Here is an example, cast in the typically overburdened prose of commercial transaction documentation:
The Company and each of its Subsidiaries have taken all commercially reasonable measures to protect and preserve the confidentiality of any Trade Secrets that comprise a material part of the Company IP. To the knowledge of the Company, all use and disclosure of Trade Secrets owned by another Person by the Company or any of its Subsidiaries have been pursuant to the terms of a written agreement with such Person, or such use and disclosure by the Company or any of its Subsidiaries was otherwise lawful.
The prospect of signing on to these guarantees represents a challenge because the target needs to start preparing for this responsibility very early in the process, by revisiting its trade secret protection program, as well as its compliance with outstanding confidentiality agreements. Of course, this can also be viewed as an opportunity to enhance trade secret governance, no matter the outcome of the proposed acquisition. IP counsel advising the target company can be very helpful in directing this analysis, including identifying specific areas of risk and setting priorities for management action.
But the deeper and more consequential concern is that the transaction will not come to pass, and the purported acquirer turns into a competitor made more capable and threatening by virtue of having had access to the target’s secrets. Here too, reducing this dimension of risk begins with getting the house in order regarding trade secret management. The first step in taking adequate precautions is to know what trade secrets you have, how they are represented (in code, in process documents, in the head of the fellow who operates the production line, etc.), and what their value is to the company. The latter can be an expression of how much they contribute to profitability due to increased efficiency, for example, or of the damage that would be caused if the information fell into the hands of a competitor. Either way, addressing in a disciplined way the relative value of the target’s major categories of information assets will inform the extent of risk taken in the coming negotiations over how much of it the suitor will be allowed to see and under what conditions, as well as perhaps the financial terms of the hoped-for acquisition.
The starting point for disclosure must be a robust nondisclosure agreement (NDA) by which the potential acquirer acknowledges the confidential nature of the process and promises not to disclose or use any confidential information other than to evaluate the possible deal. This contract has to be negotiated at the outset, separately from the terms of the eventual transaction (although executing a concurrent letter of intent is quite common), and before any secrets are exposed. From the target’s perspective, the NDA needs to include a broad definition of “confidential information,” allowing for only the standard exceptions for information that is publicly known, developed by the recipient independently of its exposure to the secrets, provided properly by a third party, or already in the recipient’s possession (the latter should be limited to what can be demonstrated by contemporaneous records).
To the extent possible, the target should resist agreeing to a “residuals clause,” which removes from coverage any information that is “retained in the unaided memory” of the people who are to have access to the target’s secrets. Although there may be good reasons for the potential buyer to want such protection for itself (see discussion below on this point), the practical effect can be to grant a license to the target’s secrets. Not only does this open up the possibility of unfair competition from the buyer if the deal doesn’t go through; it also imperils the general enforceability of the target’s secrets as to others, because they can claim that the information has not been the subject of “reasonable efforts” to protect it, a necessary element of establishing trade secret rights.
Another significant provision from the perspective of the target addresses what to do about verbal disclosures of secret information. The buyer’s NDA may limit confidential information to what is contained in documents that are prominently designated as confidential. But the due diligence process normally includes interviews in which additional sensitive information may be revealed. It is important that the target at least have the opportunity to identify this information in a written communication within a specific time following disclosure. And speaking of time, the target should consider very carefully any attempt to limit the term of the recipient buyer’s confidentiality obligations. Again, such a limitation (typically three to five years) is rational and reflects the other party’s interest in avoiding the administrative burden of perpetual compliance. But as with the residuals clause, putting a limit on the period of confidentiality can have the effect of granting a license when the period expires; so the target must be comfortable that none of the shared information will remain valuable after that time.
