When one company looks at buying another, the potential buyer engages in a “due diligence” process designed to help it fully understand the relevant risks and opportunities before the deal is done. In today’s digital economy, most business assets are intangible, and so intellectual property (IP) is among the most meaningful of the variety of issues that an acquirer needs to examine. But while most due diligence checklists include dozens of questions pointed at the target company’s patents, trademarks, and copyrights, trade secrets get relatively little attention, often limited to a single request to confirm that the target has some system in place to protect its secrets from unauthorized disclosure.
This light touch on trade secrets, compared to the other forms of intellectual property, can seem bewildering when you consider that secrecy has been shown repeatedly to be the preferred method of protecting commercial innovation. Moreover, with so many companies turning to data collection and analysis as a way to enhance their competitive position, one would think that trade secrets should get top billing in any assessment of a commercial transaction. That it frequently doesn’t may reflect the roots of trade secrets in state common law, distinct from the registered IP rights, which can be counted and more easily valued. Even though we now have legislation at the state (Uniform Trade Secrets Act) and federal (Defend Trade Secrets Act) levels, trade secrets may still seem relatively mysterious to many of the corporate lawyers who lead due diligence efforts in connection with acquisitions. Or those lawyers may just assume that these issues are being handled by the company’s IP specialists.
Some industries and companies typically pay close attention to their most valuable secrets, due to the nature of their businesses. Examples include chemical manufacturers, biotech companies with their heavy emphasis on R&D, and to a certain extent software companies that increasingly locate their core algorithms in a private cloud, where customers can use the tool but not look inside. But a lot of what makes any business valuable consists of more dispersed technoloy, including knowing what not to do (“negative know-how”) and insights drawn from data analytics that in turn drive marketing strategies.
Based on anecdotal experience, it seems that, with some exceptions where the acquirer pays very close attention, there is often a disconnect between the perceived importance of information assets in the abstract and how they are actually treated in the context of planning, investigating, and executing business combinations. Even where these assets might seem not to matter very much, as when the acquirer plans an “acquihire” (buying the company just to get its smart employees), there is still reason for concern, since trade secrets reside largely in the heads of individual actors, who may or may not stay around after the deal is done.
All businesses face risks in connection with their information assets, more or less constantly. That’s a necessary result of the trend toward “open innovation,”2 coupled with the fact that the systems used for storage and communication of data allow wide access to hundreds or thousands of individuals and are to one degree or another insecure. A lot can be done to manage those risks on an ongoing basis, but the potential acquisition presents a uniquely fraught circumstance compared to other relationships because the parties’ interests at the outset are not necessarily aligned, and the time frame for dealing with some very complex and challenging issues is often quite short. Both sides in the deal must confront significant risks resulting from the understandable anxiety that each experiences (or should experience) from sharing or receiving highly confidential information.
Let’s first consider the target company. Classically, the biggest hazard faced by the target is the almost existential risk that it will expose its core secrets to a suitor who ultimately walks away from the deal and goes into direct competition. And while that fear is legitimate and should inform any number of protective strategies, it may make more sense to first recognize a somewhat counterintuitive problem: the risk of success. By this I mean that if the deal goes through, the target will have to provide very extensive “reps and warranties”—essentially guarantees about the ownership and security of its information assets and freedom from third-party claims. Here is an example, cast in the typically overburdened prose of commercial transaction documentation:
The Company and each of its Subsidiaries have taken all commercially reasonable measures to protect and preserve the confidentiality of any Trade Secrets that comprise a material part of the Company IP. To the knowledge of the Company, all use and disclosure of Trade Secrets owned by another Person by the Company or any of its Subsidiaries have been pursuant to the terms of a written agreement with such Person, or such use and disclosure by the Company or any of its Subsidiaries was otherwise lawful.
The prospect of signing on to these guarantees represents a challenge because the target needs to start preparing for this responsibility very early in the process, by revisiting its trade secret protection program, as well as its compliance with outstanding confidentiality agreements. Of course, this can also be viewed as an opportunity to enhance trade secret governance, no matter the outcome of the proposed acquisition. IP counsel advising the target company can be very helpful in directing this analysis, including identifying specific areas of risk and setting priorities for management action.
But the deeper and more consequential concern is that the transaction will not come to pass, and the purported acquirer turns into a competitor made more capable and threatening by virtue of having had access to the target’s secrets. Here too, reducing this dimension of risk begins with getting the house in order regarding trade secret management. The first step in taking adequate precautions is to know what trade secrets you have, how they are represented (in code, in process documents, in the head of the fellow who operates the production line, etc.), and what their value is to the company. The latter can be an expression of how much they contribute to profitability due to increased efficiency, for example, or of the damage that would be caused if the information fell into the hands of a competitor. Either way, addressing in a disciplined way the relative value of the target’s major categories of information assets will inform the extent of risk taken in the coming negotiations over how much of it the suitor will be allowed to see and under what conditions, as well as perhaps the financial terms of the hoped-for acquisition.
The starting point for disclosure must be a robust nondisclosure agreement (NDA) by which the potential acquirer acknowledges the confidential nature of the process and promises not to disclose or use any confidential information other than to evaluate the possible deal. This contract has to be negotiated at the outset, separately from the terms of the eventual transaction (although executing a concurrent letter of intent is quite common), and before any secrets are exposed. From the target’s perspective, the NDA needs to include a broad definition of “confidential information,” allowing for only the standard exceptions for information that is publicly known, developed by the recipient independently of its exposure to the secrets, provided properly by a third party, or already in the recipient’s possession (the latter should be limited to what can be demonstrated by contemporaneous records).
To the extent possible, the target should resist agreeing to a “residuals clause,” which removes from coverage any information that is “retained in the unaided memory” of the people who are to have access to the target’s secrets. Although there may be good reasons for the potential buyer to want such protection for itself (see discussion below on this point), the practical effect can be to grant a license to the target’s secrets. Not only does this open up the possibility of unfair competition from the buyer if the deal doesn’t go through; it also imperils the general enforceability of the target’s secrets as to others, because they can claim that the information has not been the subject of “reasonable efforts” to protect it, a necessary element of establishing trade secret rights.
Another significant provision from the perspective of the target addresses what to do about verbal disclosures of secret information. The buyer’s NDA may limit confidential information to what is contained in documents that are prominently designated as confidential. But the due diligence process normally includes interviews in which additional sensitive information may be revealed. It is important that the target at least have the opportunity to identify this information in a written communication within a specific time following disclosure. And speaking of time, the target should consider very carefully any attempt to limit the term of the recipient buyer’s confidentiality obligations. Again, such a limitation (typically three to five years) is rational and reflects the other party’s interest in avoiding the administrative burden of perpetual compliance. But as with the residuals clause, putting a limit on the period of confidentiality can have the effect of granting a license when the period expires; so the target must be comfortable that none of the shared information will remain valuable after that time.
Whatever the terms of the NDA, there will remain some risk that information will be misused beyond the target’s awareness or ability to prevent. Therefore, it also needs to focus on the process of disclosure, to ensure that information is only transferred when and to the extent that it needs to be. In general, it is a good idea to use “progressive incremental disclosure,” starting with an exchange of nonconfidential data, and then working gradually through increasingly sensitive information as trust and confidence between the parties build. Each stage thereby provides a basis for understanding the value and risk of moving to the next stage. For some highly sensitive information, special restrictions might include limiting disclosure to named individuals or under supervision without the ability to copy or take notes. And it may even be possible to negotiate for a limited disclosure of certain items, or certain details, leaving full disclosure to occur only after closing. Sometimes the acquirer will accept such terms because it has been able to make a sufficient assessment based only on partial access and the deal otherwise has enough momentum to justify it.
In contrast to the target, the buyer’s major risk, besides overlooking some aspect of the target’s data assets, is in its exposure to information that might be relevant to the company’s own R&D or other business transactions. These concerns for potential “information contamination” are most acute when the company has an existing plan to develop related technoloy in-house but wants to compare that possibility to what it might be able to acquire outside. This is known as the “make vs. buy” conundrum, and it is fraught with hazards.
The reason we refer to this situation as a conundrum is that the potential acquirer has separate interests that tend to compete with each other. For example, it wants to know as much as it can about the target’s technoloy and strategies, so that it can adequately assess the transaction. But at the same time, acknowledging that the deal may not happen, it also wants to protect its own freedom to operate and so would like to keep exposure to the target’s secrets to a minimum. This ambivalence is sometimes compounded by different internal agendas, typically because of the related internal development program, whose leaders naturally would like to win the “make vs. buy” contest. This can lead to their breaching the wall between their group and the deal team, as they try to better understand the competition.
The challenge is much greater if no such barrier was erected to begin with. In Nilssen v. Motorola, the court denied summary judgment on the defendant’s claim that its competing product was developed independently of the target’s technoloy, because some of the supervisors of the internal project had attended due diligence meetings with the target company’s engineers. As the court explained, “the placement of key employees in a position where they might assimilate a trade secret permits an inference of misappropriation.” The point had been made even more forcefully by the Federal Circuit in Roton Barrier v. Stanley Works, in which the prospective buyer had tried to argue that the personnel exposed to the target’s secrets did not meaningfully participate in the internal development project, but merely supervised others who did the work. The court rejected the argument as “disingenuous.” It also declined to recognize as independent the work of a third party hired by the buyer to manufacture its competing product, because it had been given instructions by those who had access to the target.
Occasionally the breach occurs in a narrower but equally dramatic way, as when the buyer’s outside patent attorney is tasked with reviewing the target’s unpublished patent application to assess its strength. This was the situation in X-IT Products v. Walter Kidde, in which the court denied summary judgment to the defendant because the draft claims in the application were deemed to reflect the target’s confidential assessment of the most protectable features. The attorney had passed on this information, together with a list of cited prior art from the application, to an associate who was working on an application for the defendant in a related field. Although the defendant managed to demonstrate independent work in every other respect, this leakage was enough to deny summary judgment.
Transgressions like these can have serious consequences beyond exposure to a damage award. In Den-Tal-Ez v. Siemens, the buyer falsely assured the target that it was no longer interested in acquiring a competitor, while in fact it was conducting meetings in parallel and ultimately chose the competitor. Having been exposed to the plaintiff’s manufacturing facilities and technical know-how, the buyer was enjoined from completing its intended acquisition, or acquiring any other competitor, for a period of three years. The injunction was affirmed based on a theory of threatened misappropriation, which the court deemed “inevitable.”
While some of these mistakes are operational, the potential acquirer’s first line of defense against liability is an NDA carefully constructed to cabin its exposure. Ideally, the contract should limit protected information to that which is provided by the target in writing and clearly marked as confidential. If verbal disclosures are to be permitted, they should be effective only if confirmed in a specific writing within a brief period. (Note that someone on the recipient’s side should be tasked with receiving and verifying the contents with those involved in the disclosure.)
Whether or not the prospective buyer is engaged in development of a competing product or service, it is wise to include in the NDA an acknowledgment that it may be so engaged, and that there have been no representations of exclusivity, the buyer being free to consider the acquisition of alternative businesses or technologies. The most reliable way for the buyer to protect its freedom is by insisting on a “residuals clause,” typically some variation of the following:
Discloser agrees that the disclosure of Confidential Information to Recipient shall not impair the right of Recipient to engage in its business, including the development of products and services that are competitive with that of Discloser, provided that Recipient does not breach this Agreement. Therefore, it is agreed that Recipient may use Residuals for any purpose. “Residuals” means any information retained in the unaided memories of the Recipient’s employees who have had access to the Discloser’s Confidential Information pursuant to this Agreement. An employee’s memory is unaided if the employee has not intentionally memorized the information for the purpose of retaining and subsequently using or disclosing it in violation of this Agreement.
Other important provisions of the NDA include setting a time when confidentiality will expire (this may prompt push-back from the target, but particularly if there is no residuals clause the administrative burden of perpetual management of the exposure can be a very legitimate concern) and a choice of law and forum (critical for cross-border deals). A requirement to arbitrate disputes may also be helpful, especially as a way to ensure confidentiality.
No matter how complete and robust the contract governing the transaction, effective due diligence requires very close management of the process. Generally speaking, complete, documented separation should be maintained between those who have access to the target’s secrets (the “clean team”) and those who are engaged in internal development. For particularly sensitive situations, such as where the company has an ongoing project that is directly competitive, it may be wise to employ a third party to handle the diligence, or the relevant portion of it, and to report back only their recommendations. And there may be some information that is so highly confidential that the target is unwilling to provide access at all before closing. This then becomes a matter of assessing the risk, which may be mitigated to an extent through representations and warranties in the transaction documents.
Having identified, allocated, and controlled the risks as appropriate, diligence proceeds with the objective of learning as much as possible about the target’s trade secrets and how they are protected and deployed. Among the documents to be examined should be employee and consultant confidentiality and invention assignment agreements, third party NDAs and related contracts, policies and procedures regarding trade secret protection, training programs, records of R&D, and licenses or other agreements reflecting ownership and control (including the ability to transfer to the acquirer), such as joint development or funding relationships.
Examination of the target’s trade secret protection program is not about checking a box, but should be as thorough as necessary to assess whether it at least meets the “reasonable efforts” element of secrecy as defined by the Uniform Trade Secrets Act and the Defend Trade Secrets Act. Interpreting that provision, the courts expect the trade secret holder to balance the value of the information against the risk of loss, measured against the cost of various measures that could reduce or eliminate the risk. A good description of this basic risk management approach in practice is provided by CREATe.org.
The due diligence process should also address the following questions:
Finally, assuming that the acquisition proceeds, the buyer should have created a thoughtful plan for integration of the target’s workforce. Corporate cultures and practices around treatment of confidential information vary greatly. Employees at a very small company may not be used to the controls required in a more hierarchical organization. Even companies of equivalent circumstances may have established different approaches. The integration plan should combine the best information access and security measures from each, just as with other aspects of their operations. Whatever the decision regarding ongoing structures, the surviving company should institute a rigorous and ongoing training program, with regular follow-up.
Management of trade secrets is fraught with competing interests. There is the tradeoff between security and inconvenience—for example, the annoying wait for a special code to allow “two-factor identification” when you already have your password handy. There is trusting your employees while knowing they might leave to join a competitor. And there is the tension between corporate secrecy and the public interest, such as when the fire department insists on knowing what toxic chemicals are used in your facility.