Whatever the terms of the NDA, there will remain some risk that information will be misused beyond the target’s awareness or ability to prevent. Therefore, it also needs to focus on the process of disclosure, to ensure that information is only transferred when and to the extent that it needs to be. In general, it is a good idea to use “progressive incremental disclosure,” starting with an exchange of nonconfidential data, and then working gradually through increasingly sensitive information as trust and confidence between the parties build. Each stage thereby provides a basis for understanding the value and risk of moving to the next stage. For some highly sensitive information, special restrictions might include limiting disclosure to named individuals or under supervision without the ability to copy or take notes. And it may even be possible to negotiate for a limited disclosure of certain items, or certain details, leaving full disclosure to occur only after closing. Sometimes the acquirer will accept such terms because it has been able to make a sufficient assessment based only on partial access and the deal otherwise has enough momentum to justify it.
In contrast to the target, the buyer’s major risk, besides overlooking some aspect of the target’s data assets, is in its exposure to information that might be relevant to the company’s own R&D or other business transactions. These concerns for potential “information contamination” are most acute when the company has an existing plan to develop related technoloy in-house but wants to compare that possibility to what it might be able to acquire outside. This is known as the “make vs. buy” conundrum, and it is fraught with hazards.
The reason we refer to this situation as a conundrum is that the potential acquirer has separate interests that tend to compete with each other. For example, it wants to know as much as it can about the target’s technoloy and strategies, so that it can adequately assess the transaction. But at the same time, acknowledging that the deal may not happen, it also wants to protect its own freedom to operate and so would like to keep exposure to the target’s secrets to a minimum. This ambivalence is sometimes compounded by different internal agendas, typically because of the related internal development program, whose leaders naturally would like to win the “make vs. buy” contest. This can lead to their breaching the wall between their group and the deal team, as they try to better understand the competition.
The challenge is much greater if no such barrier was erected to begin with. In Nilssen v. Motorola, the court denied summary judgment on the defendant’s claim that its competing product was developed independently of the target’s technoloy, because some of the supervisors of the internal project had attended due diligence meetings with the target company’s engineers. As the court explained, “the placement of key employees in a position where they might assimilate a trade secret permits an inference of misappropriation.” The point had been made even more forcefully by the Federal Circuit in Roton Barrier v. Stanley Works, in which the prospective buyer had tried to argue that the personnel exposed to the target’s secrets did not meaningfully participate in the internal development project, but merely supervised others who did the work. The court rejected the argument as “disingenuous.” It also declined to recognize as independent the work of a third party hired by the buyer to manufacture its competing product, because it had been given instructions by those who had access to the target.
Occasionally the breach occurs in a narrower but equally dramatic way, as when the buyer’s outside patent attorney is tasked with reviewing the target’s unpublished patent application to assess its strength. This was the situation in X-IT Products v. Walter Kidde, in which the court denied summary judgment to the defendant because the draft claims in the application were deemed to reflect the target’s confidential assessment of the most protectable features. The attorney had passed on this information, together with a list of cited prior art from the application, to an associate who was working on an application for the defendant in a related field. Although the defendant managed to demonstrate independent work in every other respect, this leakage was enough to deny summary judgment.
Transgressions like these can have serious consequences beyond exposure to a damage award. In Den-Tal-Ez v. Siemens, the buyer falsely assured the target that it was no longer interested in acquiring a competitor, while in fact it was conducting meetings in parallel and ultimately chose the competitor. Having been exposed to the plaintiff’s manufacturing facilities and technical know-how, the buyer was enjoined from completing its intended acquisition, or acquiring any other competitor, for a period of three years. The injunction was affirmed based on a theory of threatened misappropriation, which the court deemed “inevitable.”
While some of these mistakes are operational, the potential acquirer’s first line of defense against liability is an NDA carefully constructed to cabin its exposure. Ideally, the contract should limit protected information to that which is provided by the target in writing and clearly marked as confidential. If verbal disclosures are to be permitted, they should be effective only if confirmed in a specific writing within a brief period. (Note that someone on the recipient’s side should be tasked with receiving and verifying the contents with those involved in the disclosure.)
Whether or not the prospective buyer is engaged in development of a competing product or service, it is wise to include in the NDA an acknowledgment that it may be so engaged, and that there have been no representations of exclusivity, the buyer being free to consider the acquisition of alternative businesses or technologies. The most reliable way for the buyer to protect its freedom is by insisting on a “residuals clause,” typically some variation of the following:
Discloser agrees that the disclosure of Confidential Information to Recipient shall not impair the right of Recipient to engage in its business, including the development of products and services that are competitive with that of Discloser, provided that Recipient does not breach this Agreement. Therefore, it is agreed that Recipient may use Residuals for any purpose. “Residuals” means any information retained in the unaided memories of the Recipient’s employees who have had access to the Discloser’s Confidential Information pursuant to this Agreement. An employee’s memory is unaided if the employee has not intentionally memorized the information for the purpose of retaining and subsequently using or disclosing it in violation of this Agreement.
Other important provisions of the NDA include setting a time when confidentiality will expire (this may prompt push-back from the target, but particularly if there is no residuals clause the administrative burden of perpetual management of the exposure can be a very legitimate concern) and a choice of law and forum (critical for cross-border deals). A requirement to arbitrate disputes may also be helpful, especially as a way to ensure confidentiality.
No matter how complete and robust the contract governing the transaction, effective due diligence requires very close management of the process. Generally speaking, complete, documented separation should be maintained between those who have access to the target’s secrets (the “clean team”) and those who are engaged in internal development. For particularly sensitive situations, such as where the company has an ongoing project that is directly competitive, it may be wise to employ a third party to handle the diligence, or the relevant portion of it, and to report back only their recommendations. And there may be some information that is so highly confidential that the target is unwilling to provide access at all before closing. This then becomes a matter of assessing the risk, which may be mitigated to an extent through representations and warranties in the transaction documents.
Having identified, allocated, and controlled the risks as appropriate, diligence proceeds with the objective of learning as much as possible about the target’s trade secrets and how they are protected and deployed. Among the documents to be examined should be employee and consultant confidentiality and invention assignment agreements, third party NDAs and related contracts, policies and procedures regarding trade secret protection, training programs, records of R&D, and licenses or other agreements reflecting ownership and control (including the ability to transfer to the acquirer), such as joint development or funding relationships.
Examination of the target’s trade secret protection program is not about checking a box, but should be as thorough as necessary to assess whether it at least meets the “reasonable efforts” element of secrecy as defined by the Uniform Trade Secrets Act and the Defend Trade Secrets Act. Interpreting that provision, the courts expect the trade secret holder to balance the value of the information against the risk of loss, measured against the cost of various measures that could reduce or eliminate the risk. A good description of this basic risk management approach in practice is provided by CREATe.org.
The due diligence process should also address the following questions:
Finally, assuming that the acquisition proceeds, the buyer should have created a thoughtful plan for integration of the target’s workforce. Corporate cultures and practices around treatment of confidential information vary greatly. Employees at a very small company may not be used to the controls required in a more hierarchical organization. Even companies of equivalent circumstances may have established different approaches. The integration plan should combine the best information access and security measures from each, just as with other aspects of their operations. Whatever the decision regarding ongoing structures, the surviving company should institute a rigorous and ongoing training program, with regular follow-up.
Management of trade secrets is fraught with competing interests. There is the tradeoff between security and inconvenience—for example, the annoying wait for a special code to allow “two-factor identification” when you already have your password handy. There is trusting your employees while knowing they might leave to join a competitor. And there is the tension between corporate secrecy and the public interest, such as when the fire department insists on knowing what toxic chemicals are used in your facility.
And now we have the cloud (like “internet,” its ubiquity merits lower case), which offers unparalleled convenience and flexibility to outsource corporate data management to others. But moving IT functions outside the enterprise creates new vulnerabilities for that data, which happens to be the fastest growing and most valuable category of commercial assets. So understanding this environment has to be a high priority for business managers.