And now we have the cloud (like “internet,” its ubiquity merits lower case), which offers unparalleled convenience and flexibility to outsource corporate data management to others. But moving IT functions outside the enterprise creates new vulnerabilities for that data, which happens to be the fastest growing and most valuable category of commercial assets. So understanding this environment has to be a high priority for business managers.
The cloud has given us multiple acronyms, like SaaS (software as a service), PaaS (platform as a service), and IaaS (infrastructure as a service). But it’s not as complicated as it sounds. From the customer’s perspective, the cloud is just a bunch of linked servers in some (presumably) secure location that gives you an array of IT resources whenever and wherever you want them. Tech companies like Amazon, Microsoft and Google have built massive clusters of computing power and data storage that can be rented out using their own applications, or as a host for the customer’s software tools. Cloud services are now ubiquitous. If you are using Twitter, Facebook, Office 365 or Box, or just doing a Google search, you are flying in the cloud.
It may come as a surprise to some Millennials that the cloud is not new. It is the result of an evolution of networked mainframe computers that began in the 1950s, leading to the development of “virtual machines” that combined the capabilities of several real ones. As telecommunications shifted to digital, these bundles of remote hardware became a powerful platform for business to increase efficiency by buying computing resources on an as-needed basis.
In the world of trade secrets, the cloud has wrought fundamental change. Software companies used to worry about their customers reverse engineering their products distributed on CDs. Now they put those applications in the cloud, so the customer only has access to its own data and outputs. And the massive and inexpensive capacity of the cloud has enabled companies to generate a new class of assets, including analytics from “big data.” Finally, the cloud has given industry the option to outsource all or part of the information security management function to full-time specialists.
But sending out your data to be stored and manipulated can be like sending out your shirts to be washed—they can get mixed up with other people’s clothes, and you are counting on the laundry to keep everything separated and organized. Even if you prefer the metaphor of putting your jewels in the hotel’s main safe, you need to realize that they are no longer in your control, and you don’t personally know the fellow who works behind the desk. It is this fundamental set of risks that represents the dark, threatening side of the cloud.
The nature and extent of risks to data security differ according to the type of service that the Cloud Service Provider (CSP) offers, as well as its commitment to overall security. The “public cloud” is like a dormitory or public swimming pool. Your information may be rubbing shoulders with others’, possibly including competitor data stored on the same server, so techniques for data isolation will be very important. A “private cloud” is like having everything run on your own servers, but management and location can be outsourced for efficiency.
In between are “hybrid” environments, in which data and applications are distributed among multiple clouds, one or more of which may be public or private, according to needs, risk reduction and cost. There is also the option of a “community cloud” in which multiple organizations with similar interests band together to create a shared private cloud, which can be managed and hosted internally or externally.
All of these models share to some extent the basic prospect of increased efficiency and reliability by not doing everything yourself on your own network of servers. But to the extent you’re not doing it yourself, you’re trusting that others will do it right, and that presents a potentially unknown level of risk to your data assets.
A nominal security advantage of the cloud is that this is the business of the CSPs, and presumably they commit serious resources to hiring the best professionals and installing and maintaining the best security tools. However, as with any other service, there are a lot of options, and unfortunately a lot of variability in quality. According to McAfee, a security firm, only 10% of today’s 25,000 CSPs provide encryption for stored data.
So what should businesses look for in a cloud service?
There is a legal dimension to this question, since being able to uphold your trade secret rights in court requires that you exercise “reasonable efforts” to protect them yourself. Your efforts will be judged in hindsight, and in any event you should view the standard as a minimum, not an aspiration. This means doing the due diligence to find out what sort of risks you may be taking on with a CSP, and working to minimize them.
First, be realistic about the risks to your data. According to the McAfee report, 80% of companies experience third party theft of cloud-stored data each month, with an average rate of 12 incidents per month. Chillingly, the report claims that cloud credentials for 92% of companies are for sale on the “Dark Web.” (Does this make you feel better about the value of two-factor authentication?)
Second, find out what the CSP does about security, and how it aligns with the policies and procedures of your organization. Are they certified under the ISO 27000 series of standards and do they guarantee continued compliance? Look for robust controls in the four primary areas of information security: deterrence, protection, detection and incident response. What features come as part of a package, and what options exist for enhancing them?
Third, learn how the provider actually manages specific security issues. Do they outsource any of their own infrastructure? How do they address internal threats from their own personnel? How do they guarantee separation of data? How will they ensure proper deletion of data?
Fourth, and speaking of guarantees, what does their contract say about the issues that matter most? Do they acknowledge that your data belongs to you? (About half will fail that test.) Do they accept liability for loss or contamination of your data? Do they guarantee logging and audit trails that will allow you to comply with existing and emerging government standards for data management compliance?
Finally, take a look in the mirror and accept that when you share your data with anyone, security becomes a shared responsibility. Make sure that you have robust software tools to help you monitor and receive alerts about what is going on. And take the opportunity to review carefully your own internal procedures, especially authentication protocols. Security management in the cloud forms a chain, and you may be its weakest link.
Over the course of two weeks, the United States has imposed tariffs on hundreds of billions of dollars of Chinese goods and has blacklisted Huawei, the world’s largest telecommunications company, on national security grounds. Google, Intel, Qualcomm and Micron have announced that they will stop doing business with the company. The United States has even threatened to withhold intelligence from our key allies if they go forward with plans to use Huawei equipment.
Although there are many issues driving this newly escalated trade war between the United States and China, chief among them is the concern that China and its companies are engaged in intellectual property theft. Say what? Upend global markets over infringement of private technology rights? This must be pretty serious. Let’s take a closer look.
First, a bit of historical perspective. Spying between countries to get access to military and other state secrets has been common for thousands of years. Economic espionage arguably got its start 500 years ago, with the introduction of patent laws, which at the time rewarded whoever was first to import useful technology into the country. No need to be an inventor; just find something new and hurry back to your home country’s patent office.
When I was working at the United Nations in Geneva, we encouraged developing countries to adopt strong IP laws. Their diplomats often took pleasure in reminding me that the United States had launched its industrial revolution with textile technology stolen from England. (You can find the real story of Samuel Slater’s 18th century escapades here.)
By the middle of the 20th century, America had become an economic superpower, and it witnessed Japan rebuilding its economy with cheap knockoffs of U.S. merchandise and some outright trade secret theft. However, over time, Japanese industry innovated, and laws protecting intellectual property followed. The same natural progression based on self-interest in domestic innovation happened in South Korea, which now has a very strict set of laws protecting trade secrets.
For China, going from industrial copycat to tiger (or more appropriately, dragon) has followed a similar path. For example, starting from scratch in the 1980s, China took only 30 years to build the largest and one of the most respected patent systems in the world. This was possible only because the government established domestic innovation and the intellectual property to accelerate it as top strategic priorities. And it has made considerable progress in harmonizing its laws, as I have recently explained.
But China is a special case when it comes to risk of information loss. Not only is it roughly the same size as the U.S. market, but its economy blossomed during the global transition to the information age. That means that secrets are much easier to acquire than back when everything was on paper. And given our dependence on global networks for the transmission of critical data assets, it’s easy to see why Huawei, building the gear to drive those networks, seems like a serious threat. This is so even though the company is privately owned and insists that it will not obey any orders from the government to tap into the systems it is building; after all, critics point out, China’s economy is controlled by the Communist Party.
This begs the question of what to do about the problem. The Trump administration has decided that China has more to lose than the United States in a trade war, and so it has turned to tariffs, and the banning of Huawei, as a way to squeeze the Chinese and force them to stop stealing, reform their laws and open their markets. Coercion can sometimes work, I suppose (unlike the president, I have not written a book on how to make a deal). But history, and the fundamentals of negotiation, point to serious danger.
When one party to a transaction raises the stakes to existential levels to get attention, it risks that the other party will be driven away, not just from the transaction, but also the relationship. Here, the Chinese show more signs of digging in than backing down. Within days of the tariff announcement, China’s president, Xi Jinping, together with the vice-premier responsible for U.S. trade negotiations, paid a very public visit to a large factory processing rare earths, the ingredients essential to lithium ion batteries and other modern technologies. China controls 90% of the world’s supply. And the chosen factory happened to be located in Jiangxi, where in 1934 the Communist Party began its famous “Long March,” a 4,000-mile strategic retreat in painful preparation for its eventually successful fight against the Nationalist forces of Chiang Kai-shek.
The message could not have been weightier or clearer. China is preparing its government and people for a long struggle against the increasingly adversarial United States. It has vowed to “take all necessary measures” in response to the blacklisting of its national champion Huawei, which could result in reinforcement of Huawei’s position in markets not controlled by the United States. According to the company, it has stockpiled critical components as it prepares to manufacture its own semiconductors, freeing it from reliance on U.S. manufacturers.
While it’s possible that the U.S. strategy may produce some sort of agreement in the short term, it’s at least as possible that another result will be the long-term “decoupling” of the Chinese and U.S. economies. That outcome would cause significant harm not only to U.S. industry, which continues to see China as a growing market (trade between the two countries tripled from 2004 to 2018, reaching $660 billion), but also to the global technology-based economy, which relies on common standards and accessible markets.
While the concerns around trade secret theft are real and need serious attention, we should be considering ways to address them that don’t create so much risk of collateral damage. We should accept that China is a controlled economy and that certain aspects of its governance will not change to match our own. As we have done in the past—most notably beginning with the 1994 negotiations leading to the TRIPS Agreement—we should engage in multilateral diplomacy to establish new agreements for the robust enforcement of intellectual property rights, including trade secrets. And we should use our current technological advantage to develop a new generation of encryption tools and other measures to detect and prevent espionage. This would mimic the framework for trade secret protection in our own country, where we provide strong enforcement mechanisms but also require that companies exercise their own “reasonable efforts” to reduce their information security risk.
U.S. industry has invested decades of effort and billions of dollars in securing footholds in the Chinese market, which holds enormous promise over the long term. Our domestic companies have come to rely on global supply chains, most of which run through China. It would be very difficult to disentangle and relocate all those supply relationships. And in the meantime, China has the power to cause our businesses a world of hurt. It’s not just about rare earths. China provides 95% of the world’s fireworks. Think about that during the upcoming Independence Day celebrations.
What is at stake in this trade war animated largely by intellectual property is nothing less than the life blood of global trade. Innovation is like growing fruit trees. You get the best results from cross-pollination. While we should not tolerate theft of our intellectual capital, neither should we give up the chance to find mutual benefit from old-fashioned diplomacy and negotiation. We worked hard to interest China in joining the World Trade Organization and other multilateral institutions so that we could all enjoy the synergies of free trade; we should consider making more use of those institutions and relying less on unilateral boycotts.
Laws to support trade secret rights are critical to the information economy. It may seem counterintuitive, but by enforcing confidential relationships through trade secret laws we make it possible to disseminate and commercialize innovation. Erecting a new iron curtain that separates technology markets and standards between Chinese and American spheres of influence would seriously diminish that effort.
Yes, it’s important to stand up against theft of IP; but creating new barriers may not be the best way to do that. As Denzel Washington said in the 2014 film The Equalizer, “When you pray for rain, you gotta deal with the mud too.”
In 1994, the United States was winding up the Uruguay Round of trade negotiations leading to the establishment of the World Trade Organization (WTO). Tucked in among the toothbrush and rice tariffs was the Agreement on Trade-Related Aspects of Intellectual Property. The TRIPS Agreement was seen as a breakthrough, setting common standards for protecting IP, including provisions on trade secrets that closely aligned with U.S. law.
Twenty years later, I visited a friend at the WTO to find out what had actually been happening as a result of TRIPS. I was especially interested in what countries had done since 1994 to bring their national laws into harmony with the trade secret requirements. Because each member of the WTO was supposed to submit reports on its compliance, I asked about them. Yes, we have them, my friend told me. They were in boxes in the next room. But no one had ever read them.
Just months before my visit, the European Commission had received an industry report lamenting the legal chaos facing companies that tried to enforce their trade secret rights in Europe. Although every one of the 27 member states of the EU was also a signatory to the TRIPS agreement, virtually none of them was in compliance. In response, the Commission issued a “Directive,” instructing all member states to (finally) harmonize some basic aspects of their trade secret laws.
At about the same time, business interests in the United States were pushing Congress to enact the Defend Trade Secrets Act, and it passed almost unanimously. As part of the bill, Congress expressed deep concern about foreign misappropriation of American secrets, demanding regular progress reports.
It seems that governments have been waking up to the serious challenge of trade secret theft.
To better inform its members about this emerging phenomenon, the International Chamber of Commerce in 2017 established a Task Force on Trade Secrets, which has just issued its report, available here. I was privileged to serve as co-chair of this effort, along with Stefan Dittmer of Dentons in Berlin. Although the primary focus of our study was the push for new laws in Europe and the U.S., it includes observations and lessons relevant to leaders and policymakers across all jurisdictions.
One key aspect of our analysis focused on the challenge of dealing with trade secret disputes in countries with a civil law tradition, which is to say most of the world outside the U.S., the U.K. and the Commonwealth. Trade secret theft almost always happens without the victim’s knowledge, and so to present its case the owner needs access to evidence of what happened. But civil law jurisdictions do not provide for information exchange between parties to a lawsuit. Since changing their basic legal framework (and especially embracing the U.S. civil discovery system) is not an option, countries attempting to address the problem have to find other solutions.
The most promising of these involves shifting the burden of proof in cases where the circumstantial evidence seems strong—such as the development of a similar product in an unusually short time after access to the plaintiff’s secrets—and requiring the defendant to prove independent development. This was considered in China last year as an amendment to its Anti-Unfair Competition Law (AUCL), but didn’t make it into the final version. However, very recently—perhaps influenced by ongoing trade negotiations with the United States—China has announced that this provision has been approved as part of new Article 32 of the AUCL, along with the right to seek quintuple damages as a deterrent. (Thanks to Jill Ge of Clifford Chance for the update). Although we need to see how the new law will be applied in practice, it is a very encouraging development.
Countries can also turn to a more classical approach by treating trade secret theft as a crime, which allows the state to gather evidence through a seizure. In 2013, Taiwan added criminal remedies to its trade secret statute, and in 2016 Japan expanded the scope of its existing criminal law to theft of Japanese secrets committed outside of Japan. Both of those changes came as a result of highly publicized civil cases brought by leading domestic companies.