The cloud has given us multiple acronyms, like SaaS (software as a service), PaaS (platform as a service), and IaaS (infrastructure as a service). But it’s not as complicated as it sounds. From the customer’s perspective, the cloud is just a bunch of linked servers in some (presumably) secure location that gives you an array of IT resources whenever and wherever you want them. Tech companies like Amazon, Microsoft and Google have built massive clusters of computing power and data storage that can be rented out using their own applications, or as a host for the customer’s software tools. Cloud services are now ubiquitous. If you are using Twitter, Facebook, Office 365 or Box, or just doing a Google search, you are flying in the cloud.
It may come as a surprise to some Millennials that the cloud is not new. It is the result of an evolution of networked mainframe computers that began in the 1950s, leading to the development of “virtual machines” that combined the capabilities of several real ones. As telecommunications shifted to digital, these bundles of remote hardware became a powerful platform for business to increase efficiency by buying computing resources on an as-needed basis.
In the world of trade secrets, the cloud has wrought fundamental change. Software companies used to worry about their customers reverse engineering their products distributed on CDs. Now they put those applications in the cloud, so the customer only has access to its own data and outputs. And the massive and inexpensive capacity of the cloud has enabled companies to generate a new class of assets, including analytics from “big data.” Finally, the cloud has given industry the option to outsource all or part of the information security management function to full-time specialists.
But sending out your data to be stored and manipulated can be like sending out your shirts to be washed—they can get mixed up with other people’s clothes, and you are counting on the laundry to keep everything separated and organized. Even if you prefer the metaphor of putting your jewels in the hotel’s main safe, you need to realize that they are no longer in your control, and you don’t personally know the fellow who works behind the desk. It is this fundamental set of risks that represents the dark, threatening side of the cloud.
The nature and extent of risks to data security differ according to the type of service that the Cloud Service Provider (CSP) offers, as well as its commitment to overall security. The “public cloud” is like a dormitory or public swimming pool. Your information may be rubbing shoulders with others’, possibly including competitor data stored on the same server, so techniques for data isolation will be very important. A “private cloud” is like having everything run on your own servers, but management and location can be outsourced for efficiency.
In between are “hybrid” environments, in which data and applications are distributed among multiple clouds, one or more of which may be public or private, according to needs, risk reduction and cost. There is also the option of a “community cloud” in which multiple organizations with similar interests band together to create a shared private cloud, which can be managed and hosted internally or externally.
All of these models share to some extent the basic prospect of increased efficiency and reliability by not doing everything yourself on your own network of servers. But to the extent you’re not doing it yourself, you’re trusting that others will do it right, and that presents a potentially unknown level of risk to your data assets.
A nominal security advantage of the cloud is that this is the business of the CSPs, and presumably they commit serious resources to hiring the best professionals and installing and maintaining the best security tools. However, as with any other service, there are a lot of options, and unfortunately a lot of variability in quality. According to McAfee, a security firm, only 10% of today’s 25,000 CSPs provide encryption for stored data.
So what should businesses look for in a cloud service?
There is a legal dimension to this question, since being able to uphold your trade secret rights in court requires that you exercise “reasonable efforts” to protect them yourself. Your efforts will be judged in hindsight, and in any event you should view the standard as a minimum, not an aspiration. This means doing the due diligence to find out what sort of risks you may be taking on with a CSP, and working to minimize them.
First, be realistic about the risks to your data. According to the McAfee report, 80% of companies experience third party theft of cloud-stored data each month, with an average rate of 12 incidents per month. Chillingly, the report claims that cloud credentials for 92% of companies are for sale on the “Dark Web.” (Does this make you feel better about the value of two-factor authentication?)
Second, find out what the CSP does about security, and how it aligns with the policies and procedures of your organization. Are they certified under the ISO 27000 series of standards and do they guarantee continued compliance? Look for robust controls in the four primary areas of information security: deterrence, protection, detection and incident response. What features come as part of a package, and what options exist for enhancing them?
Third, learn how the provider actually manages specific security issues. Do they outsource any of their own infrastructure? How do they address internal threats from their own personnel? How do they guarantee separation of data? How will they ensure proper deletion of data?