Back in the United States the Trump administration has recently signaled an increased enthusiasm for criminal investigations involving foreign actors. In November 2018, UMC, a leading semiconductor company in Taiwan, was indicted along with a Chinese partner Jinhua, for allegedly stealing secrets from U.S.-based Micron. For the first time since the Economic Espionage Act was passed in 1996, the government also requested an injunction barring imports of certain devices. And in January 2019, the Justice Department indicted China’s Huawei for stealing trade secrets from T-Mobile, even though a jury in the civil case brought by T-Mobile had declined to award any damages. In addition to trade secret theft, the government charged obstruction, based on Huawei’s having engaged in a “bogus investigation” of the incident.
We’ve come a long way since the 1994 TRIPS Agreement, which didn’t seem to generate much interest in trade secret laws. Now, with industry’s increased reliance on data and the willingness of international businesses to plead their case to policy makers, governments around the world are recognizing trade secrets as an asset class that demands special treatment. The Report of the ICC Task Force on Trade Secrets provides a checklist of leading issues to inform efforts to improve domestic laws: (1) give trade secrets their due as a form of “intellectual property;” (2) provide the victim access to proof of misappropriation; (3) ensure that secrets are protected during litigation; (4) award full damages and costs; and (5) avoid creating broad exceptions to trade secret rights.
It’s unfortunate that no one read any of those TRIPS reports years ago. I urge you to take a look now at the ICC report. You’ll come away with a better understanding of how data assets, which travel the world at the speed of light, demand a coordinated approach from governments and industry
We all talk about the importance of data as business assets, but when it comes to buying and selling the companies that own them, we seem not to pay much attention. My anecdotal survey reveals that colleagues who focus on mergers and acquisitions confess to a lack of focus on trade secrets.
This may seem odd, even crazy, given the increasing percentage of industrial property represented by intangible assets—up from 17% in 1975 to 84% in 2015. The problem appears to start with the fact that secret information, no matter how central to the success of the business, is mysterious. Unlike the “registered rights” of patent, copyright and trademark, there are no government certificates defining secrets; and valuing them is hard. Add to that the imperative to get deals done faster and cheaper, and it’s easy to see how secrecy may have become the blind spot of transactional IP.
And there are plenty of opportunities to miss things. The statistics for 2018 reflect 49,000 M&A deals worldwide, accounting for $3.8 trillion (yes, trillion) in cumulative value. Given what we know about the extent to which industrial assets are intangible, and given the well-known preference for using secrecy to protect innovations, we would expect that the “due diligence” review for most transactions would include an intense examination of the target company’s trade secret assets and liabilities.
But that’s not what’s happening. I have spoken to quite a few lawyers who participate in this work, and have also reviewed dozens of due diligence “checklists” they typically use to guide their investigations. In many cases I was surprised to learn that trade secrets are not even on the list, crowded out by the “registered” IP rights—patents, trademarks and copyrights—that can be counted and (presumably) more easily valued. And where trade secrets are included, it tends to be a cameo appearance, usually just a note to ask the company how it protects its proprietary information from disclosure. Sometimes, I was told, the “momentum” of a deal leads to a reduction of even these minimal inquiries.
Inattention can have serious consequences. For the target of an acquisition, there is the almost existential risk of exposing core secrets to a suitor who ultimately walks away from the deal and goes into direct competition. But the potential buyer also faces a broad array of hazards, including exposure to information that could compromise its own internal development, failure to uncover liabilities from access to third party data, and ultimately a lack of preparation for the post-closing integration of different confidentiality cultures and processes.
Let’s first consider the target company. It may seem strange, but the target’s first priority should be the risk of success: if the deal goes through, it will have to provide very extensive “reps and warranties”—essentially, guarantees about the security of its information assets and freedom from third-party claims. The target needs to start preparing for this moment early in the process, by revisiting its trade secret protection program as well as its compliance with outstanding nondisclosure agreements (NDAs).
And then there is the more classical risk of the acquirer abandoning the deal after having had a close look at the target’s secret technology, strategies and other data. The best way to address this risk is through what I call progressive incremental disclosure: starting with a non-confidential exchange, and then working gradually through increasingly sensitive information as trust and confidence build. Ultimately, the target needs an NDA with maximum protections, including a broad definition of confidential information and protection for verbal disclosures. Beware of time limits and exceptions like the “residuals clause” (see below).
For the potential acquirer, the primary objectives are to keep options open and avoid unnecessary contamination by the target’s data. That risk is particularly fraught when the company already has an internal development program in place and is going to the market to consider alternatives. The biggest mistake is to include in the deal team people who are also involved in the internal project. Some situations are so sensitive that the potential acquirer may hire a third party to do the due diligence and provide only recommendations, without revealing any of the target’s technology.
The ideal NDA for the suitor is different than for the target, and that initial contract should be very carefully considered and negotiated. To limit administrative burden, obligations of confidentiality should expire after a set time. Verbal disclosures of the target’s secrets, if not forbidden, should be subject to a strict documentation requirement. And where the company has enough leverage, it should insist on a “residuals clause” that allows any use of the target’s information that is “retained in the unaided memory” of the individual participants after all the documents have been returned.
Once confidentiality obligations have been settled, due diligence can begin in earnest. And at least as to trade secrets, this needs to be more than a box-checking exercise. What are the target’s most valuable data assets, how vulnerable are they, and what has the company been doing about that vulnerability? Deploying cybersecurity controls is good but only addresses a fraction of the problem, since the vast majority of losses occur through employees or contractors, or through trusted external relationships. Systems and procedures for managing information risk need to be thoroughly examined.
All of this learning informs not just the decision whether or not to acquire the target company, but also the inevitable challenges that will confront the acquirer after closing the deal, as it attempts to integrate a new group of colleagues who may have been operating under a very different confidentiality regime, or perhaps none at all. The transition plan should account for the policy and process gaps discovered during diligence together with a robust training program to reinforce the new access and security regime.
Participants in the M&A mating dance should not let their enthusiasm for the deal get in the way of a clear understanding of the assets being acquired. There are more than enough business risks to go around, and secrecy management can always be improved. But you have to pay attention to it.
"When I use a word, it means just what I choose it to mean, neither more nor less."
— Humpty Dumpty (to Alice)
It seemed like a trade secret trifecta when Congress in 2011 passed the America Invents Act (AIA). Although the statute was aimed at patent reform, it made three helpful changes in how trade secrets are treated. First, companies could hold onto secret information about an invention without risking invalidation of their patents for failing to disclose the “best mode” of implementing it. Second, the “prior user right” that guarantees continuing use of a secret invention, even if someone else later patents it, was extended to cover all technologies. And third, the law would no longer deny a patent simply because the inventor had already commercialized the invention in a way that didn’t reveal it to the public.
Or so we thought. That last change depended on how you read the legislation. The long-standing requirement that an invention could not be “on sale” or “in public use” more than a year before filing a patent application was still there. But Congress added a qualifier to 35 U.S.C. §102: there would be no patent if the invention had been “in public use, on sale, or otherwise available to the public . . . .”