Fourth, and speaking of guarantees, what does their contract say about the issues that matter most? Do they acknowledge that your data belongs to you? (About half will fail that test.) Do they accept liability for loss or contamination of your data? Do they guarantee logging and audit trails that will allow you to comply with existing and emerging government standards for data management compliance?
Finally, take a look in the mirror and accept that when you share your data with anyone, security becomes a shared responsibility. Make sure that you have robust software tools to help you monitor and receive alerts about what is going on. And take the opportunity to review carefully your own internal procedures, especially authentication protocols. Security management in the cloud forms a chain, and you may be its weakest link.
Over the course of two weeks, the United States has imposed tariffs on hundreds of billions of dollars of Chinese goods and has blacklisted Huawei, the world’s largest telecommunications company, on national security grounds. Google, Intel, Qualcomm and Micron have announced that they will stop doing business with the company. The United States has even threatened to withhold intelligence from our key allies if they go forward with plans to use Huawei equipment.
Although there are many issues driving this newly escalated trade war between the United States and China, chief among them is the concern that China and its companies are engaged in intellectual property theft. Say what? Upend global markets over infringement of private technology rights? This must be pretty serious. Let’s take a closer look.
First, a bit of historical perspective. Spying between countries to get access to military and other state secrets has been common for thousands of years. Economic espionage arguably got its start 500 years ago, with the introduction of patent laws, which at the time rewarded whoever was first to import useful technology into the country. No need to be an inventor; just find something new and hurry back to your home country’s patent office.
When I was working at the United Nations in Geneva, we encouraged developing countries to adopt strong IP laws. Their diplomats often took pleasure in reminding me that the United States had launched its industrial revolution with textile technology stolen from England. (You can find the real story of Samuel Slater’s 18th century escapades here.)
By the middle of the 20th century, America had become an economic superpower, and it witnessed Japan rebuilding its economy with cheap knockoffs of U.S. merchandise and some outright trade secret theft. However, over time, Japanese industry innovated, and laws protecting intellectual property followed. The same natural progression based on self-interest in domestic innovation happened in South Korea, which now has a very strict set of laws protecting trade secrets.
For China, going from industrial copycat to tiger (or more appropriately, dragon) has followed a similar path. For example, starting from scratch in the 1980s, China took only 30 years to build the largest and one of the most respected patent systems in the world. This was possible only because the government established domestic innovation and the intellectual property to accelerate it as top strategic priorities. And it has made considerable progress in harmonizing its laws, as I have recently explained.
But China is a special case when it comes to risk of information loss. Not only is it roughly the same size as the U.S. market, but its economy blossomed during the global transition to the information age. That means that secrets are much easier to acquire than back when everything was on paper. And given our dependence on global networks for the transmission of critical data assets, it’s easy to see why Huawei, building the gear to drive those networks, seems like a serious threat. This is so even though the company is privately owned and insists that it will not obey any orders from the government to tap into the systems it is building; after all, critics point out, China’s economy is controlled by the Communist Party.
This begs the question of what to do about the problem. The Trump administration has decided that China has more to lose than the United States in a trade war, and so it has turned to tariffs, and the banning of Huawei, as a way to squeeze the Chinese and force them to stop stealing, reform their laws and open their markets. Coercion can sometimes work, I suppose (unlike the president, I have not written a book on how to make a deal). But history, and the fundamentals of negotiation, point to serious danger.
When one party to a transaction raises the stakes to existential levels to get attention, it risks that the other party will be driven away, not just from the transaction, but also the relationship. Here, the Chinese show more signs of digging in than backing down. Within days of the tariff announcement, China’s president, Xi Jinping, together with the vice-premier responsible for U.S. trade negotiations, paid a very public visit to a large factory processing rare earths, the ingredients essential to lithium ion batteries and other modern technologies. China controls 90% of the world’s supply. And the chosen factory happened to be located in Jiangxi, where in 1934 the Communist Party began its famous “Long March,” a 4,000-mile strategic retreat in painful preparation for its eventually successful fight against the Nationalist forces of Chiang Kai-shek.
The message could not have been weightier or clearer. China is preparing its government and people for a long struggle against the increasingly adversarial United States. It has vowed to “take all necessary measures” in response to the blacklisting of its national champion Huawei, which could result in reinforcement of Huawei’s position in markets not controlled by the United States. According to the company, it has stockpiled critical components as it prepares to manufacture its own semiconductors, freeing it from reliance on U.S. manufacturers.
While it’s possible that the U.S. strategy may produce some sort of agreement in the short term, it’s at least as possible that another result will be the long-term “decoupling” of the Chinese and U.S. economies. That outcome would cause significant harm not only to U.S. industry, which continues to see China as a growing market (trade between the two countries tripled from 2004 to 2018, reaching $660 billion), but also to the global technology-based economy, which relies on common standards and accessible markets.
While the concerns around trade secret theft are real and need serious attention, we should be considering ways to address them that don’t create so much risk of collateral damage. We should accept that China is a controlled economy and that certain aspects of its governance will not change to match our own. As we have done in the past—most notably beginning with the 1994 negotiations leading to the TRIPS Agreement—we should engage in multilateral diplomacy to establish new agreements for the robust enforcement of intellectual property rights, including trade secrets. And we should use our current technological advantage to develop a new generation of encryption tools and other measures to detect and prevent espionage. This would mimic the framework for trade secret protection in our own country, where we provide strong enforcement mechanisms but also require that companies exercise their own “reasonable efforts” to reduce their information security risk.
U.S. industry has invested decades of effort and billions of dollars in securing footholds in the Chinese market, which holds enormous promise over the long term. Our domestic companies have come to rely on global supply chains, most of which run through China. It would be very difficult to disentangle and relocate all those supply relationships. And in the meantime, China has the power to cause our businesses a world of hurt. It’s not just about rare earths. China provides 95% of the world’s fireworks. Think about that during the upcoming Independence Day celebrations.
What is at stake in this trade war animated largely by intellectual property is nothing less than the life blood of global trade. Innovation is like growing fruit trees. You get the best results from cross-pollination. While we should not tolerate theft of our intellectual capital, neither should we give up the chance to find mutual benefit from old-fashioned diplomacy and negotiation. We worked hard to interest China in joining the World Trade Organization and other multilateral institutions so that we could all enjoy the synergies of free trade; we should consider making more use of those institutions and relying less on unilateral boycotts.
Laws to support trade secret rights are critical to the information economy. It may seem counterintuitive, but by enforcing confidential relationships through trade secret laws we make it possible to disseminate and commercialize innovation. Erecting a new iron curtain that separates technology markets and standards between Chinese and American spheres of influence would seriously diminish that effort.
Yes, it’s important to stand up against theft of IP; but creating new barriers may not be the best way to do that. As Denzel Washington said in the 2014 film The Equalizer, “When you pray for rain, you gotta deal with the mud too.”
In 1994, the United States was winding up the Uruguay Round of trade negotiations leading to the establishment of the World Trade Organization (WTO). Tucked in among the toothbrush and rice tariffs was the Agreement on Trade-Related Aspects of Intellectual Property. The TRIPS Agreement was seen as a breakthrough, setting common standards for protecting IP, including provisions on trade secrets that closely aligned with U.S. law.
Twenty years later, I visited a friend at the WTO to find out what had actually been happening as a result of TRIPS. I was especially interested in what countries had done since 1994 to bring their national laws into harmony with the trade secret requirements. Because each member of the WTO was supposed to submit reports on its compliance, I asked about them. Yes, we have them, my friend told me. They were in boxes in the next room. But no one had ever read them.
Just months before my visit, the European Commission had received an industry report lamenting the legal chaos facing companies that tried to enforce their trade secret rights in Europe. Although every one of the 27 member states of the EU was also a signatory to the TRIPS agreement, virtually none of them was in compliance. In response, the Commission issued a “Directive,” instructing all member states to (finally) harmonize some basic aspects of their trade secret laws.