Before the AIA, the courts were strict about the consequences of choosing trade secret protection over patents. If the inventor used the invention for commercial purposes, the patent clock started ticking, even if the use was behind closed doors and did not inform the public about the invention itself. The same was true of a commercial sale of a product that used the invention, even though the contract of sale was confidential. The only real exception was for “experimental use” to refine the invention before it became ready for patenting. But even getting a prototype tested under a nondisclosure agreement could fail to qualify if there were other terms implying commercialization, like payment to the inventor.
The logic behind this interpretation of “public use” was explained eloquently by Second Circuit Judge Learned Hand in Metallizing Engineering Co. v. Kenyon Bearing & AP Co., 153 F.2d 516 (2d Cir. 1946). An inventor may indefinitely “practice his invention for his private purposes of his own enjoyment and later patent it.” However, once an invention is “ready for patenting” the inventor may not “exploit his discovery competitively” for more than the one-year grace period; otherwise “he forfeits his right regardless of how little the public may have learned about the invention.”
The insertion in the AIA of the phrase “or otherwise available to the public” indicated that Congress intended to change this rule and to provide that only uses or sales that informed the public of the invention would bar a patent. This seemed apparent just from normal standards for interpreting English, in which “otherwise” should be understood to refer to the terms coming before it. In addition, during consideration of the legislation, sponsors of the bill had taken the floor of the Senate to express their views that the new phrase would have the effect of limiting patent forfeiture to situations where the public had been informed of the invention and not just enjoyed its outputs.
Most commentators (myself included) embraced this interpretation of the AIA. And so did the U.S. Patent and Trademark Office (USPTO), which in its official regulations concluded that new section 102 “does not cover secret sales or offers for sales.” It seemed as though companies considering patenting would be able to engage in a variety of transactions to bring the benefit of their innovations to the public without risking their right to patent, so long as they didn’t publicly reveal the specifics of their invention.
Alas, assuming this is what Congress intended, they weren’t clear enough about it. In a case that tested the assumptions of the IP community, the Supreme Court recently decided that the law on public use and sale had not changed with the AIA. In Helsinn Healthcare v. Teva Pharmaceuticals, the owner of a new drug gave exclusive marketing rights to another firm, more than a year before applying for a patent. The agreement itself was publicly announced, but the dosage information claimed in the patent was kept confidential. Although something like a “sale” had taken place, the invention had not at that point been “available to the public.”
No matter, said the Supreme Court. Citing to its opinions going back as early as 1829, the court emphasized the significance of a public “sale” that effectively put the invention in commerce and beyond the ability of the patent system to pull it back. Judicial decisions about public use and sale never required that the invention itself be revealed to the public; and such a long-standing and clear interpretation could not be overturned by the “oblique” language of the AIA.
So where are we now? First, it’s still true that trade secret protection received a big boost from the AIA, through its changes to the “best mode” doctrine and the broad extension of prior user rights, which allow a company that had been practicing an invention in secret to keep using it in spite of a later patent (so long as the location and scope of use don’t change). These amendments removed a significant amount of the “trade secret anxiety” that had been created by patent law.
Basically, companies are free to classify and protect information assets through secrecy, even if the information closely relates to a patented invention, without fear that their patent will be invalidated. And by choosing to use secrecy rather than patenting to protect their innovative technology, executives can still sleep soundly knowing that a later patent can’t block them from continuing to use that technology.
But what about those “secret sales” and “public uses” that aren’t fully public? What can be done to stay out of trouble as the enterprise moves from invention to commercialization? How can you preserve your option to choose between secrecy and patenting as you get closer to market introduction?
One general piece of advice is to file for a patent at the earliest time. (Your patent lawyer can help you decide when an invention is “ready for patenting.”) The AIA was designed to encourage and reward early filing, and one of the best ways to keep your options open is to file a provisional patent application. That application, and the non-provisional application that follows it, remain unpublished for 18 months, giving the business time to consider the relative advantages and drawbacks of a patent over a trade secret, as well as the scope of what might go into a patent and what might be kept out. At any time during the 18-month period the application can be pulled and the information maintained in secret.
Key to avoiding patent forfeiture is to focus on the role of third parties in the process of commercializing your product. This is especially tricky for smaller companies, which can’t always afford to optimize the innovation in-house but have to depend on outsiders to test and improve it. Here, the good news is that you are in control of the risk, so long as you are keenly aware of it. To claim the benefit of the “experimental use exception,” make sure that your external testing programs are focused only on refining the product, not getting paid for it. And require that all participants sign strong nondisclosure agreements.
As your company builds and executes its go-to-market plan, you will often want to sign up distributors, resellers and other partners ahead of a product launch. There’s nothing wrong with that in the abstract, but you need to pay attention to how those transactions might affect your right to file a patent on an important invention. Even if no product has actually changed hands, you might have engaged in a “sale.” And even if no one else knows the still-secret invention you want to patent, your use of it may be deemed “public.”
Yes, this stretches the logic inherent in English grammar. But what can I say? It’s the law.
"I am willing to put the case into any shape you choose."
— Lord Ellenborough, 1816
It’s a challenge to resolve business disputes when emotions run high, which includes almost all trade secret cases. So, I was especially pleased when, in a hard-fought litigation where I had been appointed as a “referee” to resolve discovery disputes, both lawyers eventually reached out to tell me how much they appreciated my involvement in the case, which had settled.
What was it about this variation on typical legal combat—where a private party is selected to rule on some important aspects—that they found so satisfying? First, they had saved their clients a lot of time, and probably money, compared to the cost of dealing with unpredictable court calendars. And second, they felt that the decisions they received were thoughtful, balanced and practical, reflecting an understanding of the relevant business environment.
So-called “private judging” can be particularly useful in trade secret cases between companies. Confidential information of both sides can be more reliably protected. Important context gets the attention it deserves, which is often just not possible for a judge who handles a caseload of several hundred matters. And decisions can be informed by the special background and experience of the person selected to do the job.
The most popular way of getting more streamlined resolution is arbitration, in which the dispute is handed over to a trusted private party hired to hear the evidence and render a decision. A major advantage of arbitration is that it is completely private. When the dispute involves exchanging important confidential information of both companies, this feature can be compelling.
Arbitration also allows the parties to pick the decision-maker, rather than take their chances with the court system. This is about more than just choosing a reliable and experienced former judge or senior lawyer. You can select for specific attributes like industry or technical background, or specialty in an area of law. And whoever is chosen, the arbitrator will be able to devote substantially more time and attention to the matter than the typical judge.
So why don’t companies in trade secret disputes always choose arbitration? There are some systemic drawbacks. One of those is that the decision of the arbitrator (or panel of three arbitrators) is almost always final, without the possibility of meaningful review through the court system. While that expediency can be an advantage in many cases, it also can create risks in trade secret disputes, where the range of possible outcomes can be large and unpredictable.
In one recent case from Texas, an arbitrator awarded $6 million to the founder of a company who had invested only a small fraction of that amount. On appeal from that decision, the court explained that it was powerless to do anything about it, even if the arbitrator had been mistaken about the law.
Besides offering only limited review of decisions, arbitration also typically restricts the kind and amount of available discovery—that is, the ability to get information from the other side in advance of trial. This can be a serious problem for a trade secret owner. Misappropriation rarely happens in broad daylight, and usually the facts are known only to the defendant. Although reasonable suspicion of theft is enough to make a claim, the plaintiff usually needs discovery from the defendant in order to prove what actually happened.