At about the same time, business interests in the United States were pushing Congress to enact the Defend Trade Secrets Act, and it passed almost unanimously. As part of the bill, Congress expressed deep concern about foreign misappropriation of American secrets, demanding regular progress reports.
It seems that governments have been waking up to the serious challenge of trade secret theft.
To better inform its members about this emerging phenomenon, the International Chamber of Commerce in 2017 established a Task Force on Trade Secrets, which has just issued its report, available here. I was privileged to serve as co-chair of this effort, along with Stefan Dittmer of Dentons in Berlin. Although the primary focus of our study was the push for new laws in Europe and the U.S., it includes observations and lessons relevant to leaders and policymakers across all jurisdictions.
One key aspect of our analysis focused on the challenge of dealing with trade secret disputes in countries with a civil law tradition, which is to say most of the world outside the U.S., the U.K. and the Commonwealth. Trade secret theft almost always happens without the victim’s knowledge, and so to present its case the owner needs access to evidence of what happened. But civil law jurisdictions do not provide for information exchange between parties to a lawsuit. Since changing their basic legal framework (and especially embracing the U.S. civil discovery system) is not an option, countries attempting to address the problem have to find other solutions.
The most promising of these involves shifting the burden of proof in cases where the circumstantial evidence seems strong—such as the development of a similar product in an unusually short time after access to the plaintiff’s secrets—and requiring the defendant to prove independent development. This was considered in China last year as an amendment to its Anti-Unfair Competition Law (AUCL), but didn’t make it into the final version. However, very recently—perhaps influenced by ongoing trade negotiations with the United States—China has announced that this provision has been approved as part of new Article 32 of the AUCL, along with the right to seek quintuple damages as a deterrent. (Thanks to Jill Ge of Clifford Chance for the update). Although we need to see how the new law will be applied in practice, it is a very encouraging development.
Countries can also turn to a more classical approach by treating trade secret theft as a crime, which allows the state to gather evidence through a seizure. In 2013, Taiwan added criminal remedies to its trade secret statute, and in 2016 Japan expanded the scope of its existing criminal law to theft of Japanese secrets committed outside of Japan. Both of those changes came as a result of highly publicized civil cases brought by leading domestic companies.
Back in the United States the Trump administration has recently signaled an increased enthusiasm for criminal investigations involving foreign actors. In November 2018, UMC, a leading semiconductor company in Taiwan, was indicted along with a Chinese partner Jinhua, for allegedly stealing secrets from U.S.-based Micron. For the first time since the Economic Espionage Act was passed in 1996, the government also requested an injunction barring imports of certain devices. And in January 2019, the Justice Department indicted China’s Huawei for stealing trade secrets from T-Mobile, even though a jury in the civil case brought by T-Mobile had declined to award any damages. In addition to trade secret theft, the government charged obstruction, based on Huawei’s having engaged in a “bogus investigation” of the incident.
We’ve come a long way since the 1994 TRIPS Agreement, which didn’t seem to generate much interest in trade secret laws. Now, with industry’s increased reliance on data and the willingness of international businesses to plead their case to policy makers, governments around the world are recognizing trade secrets as an asset class that demands special treatment. The Report of the ICC Task Force on Trade Secrets provides a checklist of leading issues to inform efforts to improve domestic laws: (1) give trade secrets their due as a form of “intellectual property;” (2) provide the victim access to proof of misappropriation; (3) ensure that secrets are protected during litigation; (4) award full damages and costs; and (5) avoid creating broad exceptions to trade secret rights.
It’s unfortunate that no one read any of those TRIPS reports years ago. I urge you to take a look now at the ICC report. You’ll come away with a better understanding of how data assets, which travel the world at the speed of light, demand a coordinated approach from governments and industry
The most important and immediate goals for reforming patent eligibility are predictability, predictability and predictability. This framework, coming from legislators who understand the value to our country of a robust and sensible patent system, is exactly the right approach. It will restore much-needed certainty to the acquisition and enforcement of patent rights, reducing costs for all stakeholders.