Whether because of this asymmetry of available proof, or some other aspect of arbitration that both sides find wanting, seldom do both companies in a trade secret dispute agree to arbitrate if their contract doesn’t require it. It is just too difficult to identify a mutual interest once a major disagreement emerges. Instead, one side or the other (and occasionally both) sees it to their advantage to stick with litigation.
But even within the framework of existing court procedures, there may be some opportunities to enhance efficiency in the interests of both sides. For example, in the case that I referred to at the beginning, I was acting as a “discovery referee” (also known in some courts as a “special master”). Basically, the judge in the case, with the approval of the parties, had outsourced the management of all pre-trial disputes over the exchange of information: document requests, depositions and the like. As with arbitration, private referees have more time to consider those specific disputes and to propose a resolution to the judge. Although more costly than using normal court procedures, a referee can move the discovery process much more quickly and efficiently, which is usually in the interest of both companies.
Several states, most notably California, even allow an entire civil case to be handled through trial by a private person, usually called a temporary judge, whose ruling can be appealed through the court system just like any other case. Unlike arbitration, however, this form of judging is private only in the sense that you get to pick (and pay for) the decision-maker; all the filings and hearings will be subject to the same rules on public access as apply to the courts.
The vast majority of trade secret disputes are resolved by an agreement of the parties, without a trial. In an upcoming article, we’ll look at the most effective way to make that happen: mediation, in which an experienced professional helps the combatants find success, often in ways they never would have discovered on their own. Mastering mediation is an art of its own.
It’s football season, so of course we should be talking about beer. Specifically, beer secrets. For fourteen years James Clark had an enviable job at Anheuser-Busch, where he had access to the brewer’s confidential recipes. For unexplained reasons he resigned. Instead of joining a competitor, he went to see a lawyer about planning a class action against his former employer for “intentionally overstating the alcohol content” of the company’s “malt beverages.”
Building his case would be a problem, however, without a copy of something mysteriously called “Page 13.” Having neglected to take this document with him when he left, he contacted a friend still working at Anheuser-Busch, who readily passed it on, even though it was obviously top secret. Apparently alerted to the disclosure, the company demanded that Mr. Clark certify, as required by his contract, that he had not used or disclosed any confidential information. He refused, and a few days later the class action lawsuit was filed. A week after that, Anheuser-Busch sued him for misappropriation of its secrets for making beer.
There are multiple ways we could now turn with this story. There’s the history of beer, which goes back over five thousand years, beginning with a wet and presumed ruined grain cellar that fermented into a happy ending. There’s the difference between corporate and craft beers. And then there’s the high cost of lawyers relative to beer.
But instead we’ll focus on civil procedure. Mr. Clark filed a motion to dismiss the company’s lawsuit, in effect suing them for suing him. This turnabout is called an “anti-SLAPP” motion, based on a California statute enacted in 1992. The law, which stands for Strategic Litigation Against Public Participation, was intended to punish those who file frivolous, but expensive, suits for the sole purpose of intimidating and silencing critics. A legitimate goal, you might say, since it protects freedom of speech. But then the First Amendment also guarantees the right to petition the government, including by filing litigation. So the legislature crafted a long, carefully worded set of instructions to judges, expecting that this would strike the right balance between competing interests.
But as happens so often, a higher law – that of unintended consequences – intervened. It turned out that far too many legitimate lawsuits were being shut down. So the legislature added a new law to cut back on the original. And then it layered on another a few years later, so that in addition to anti-SLAPP motions, we now have “SLAPPbacks” through which the frustrated plaintiff can recover its damages and fees against an over enthusiastic SLAPP-er.
Mr. Clark’s case has wound its way twice to the Ninth Circuit Court of Appeals, which is now considering whether Anheuser-Busch opposed his motion with sufficiently strong evidence that it actually had trade secrets for making beer.
In the meantime, Texas followed the lead of California and enacted its own anti-SLAPP law, called the Texas Citizens Participation Act. It applied to any lawsuit that seemed to target not just a person’s free speech, but also their constitutional right of association. In one notable case, a high-end restoration shop called Elite Auto Body sued former employees who formed a competing company, allegedly taking with them “proprietary client forms, such as payment sheets and vehicle check lists,” and unfairly using confidential information to recruit other employees. These allegations, the defendants argued, invoked their right of association among themselves and to speak freely during their recruiting.
The trial court denied the anti-SLAPP motion, but the appellate court reversed, holding that the TCPA applies in any action that involves “communications,” and that it requires the plaintiff to prove the substance of its claims – the misuse of its proprietary information – by “clear and specific evidence.” Here, the former employer, with no opportunity to take discovery, fell short. The action was dismissed and the plaintiff ordered to pay the defendants’ attorneys fees.
Cases like these are a reflection of the struggle in trade secret law to balance legitimate competing interests. For every employer that has invested in developing proprietary techniques to improve its business, there are employees that have accumulated skills on the job and would like to use them elsewhere. When they leave, the risk of disclosure or misuse may be high, but as a society we not only want to protect investment in innovation, but we also value a freely mobile workforce.
When I arrived at law school in 1970, the Freedom of Information Act was only a few years old. It was supposed to increase public understanding of the workings of government by providing access to records. But the vast majority of requests for information come not from ordinary individuals, but from lawyers representing the competitors of companies who have been required to file confidential information with agencies. Those agencies need the information to do their job, and FOIA has arguably made some companies reluctant to share data with the government.
Tensions abound in the courtroom too. We need a place to resolve disputes over trade secrets; but how can we do that when the courts are supposed to be open to the public? In cases of broad interest, like regulated industries, what should we be doing to protect the public’s right to know through media access? And what about trade secret injunctions? It’s not just departing employees or whistleblowers that need protection from overreach; sometimes the public does too. In one case a judge had to consider whether to shut down an ambulance service that was operating unfairly but was also relied on by a hospital.
Judges frequently have to weigh in the balance diametrically opposed but valid interests. Although this is true in many other areas, it seems woven into the fabric of trade secret law. We should be thankful that our independent judiciary does such a good job dealing with these conflicts and finding thoughtful, fair resolutions.
I’m sure that many people find it exciting to read about U.S. college athletics, although it’s hard to imagine how that could result in any trade secrets. But consider this: Andy Bitter, a former sports journalist covering the travails and triumphs of the Virginia Tech football team, was recently sued by his former employer, a local newspaper, for trade secret theft. The violation? Refusing to turn over the login and password for his Twitter account when he left.
Never mind that the account had been given to him by a previous writer and that he had renamed it “@AndyBitterVT” to reflect his personal devotion to Virginia Tech. According to the plaintiff Roanoke Times he was obligated by the company’s employee handbook to turn over all company property, and this necessarily included the Twitter account he had used to stay in touch with his fans (more precisely “followers” of which he had about 17,000). The information associated with the account was alleged to be worth $150,000. (One fellow journalist, commenting on the story, wondered out loud how a sportswriter’s tweets about a single college team could be “worth as much as a small yacht.”)
As often happens in trade secret cases, it seems that the plaintiff didn’t think this one through before filing. After all, they call it “social” media because people tend to form communities of interest online, and those who had signed up to follow Mr. Bitter’s commentary on their favorite football team were pretty unhappy about how he was treated by his former bosses. One of the scores of reader comments to stories about the lawsuit read, “You guys are out of your minds. I follow Andy Bitter, not you.” Subscription cancellations followed.
In spite of the mess it created, the Roanoke Times has reminded us of some important questions for industry in the information age. Who owns social media accounts? What role do they play in building competitive advantage? And how should companies manage their use?
In ancient times (that is ten years ago, before Facebook, Twitter, LinkedIn and the like), businesses could control their own messaging to the public, through advertising and public relations firms. Social media, like other aspects of the internet, disrupted and “disintermediated” this structure, allowing not just traditional journalists but everyone else with a computer or smartphone to step out in public and (occasionally) be heard. Companies (and a few politicians) recognize the advantage of this direct marketing opportunity and have jumped on the bandwagon with their own accounts and campaigns.
But then there are the hundreds of millions of individual accounts, including in the hands of employees. What new challenges do employers face as a result?
One of the biggest threats is to corporate information security. Social media companies have succeeded, through incessant and automated behavioral conditioning, in convincing an entire generation of workers that sharing is a good thing. And sharing more is even better. That is what many employees do in the evening on their smartphones: reveal everything about what is going on in their lives.
And then we expect them to come into the office the next morning and use those same devices – which by the way are connected to the company’s networks and databases – with mature, sober discretion? If someone wants to brag, why not talk about the cool (but unannounced) product they’re working on? If they want to complain, why not troll management (anonymously of course) for its blunders? And if an engineer faces a knotty technical problem on a project, why shouldn’t she just post a description to a Facebook group where other engineers can see it and offer suggestions?
The inclination toward sharing, reinforced constantly by social media, represents a serious challenge that can only be addressed through training and consistent management, providing the antidote of a culture of confidentiality. Click here to read my October 2016 newsletter about training, “The Most Cost-Effective Way You Can Protect Your Trade Secrets?”.
But getting back to the more specific set of problems reflected in the litigation filed against Mr. Bitter, the good news is that managing these accounts, and separating the personal from the corporate, is straightforward. It begins with establishing and communicating a company policy about the use and ownership of social media. Accounts created by the company, which can be usefully deployed for sales and marketing purposes and to enhance the company’s image, should be designated and named appropriately, with control over credentials and content just as with company networks and data.
It may be best simply to prohibit employee use of personal accounts for any company business. But if you allow it, employees should be obligated by contract to provide access and to transfer ownership and control when asked, or at termination.
Employees and contractors who are employed to create content need special attention, to ensure that what they do for you is designated a “work for hire” and that they have agreed to assign to the company all rights to the content.
A word about managing the risk of new hires. In addition to getting the usual assurances that they will not bring to the job any information that doesn’t belong to them, you may want to inquire about whether they intend to use any pre-existing social media accounts to help them in their new assignment.
As for suing departing employees over their Twitter accounts, be careful what you ask for. In addition to provoking the rage of many of his followers, the Roanoke Times was just countersued by Mr. Bitter for defamation. Remember, the emotionalism that drives trade secret litigation can take it in unpredictable directions.
It was late 2010. The technician, an American in northwestern China, was performing a software check on a wind turbine when he noticed something strange. After the diagnostic program finished running, the turbine was supposed to stop. But this time the blades kept spinning. The same thing happened at the next turbine at the wind farm. And the next, and the next.
Back at the headquarters of American Superconductor Corporation near Boston, the news confirmed executives’ worst fears. Their biggest customer, Sinovel, a Chinese wind farm company financed in part by the government, had recently refused to pay an outstanding bill and had canceled all future orders, citing what it claimed as poor quality and performance of AMSC’s software. That software had supplied the brains for Sinovel’s massive turbines, enabling an efficient flow of electricity into China’s electric power grid. But Sinovel had decided to build its own controller software and had already begun to install it.
The relationship had started out so well just four years before. Following the enactment of China’s first clean energy law, Sinovel had been launched to supply wind power to vast stretches of the country, and ultimately abroad. AMSC, originally formed to apply futuristic superconductor technology to high voltage transmission networks, had pivoted to the more mundane but still complex and profitable business of wind turbine controllers. Their agreement was heralded by the companies in a joint announcement as an“example of Sino-U.S. cooperation in the new energy area,” and both companies became wildly successful in a very short time.
As happens so often, the bilateral enthusiasm was overtaken by greed as Sinovel found a way to eliminate its partner from the business. AMSC had sent a team to China to help support Sinovel. Among them was a programmer named Dejan Karabasevic, a Croatian from AMSC’s Austrian subsidiary. Recently demoted from the design group, Karabasevic was unhappy – and vulnerable.
Sinovel encouraged him to leave AMSC, promising to pay him a million dollars over five years (along with an apartment, and, reportedly, a prostitute). His advance was only 15,000 euros, but it did the trick. Karabasevic resigned, but his supervisor asked him to stay on for a while, with full access to the company’s systems. This allowed him time to create a bootleg version of the AMSC controller software, and to transfer it to his future employer in China.
This was the software that evaded the AMSC technicians’ diagnostic tools and allowed the windmills to keep turning when they should have turned off. It would be some months before the company learned about their former employee’s treachery, but in the meantime it had lost almost 90% of its revenue, shed a billion dollars in shareholder equity, and had to lay off 700 employees.
A flurry of lawsuits followed, in China, the U.S. and Austria. Karabasevic quickly confessed and spent a year in jail but cooperated in AMSC’s pursuit of Sinovel.
In 2013 the Department of Justice joined in, indicting Sinovel and two of its Chinese employees. On January 24, 2018, after an 11-day jury trial, the defendants were convicted in Wisconsin federal court of conspiracy, wire fraud and theft of trade secrets under the Economic Espionage Act. On July 3 AMSC and Sinovel announced a settlement totaling $57.5 million, including a license for Sinovel to use the AMSC technology in its current model turbines. Within a week the judge sentenced Sinovel to a year’s probation, on condition that it pay the agreed amount.
Analysts have pointed out that Sinovel’s available cash had dwindled to less than $100 million, so the outcome was probably a good deal for AMSC under the circumstances. But after six years of litigation and proven losses of over $550 million, this was a “victory” only in a very relative sense.
What lessons can be drawn from AMSC’s experience dealing with a business partner that stole its most valuable information assets? The most obvious is probably not to let enthusiasm mask obvious risks when relying on one customer, particularly in a foreign country. When you are that exposed, your trade secret protection systems need to be proportionately robust.
Of course, you can also reduce risk of theft by continuous improvement of your technology, proving to your customer the futility of trying to compete. But for your crown jewels, you must control access as if the life of your business depended on it. Because it does.
Always remember that insiders (employees, embedded contractors and temporary workers) account for 90% of information loss. Be aware of circumstances that could turn their loyalty around, and manage accordingly. Don’t keep people on after they resign without carefully assessing the risk of their maintaining access to your systems and what you can do to mitigate that risk. More broadly, use data loss prevention software that can alert you to potential problems through real-time analysis of unusual behavior by those with trusted access.
And if you suspect actual espionage, call the FBI. There’s nothing to concentrate the mind like possible jail time.