One of the uniquely fascinating aspects of trade secret disputes is that they are laced with unbridled emotions, accusations of treachery, and actors who angrily disagree over basic facts. In other words, they provide a perfect metaphor for the year 2020.
Let’s take a look back at the cases this year that are worthy of comment, either because they involved some unusual set of facts or because they provide useful guidance for behaving better in 2021.
First, this year brought two massive verdicts in trade secret cases. February’s Chicago jury verdict in Motorola v. Hytera came in at $764 million, of which $418 million was for punitive damages. Then, in October, a jury in the New York case by Cognizant against Syntel awarded $854 million, including $570 million in punitives. Even more remarkable, the same trial counsel represented the plaintiffs in each case. Congratulations, Kirkland & Ellis! See, some people had a very good year in 2020.
A big award in another case got reduced, in Epic v. Tata, 971 F.3d 662 (7th Cir. 2020). The jury had awarded $240 million in compensatory damages and $700 million in punitives. The trial court reduced the damages to $140 million and limited the punitive award to twice that amount under the Uniform Trade Secrets Act (UTSA). On appeal, the 7th Circuit held that constitutional due process required a further reduction in the punitive award to $140 million. Still, the case is another reminder that unethical behavior (here, accessing a competitor’s data by misleading a customer) can lead to enormous awards.
In Ajaxo v. E*Trade, 48 Cal.App.5th 129 (2020), the court confirmed that it was acceptable to use the “Georgia-Pacific factors” from patent law in order to inform the damage analysis in a trade secret case.
One of the lingering questions since enactment of the Defend Trade Secrets Act (DTSA) in 2016 has been whether the pre-existing provisions of the Economic Espionage Act establishing jurisdiction over foreign misappropriation would apply to civil cases as well. The first decision analyzing this question came in January, in Motorola v. Hytera, 436 F.Supp.3d 1150 (N.D. Ill. 2020), ruling that the statute did apply where at least one act in furtherance of the “offense” occurred in the U.S. That ruling enabled the large verdict referred to earlier; but its continuing impact is potentially much broader, given the international character of many business relationships. And just to sharpen the point, the court in vPersonalize v. Magnetize, 437 F.Supp.3d 860 (W.D. Wash. 2020) ruled that the “act in furtherance” need not have been committed by the defendant.
To qualify information as a trade secret, the owner must show “reasonable efforts” to keep it confidential. Increasingly, courts are unwilling to excuse what looks like sloppy behavior by the plaintiff. In Amgen v. California Correctional, 47 Cal.App.5th 716 (2020), the court said that merely putting the word “confidential” on an email blast to 170 people wasn’t enough. And in a real sign of our times, the contents of a Zoom meeting among franchise owners lost confidentiality protection because the organizers did not require passwords or keep accurate track of who gained access to the call. Smash Franchise v. Kanda, 2020 Del.Ch. LEXIS 263. On the other hand, in Ultimate Timing v. Simms, 715 F.Supp.3d 1195 (W.D. Wash. 2020), the court found that an email request to treat information as confidential was sufficient.
The DTSA defines an owner as one who has rightful possession of a secret, such as through a license. So mere possession is enough to establish standing to sue, even though the plaintiff had developed the information under a “work for hire” contract that gave title to a third party. Advanced Fluid v. Huber, 958 F.3d 168 (3d Cir. 2020). But merely claiming ownership of a patent improperly derived from a trade secret does not invoke a question of “inventorship” under the Patent Act, so removal on that basis to federal court is improper. Intellisoft v. Acer, 955 F.3d 927 (Fed.Cir. 2020).
Taking someone else’s secret by “improper means” is unlawful. Back in the 1970s, aerial surveillance of a construction site was condemned by a judge as a “schoolboy’s trick.” The same expansive view of unethical business behavior animated the finding in Compulife v. Newman, 959 F.3d 1288 (11th Cir. 2020) that using “bots” to “scrape” information from the plaintiff’s publicly accessible website that was designed to provide data only to individual humans amounted to “improper means.” That said, in the more common circumstance of departing employees, early intervention by lawyers can help their clients avoid liability. In Flatiron v. Carson, 2020 U.S. Dist. LEXIS 48699 (SDNY), counsel advised, and the client adopted, a plan to reduce the risk of misuse of secrets by a former employee. As a result, the court rejected the plaintiff’s claim of “threatened misappropriation.”
Employee confidentiality agreements are typically viewed as fair and non-controversial. But if the employer gets aggressive and limits post-employment use of publicly available information, the nondisclosure agreement can be analyzed under the rules applicable to noncompete contracts, and declared unenforceable. TLS Mgmt. v. Rodriguez-Toledo, 966 F.3d 46 (1st Cir. 2020). In California, employee noncompete agreements have long been outlawed. But oddly for the first time this year, a California court ruled what should have been obvious, that the prohibition does not apply during the term of employment, when duties of loyalty justify imposing that restriction. Techno Lite v. Emcod, 44 Cal.App.4th 462 (2020). In another case dealing with California’s ban on noncompetes, the court held that strict application of Business & Professions Code § 16600 is applied only to employee agreements, not to contracts between businesses, which are examined under a rule of reasonableness. Ixchel Pharma v. Biogen, 9 Cal.5th 1130 (2020).
Because trade secret claims often come as a surprise to the defendant, and early procedural moves such as preliminary injunction applications can consume counsel’s attention, it is possible to overlook some of the finer points about litigation holds and other aspects of evidence preservation. But turning off an autodelete function on the defendant company’s email server is not viewed as one of the fine points. In Weride v. Kun Huang, 2020 U.S. Dist. LEXIS 72738 (N.D. Cal.), the resulting destruction of evidence justified terminating sanctions and a fee award. So, pay attention; you have been warned.
As we in the trade secret bar are fond of saying, ours is the only area of intellectual property where the subject matter is not laid out in a government document, and where a dispute may be the first time that anyone is required to articulate what the thing is. But even if a plaintiff as part of its sensible trade secret management program has made a list, you can be sure that it will be challenged in litigation as insufficient to inform the defense. Indeed, identification of trade secrets has become one of the most hotly contested aspects of any claim. There are legitimate competing interests at stake, and one of the positive developments in 2020 was the publication by the Sedona Conference of a Commentary addressing this singularly challenging issue.
While everyone is reading this helpful guide, the cases keep coming. In Jabil v. Essentium, 2020 U.S. Dist. LEXIS 24371 (M.D. Fla.) the court held it sufficient to define secret software by providing file names and paths for 16,000 files. Sometimes litigants use experts to explain that because they can understand the description, the court should approve it. But the expert’s elucidation itself has to be understandable. In Calendar Research v. StubHub, 2020 U.S. Dist. LEXIS 112361 (C.D. Cal.), the court rejected what it characterized as “a circuitous path of unexplained jargon.” By comparison, the judge in Caudill Seed v. Jarrow, 2020 U.S. Dist. LEXIS 94821 (W.D. Ken.) allowed the plaintiff to broadly claim a “knowledge base” derived from years of R&D.
Finally on this subject, I refer to the recent opinion in Inteliclear v. ETC, 978 F.3d 653 (9th Cir. 2020), not because it creates new law on identification, but only because some people think it does, and I respectfully disagree. The case is highly unusual because on the first day of discovery the defendant filed a motion for summary judgment directed at the insufficiency of the trade secret description. In opposition, the plaintiff provided additional information about its claim, but the trial court granted the motion anyway. On appeal, the Ninth Circuit held that the dimension of the plaintiff’s trade secret was an issue of fact that couldn’t be resolved summarily. The only real lesson of this case is never to challenge an initial trade secret description by an early motion for summary judgment; file a request for protective order instead. The case does not, as some have suggested it does, represent some new federal standard regarding identification of trade secrets.
Protecting trade secrets in litigation is a concern in many kinds of cases where sensitive information has to be presented and the parties confront the tradition and constitutional requirements regarding public access to courts. Those requirements are not absolute, of course, but proper balancing of interests requires careful observance of court procedures for sealing. In Uniloc v. Apple, 964 F.3d 1351 (Fed. Cir. 2020), the party filing its sealing motion was hardly discriminating; it asked the trial court to seal almost everything in the parties’ briefs, “including citations to case law and quotations from published opinions,” along with a number of exhibits containing publicly available information. When that motion to seal was denied, the litigant came back with a more restrained request, but the court denied it, and the order was affirmed on appeal. The lesson: on motions to seal, which can consume a great deal of the court’s time and effort, get it right the first time. And by the way, be scrupulously aware of variations in rules among district courts. In the Western District of Washington, for example, the sealing rules state that a request to withdraw material in case the motion is denied must be made at the time the motion is filed; asking for return of the material once you get a ruling is too late, and the information will be placed in the public record. Rydman v. Champion, 2020 U.S. Dist. LEXIS 51101 (W.D. Wash.).
It’s been a long, and occasionally very frustrating, year. Having made it through 2020, we can all use a bit of comic relief. Sometimes it shows up in trade secret cases, usually unintentionally. In PB Legacy v. Am. Mariculture, 2020 U.S. Dist. LEXIS 62947 (M.D. Fla.) we learn that trade secret protection extends to . . . shrimp. Who knew?
“The single biggest problem in communication is the illusion that it has taken place.” — George Bernard Shaw
The conversation begins,
“Can you keep a secret?”
“Yes, of course,” they say.
What happens next? Naturally, you tell them what it is that you are going to trust them with.
That’s the way it happens in personal relationships. In business, it’s usually more complicated. And it depends a lot on who you’re talking to.
Let’s first consider the employee confidentiality agreement. In some smaller businesses, especially in the “low tech” economy, employee non-disclosure agreements (NDAs) may not be necessary, because workers neither create nor are they exposed to company secrets. But if you’re making things from a private recipe, or if employees learn sensitive information about customers, it’s a good idea to have these contracts. And if you’re in a knowledge-based industry, they’re more or less essential.
With the NDA (and related agreements like invention assignments) in place, the employer feels comfortable sharing all the information that the employee needs to know to do their job. But what do these agreements actually say about what the confidential information is? In other words, what do they tell the employee about what it is that they’re supposed to be protecting?
The answer usually is “not much”. Crafted by lawyers or copied from a form, employee NDAs can be hilariously broad, citing categories of data that have no relationship to what the person is actually doing. It’s common to see a definition of “confidential information” that “includes but is not limited to” 30 or more topics ranging from “ideas” to “techniques” to “samples” to “know-how” to “sketches” to “formats” to “business models” to “documentation” to “research”. Got it? I didn’t think so.
Despite the ubiquity of employee NDAs, and their usefulness – in the abstract – as a reminder that the relationship is confidential, some courts have started reading them closely and finding some that sweep too broadly to be enforceable. After all, unless restrained by a noncompete agreement, an individual should be free to take another job and use their accumulated general knowledge and skill. And yet, it’s not possible as a practical matter to customize the NDA for each of hundreds or thousands of employees whose job responsibilities are likely to change over time.
So, what’s an employer to do? The answer lies not so much in the contract – although there’s probably room to increase clarity of expression. Instead, the most appropriate way to communicate to employees about what they are expected to protect is through training. This instruction can take many forms, including published rules, online tutorials and in-person lectures and role playing. The goal is to imbed understanding of what kinds of information provide the company with its competitive advantage, the security risks that the business confronts, and what employees can do to reduce those risks.
Ideally, training extends beyond early orientation and continues, in varied contexts, throughout the period of employment. Well informed about what the company believes to be its most important data assets and how they may be threatened, the employee will be far more likely to proactively protect those assets. And they will be less likely to confuse the employer’s secrets with the personal skill they are entitled to take to the next job.
But it’s not just the workforce that needs clear communication about secrets. In the modern economy businesses have to entrust sensitive information to vendors, for example, to enable design and manufacture. And customers may be given early access to unreleased products. In these relationships, we find some of the same communication problems as can occur with employees. But instead of the definition of what’s confidential, the issue is more often about what they’re supposed to do with the information.
One of the more common provisions of a commercial NDA requires the party that receives the secret simply to protect its confidentiality in the same way that it protects its own. That sounds good, but way too often the disclosing company has no idea what the recipient’s information protection program is, or how well it is executed. So rather than just accept the “boilerplate” language and assume that everyone treats their secrets as you do, it may be more prudent to state specifically what controls you expect them to use, and what mechanism (such as an audit) you can invoke to ensure compliance.
And then there is the collaboration partnership or joint venture, where two organizations have swooned over their compatibility and the synergies that promise a successful outcome to the project. The mutual infatuation can lead to dangerous assumptions about division of responsibility and particularly about ownership and control of innovations, or at least credit for them. Remember that these relationships are designed to be temporary, and the inevitable divorce has to be negotiated at the same time as the impending marriage. It helps to be clear-eyed about these things and to discuss them in advance.
But by far the most common sources of misunderstanding are potential acquisitions and license transactions. Here, the parties have a legitimate need to share information in confidence, but an equally legitimate basis to fear that it will lead to trouble. For the acquisition target or potential licensor, there is the risk that the suitor will take a close look at the technology and then walk away in favor of another target or an internal project. And on the other side there is always concern that looking too closely at these external opportunities will contaminate your best engineers or scientists with unwanted information, making it difficult for them to prove that what they develop later was done independently.
The level of risk, on both sides, varies with the intensity of the due diligence that is required to inform the transaction. And this is where robust communication comes in. It’s to the advantage of both participants to discuss risk openly, and to explore ways in which they may be able to reduce it, for example by exposure to the secrets in small steps. If a no-go decision can be made based on access to a smaller dataset, then the two sides can more easily part ways without the threat of litigation.
The common theme in all these situations is the need to work towards a clear and common understanding. Even in a close, trusting personal relationship we know it’s a mistake to assume that our partner knows what we’re thinking. In business, if you’re going to allow someone access to important information, it is usually a good idea to help them understand what it is that you consider to be sensitive.
In the wake of urban unrest in the early 1960s, local governments imposed nightly youth curfews, and a Massachusetts legislator suggested that all radio and television stations begin their 10:00 evening programming with an announcement: “It’s 10:00 PM. Do you know where your children are?” The phrase was quickly picked up across the country and became a common (and sometimes mocked) cultural artifact of the era.
The idea that parents need to be reminded of their responsibility for their children’s safety and well-being may seem quaint or silly. But parents can get distracted, and there’s little harm in prompting someone to pay attention to a risky circumstance.
For modern business, if you can indulge the metaphor, we may think of data assets as the children of the enterprise, at least in the sense that valuable information is vulnerable to loss or compromise. Reminding companies of the need to be vigilant makes a lot of sense.
That is exactly what the Securities and Exchange Commission has tried to do with its December 2019 Guidance on “Intellectual Property and Technology Risks Associated with International Business Operations.” Although specifically directed at public companies, the advice is equally applicable to private corporations and startups, since management always has a fiduciary obligation to care for corporate assets.
The document begins with an observation applicable to almost every business. “The increased reliance on technology, coupled with a shift in the composition of many companies’ assets from traditional brick-and-mortar assets towards intangible ones, may expose companies to material risks of theft of proprietary technology and other intellectual property, including technical data, business processes, data sets or other sensitive information.”
These risks, the SEC points out, are particularly acute when doing business in foreign countries or dealing with foreign partners. However, the underlying concern is comparable for many domestic transactions, where information has to be shared with others in order to extract value from it. We might expect that the SEC will at some point broaden its guidance accordingly.
In the meantime, having been reminded that it’s a dangerous world out there and that our trade secrets need careful monitoring, how do we even begin to think about it? In other words, how do we know what secrets we have in the first place? And since we’re talking about any competitively useful information, how do we get our arms around the potentially millions of bits of it that help drive the success of any single company?
This is where the parent/child metaphor becomes a bit challenging to apply. Measured against most of the rest of nature, humans tend to have just a few offspring, making it relatively easy to keep track of them. The most fecund of invertebrates, the ocean sunfish, can produce 300 million eggs at a time, although only a tiny fraction of them are fertilized. But consider the African driver ant, where a single queen can lay 3 to 4 million eggs a month, most of which actually hatch. How can she possibly know where they are, no matter what time of day it is?
Let’s leave this fascinating metaphor by recognizing that businesses don’t need to specify each discrete piece of data, but only the ones that matter, what we often refer to as the “crown jewels.” When thinking of trade secret management, don’t fall prey to the notion that you have to identify everything that could prove useful to the business. Even a hardware store doing inventory doesn’t count individual nails. You can count all of your patents, but not all of your secrets – at least not comprehensively.
In an earlier article, we looked at a process of risk analysis to inform a company’s trade secret program, balancing value, threats and mitigation options. That process naturally begins with understanding the dimensions of the property that you’re dealing with. So how do you do that?
A number of tools have appeared in recent years to help companies create a secure “catalog” of secrets. For example, “WIPO Proof,” offered by the World Intellectual Property Organization, provides the ability to time stamp a file to later prove its existence, using blockchain technology. Other services add forms and checklists to enable a company to sort its secrets by priority. But I believe that the most promising emerging methodology consists of a guided process for creating a flexible catalog that describes assets sufficiently to communicate real value, but without disclosing them.
One example of this approach is the Trade Secret Registry. (Disclosure: I have helped to design this system.) Assets of the “crown jewel” variety are defined through a descriptive label tagged permanently to a file that contains the details and remains undisclosed. Relative values are established in a way that does not compromise future litigation. Room is provided for additions and modifications that reflect product lifecycle management.
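As an added illustration (not part of the original article, and not a description of how WIPO Proof or the Trade Secret Registry is implemented), this Python example shows one way a catalog entry can bind a descriptive label to a file that stays undisclosed, and later prove that the file existed unchanged. The names `Catalog`, `commitment` and `entry_hash`, the HMAC commitment and the hash chain are assumptions chosen for the example, and the sample contents are constructed.

```python
import hashlib
import hmac
import json
import secrets

GENESIS = "0" * 64  # "previous hash" value used by the first entry


def commitment(label: str, content: bytes, nonce: bytes) -> str:
    """HMAC-SHA256, keyed by a private nonce, over the label and the file content.

    The nonce stops an outsider from confirming a guess about short or
    predictable content; including the label ties the description to this file.
    """
    mac = hmac.new(nonce, digestmod=hashlib.sha256)
    encoded = label.encode("utf-8")
    mac.update(len(encoded).to_bytes(4, "big"))  # length prefix keeps the fields unambiguous
    mac.update(encoded)
    mac.update(content)
    return mac.hexdigest()


def entry_hash(entry: dict) -> str:
    """SHA-256 of an entry's canonical JSON form, used to chain entries."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class Catalog:
    """Shareable catalog: labels and commitments only, never the secret content."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def register(self, label: str, content: bytes, recorded_at: str) -> bytes:
        """Append an entry and return the nonce, which is stored with the secret file."""
        nonce = secrets.token_bytes(32)
        self.entries.append({
            "label": label,
            "commitment": commitment(label, content, nonce),
            "recorded_at": recorded_at,  # self-asserted; see head() for external anchoring
            "prev": self.head(),
        })
        return nonce

    def head(self) -> str:
        """Hash of the newest entry. Assumption: this one value is what gets
        submitted to an independent timestamping service."""
        return entry_hash(self.entries[-1]) if self.entries else GENESIS

    def chain_intact(self, anchored_head: str) -> bool:
        """True if no entry was edited, removed or reordered since anchoring."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            prev = entry_hash(entry)
        return hmac.compare_digest(prev, anchored_head)

    def proves(self, index: int, content: bytes, nonce: bytes) -> bool:
        """True if content and nonce reproduce the commitment recorded at index."""
        entry = self.entries[index]
        expected = commitment(entry["label"], content, nonce)
        return hmac.compare_digest(expected, entry["commitment"])


def demo() -> dict:
    """Run the flow on constructed sample data and return the check results."""
    catalog = Catalog()
    secret_file = b"constructed sample: cure 40 min at 180 C"
    nonce = catalog.register("Coating cure schedule", secret_file, "2020-01-15T09:00:00Z")
    catalog.register("Supplier pricing model", b"constructed sample: tiers", "2020-02-01T09:00:00Z")
    anchored = catalog.head()

    results = {
        "original_file_verifies": catalog.proves(0, secret_file, nonce),
        "altered_file_verifies": catalog.proves(0, secret_file + b" (edited)", nonce),
        "chain_intact_before_edit": catalog.chain_intact(anchored),
    }
    catalog.entries[0]["label"] = "Relabelled after the fact"
    results["chain_intact_after_edit"] = catalog.chain_intact(anchored)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The catalog can be shared with an insurer, lender or auditor because it contains no secret content; the nonce must be stored with the same care as the file itself, since both are needed to open the commitment.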
Ideally, a trade secret catalog should establish the basis not just for informed decisions about access and other risks, but also about unlocking the value of the asset through internal development or other commercialization. We are past the time when the classical corporate patent committee passed innovations only for patenting, leaving trade secrets on the scrap pile. Now, systems for tracking secrets need to enable proactive management to be sure that commercial value is realized.
One dimension of these more robust systems is the ability to bring previously nebulous trade secret information into a category of “recognized” assets that can be insured and also used as collateral for loans. Specifically, companies that certify the integrity of the cataloging process can also act as intermediaries to procure insurance against trade secret loss or liability. And they can deploy the same assets to procure non-dilutive debt financing.
Do you know where your trade secrets are? Finding out may put you ahead of the next SEC bulletin. And it may actually be easier than tracking your own kids.
When people say that “data is the new oil,” they’re talking about new ways of creating wealth. No matter what business you’re in, success today depends on learning everything you can about your customers and competitors. And there’s so much information sloshing around the internet, every industry—from restaurants to manufacturers to sports teams—is busy extracting insights from “big data” analysis.
But, like drilling for oil, prospecting for data sometimes gets your hands dirty. Recently, a court ruled that a startup company providing life insurance quotes to consumers had created its database – the engine of its business – by taking data from an existing company (Compulife) that had built theirs from scratch. The new company didn’t break in and steal the whole thing. Instead, it used robotic software to “scrape” the information from Compulife’s website, by pretending to be a member of the public – actually by pretending to be 43 million members of the public, which is how many rate quotes they were able to extract in only four days.
Having pumped out all that data, they were able to understand the competitor’s system and replicate it. When hauled into court, they shrugged their shoulders and pointed out that the source website was open to the public and they were just gathering what was readily available. Surely, they argued, this couldn’t be trade secret misappropriation because the information wasn’t secret. Not so fast, said the court. Compulife expected that real individual people, not swarms of automated “bots,” would be using their website. The data, it concluded, had been acquired by “improper means.”
Peter Toren, a fellow trade secret practitioner, recently penned a two-part article lamenting this decision. While I very much respect Peter’s views, on this one I firmly believe he was wrong and the court was right.
Whether or not information can be gathered from the internet this way is obviously important. But the issue is not so much about bots and data as it is about your Mom.
Stay with me here, you’ll see what I mean.
Back in 1970, the DuPont company was building a new chemical plant. If a competitor could get into the building site and examine the layout it could understand important aspects of DuPont’s secret processes. So, DuPont erected a fence around the perimeter, with guards and no-trespassing signs. One day the construction manager noticed a plane making multiple passes at an altitude low enough to read the registration number. It turned out that a rival company had hired the pilot to fly over the site and take pictures.
Faced with a lawsuit, the competitor claimed that the construction was in “plain view,” and it had broken no laws. The judge wasn’t impressed. DuPont shouldn’t have to erect a tent over the worksite to prevent what it called “a school-boy’s trick.” This should be no surprise, he explained, because “our ethos has never given moral sanction to piracy” and the “marketplace should not deviate far from our mores.”
Four years later, the U.S. Supreme Court relied on the DuPont case in describing why we enforce trade secret rights. It said that the “maintenance of standards of commercial ethics and the encouragement of invention” are the twin policy pillars of trade secret law, reflecting the “necessity of good faith and honest, fair dealing” in business.
Five years after that, the first version of the Uniform Trade Secrets Act was published, and it defined theft as including acquisition of information by “improper means.” The identical standard applies under the more recent federal law, the Defend Trade Secrets Act. And both of those statutes say that “improper means” “includes theft, bribery, misrepresentation, breach or inducement of a breach of a duty to maintain secrecy, or espionage through electronic or other means.”
In much of the IP world, we love bright lines and sharp edges. For example, to attack a patented invention for lack of novelty, it’s enough to find an academic paper covered with dust in an obscure library. Publication is sudden death. Predictability is highly valued.
Perhaps that’s why some IP lawyers find trade secret laws to be uncomfortable, because they are so, well – flexible. Perhaps this is why my friend Peter misread the Uniform Trade Secrets Act (UTSA) and Defend Trade Secrets Act (DTSA) as restricting “improper means” to a closed set of behaviors, rather than providing a list of examples, which the official comments to the UTSA describe as “a partial listing.” Perhaps that’s why he claimed that the Compulife case was the “first appellate decision in more than 50 years that has relied upon” the DuPont case, when the Supreme Court had leaned on it so firmly back in 1974.
Trade secret laws in the U.S. grow from our common law tradition, in which judges wrestling with novel arguments end up adding bricks to the edifice of principles. The foundation of it all, as the Supreme Court said, is the idea that business behavior should be ethical. And as we all know, ethics is highly contextual and situational. Faced with trying to regulate our own personal conduct, we have to be content with suggestive questions, such as “would you be comfortable with this appearing in the front page news tomorrow morning?” or – this is my favorite, and what I promised you earlier – “what would your mother think if she were looking over your shoulder right now?”
It’s not just the idea of “improper means” that imposes flexibility on trade secret law. Other key concepts are similarly driven by context. For example, we require that the trade secret holder have exercised “reasonable efforts” to maintain control over information it claims as a trade secret. We disallow protection for information that is “readily ascertainable,” but only when it can be ascertained “by proper means.” And we approve of reverse engineering (taking something apart to discover how it works), except when the thing was acquired unfairly.
None of this should be particularly troubling in the abstract, since we all (or the vast majority of us) want to be ethical actors. But the law keeps us on our toes with its ambiguity. Saving space to condemn creative thieves means that we risk getting in trouble if we go too close to the line, such as it is. This risk is made more complex by changing context. Today, DuPont would be out of luck trying to keep its construction site private, what with Google Earth and other satellite imagery.
Indeed, with rapid advances in technology we regularly introduce not only useful innovations to serve society, but also tools that can be used to capture another’s competitive advantage. The public-facing website resting on a large database gives us a good example of the conundrum. How do we balance the rights of those who want to make useful information available in limited ways against those who claim the right to use what can be found in plain sight?
As I’ve already explained, from the legal perspective, I think that the court in the Compulife case got it right, because what the startup did seemed unfair and improper. But how do we translate this modern version of the DuPont case into some guidelines for handling data in the age of ubiquitous data? What can owners of collections of useful data do in order to keep control of their competitive advantage?
First, where the commercial relationship is business to business, rely on carefully drafted contracts to limit the risk that the other party may misuse the information to which they’ve been given access.
Second, in a more public-facing environment, use not only restrictive EULA’s (end user license agreements) but also technical measures to make data extraction difficult, at least where this is possible without degrading the usefulness of the product or service being offered.
Third, make it obvious to any user that you don’t want your data misused. Provide warnings that are impossible to miss, like the “no trespassing” sign hanging on the fence. If this ever turns into a legal fight, the court will likely be impressed by evidence that the defendant must have known he was stepping over a line.
And what about those of you who are looking for creative ways to gather data? Whatever you’re thinking of doing, know that Mom is watching.
Tuning in to the recent sentencing of Anthony Levandowski for criminal trade secret theft, I was reminded of the wise observation about relationships, that remembering the ending is a way to forget about the beginning. But while that way of thinking can be a salve for the heart, it’s not so helpful when it comes to the kind of critical self-analysis that we need to improve our behavior, or at least certain outcomes, in business.
It’s natural for us to be attracted to the drama of trade secret litigation. These cases typically involve claimed treachery of some kind, contrasted against an alternate narrative of entrepreneurship and helpful market disruption. Indeed, as I have often remarked to my students, trade secret cases are a trial lawyer’s dream, because you are dealing with the kind of emotional issues that can draw in a jury and make it easy to keep attention focused on the story you’re trying to tell.
So it was with Mr. Levandowski and his fall from grace as the wunderkind of autonomous vehicle technology. Having led Google’s project since its founding in 2009, he was the primary target of interest for another high-profile young Silicon Valley founder, Travis Kalanick of Uber. Even though Kalanick knew that Levandowski had taken confidential Google documents when he left, they went ahead with an almost $1 billion acquisition of Levandowski and his truck startup. When Google sued, Uber claimed it was clean, but Levandowski refused to testify, and so we all were assured of some riveting theater. Indeed, until the case settled four days into trial, it was the hottest ticket in San Francisco, with spectators lined up around the block.
And the drama didn’t end when the two corporations reached a deal giving Google $240 million in Uber stock. The judge referred the case to the U.S. Attorney, who charged Levandowski with criminal trade secret theft. In what appeared to everyone as the denouement of a Silicon Valley tragedy, Levandowski finally spoke, describing his regret to the judge, who sentenced him to 18 months in federal prison (delayed so he wouldn’t be exposed to Covid).
Although trade secrets are ubiquitous in almost every modern business (think about data as an asset class), we tend to focus our attention on the disputes, especially the ones involving departing employees. But that’s not really where most of the action is — certainly not the action that matters. While the high-visibility cases can provide teachable moments (and Levandowski’s is a good example), they can also distract us from the everyday transactional work we do for our clients.
Having in mind that it is so much better to avoid litigation than to win it, let’s take a look at some typical business transactions that in my experience are the most common source of problems, even though usually less dramatic than what happened with Uber.
Where can lawyers have the greatest impact in preventing trade secret disputes? I believe it is the lowly confidentiality agreement, or NDA. This kind of contract is so widely used in information sharing that we tend to think of it as a simple form, rather than something important to negotiate. My NDA or yours? It doesn’t matter; let’s just get this part done so we can start looking at what you’ve got.
Where are the risks? Initially, it’s in becoming exposed to something radioactive without knowing in advance what it will be. One way to address this is to begin without any secrecy, insisting that the discloser give you enough information for “free” so you can make an informed judgment about how dangerous it might be to see some aspect of the secret design or process. In that case, you should confirm in writing that the exchange is non-confidential.
If you decide to get exposed, your primary risk is in the scope of what is agreed to be confidential. The “form” NDAs simply say that there will be an exchange of information considered by each side to be confidential. Especially if you are likely to receive a lot of information, it’s in your interest to be as specific as possible about what it will be. Besides the usual exceptions – publicly known, later disclosed without fault, previously (and provably) known to the recipient, or later learned without fault – there may be ways to limit exposure, perhaps through stages of increasing disclosure, pausing to assess risk (on both sides) before you go on.
Most securely, all confidential information should be expressed in a document with a prominent label. But typically, a significant portion of it will be transferred in meetings, and so you should negotiate how that will be handled. If you agree that verbal disclosures must be confirmed in writing within a certain time, then the discloser has to ensure that document is prepared and delivered, and (this is where a lot of trouble happens) the recipient has to be ready to review it and object where the description is not accurate.
What is the recipient going to do with your data? The typical form just says it will be used only to assess a potential transaction. But are there more specific ways that you can maintain control, such as limiting exposure to specified individuals? Should those people be required to sign separate NDAs? Are there other handling instructions that might be negotiated to reduce the risk of misuse or disclosure? For the disclosing side, beware of the “residuals clause” that allows those who are exposed to use any information “retained in unaided memory,” which amounts to a license to your data. Some large organizations may believe they need this protection, but you should be aware of the consequence.
The issues to negotiate are almost limitless, as the discloser tries to maintain maximum control and the recipient tries to avoid unnecessary restrictions on its future plans. The point is to treat this as you would any other commercial transaction and be clear about issues such as term and termination, choice of law, choice of forum and remedies.
One specific area of negotiated confidentiality that often leads to litigation is in mergers and acquisitions. Whether the objective is to acquire a company or a license to some technology, the terrain is treacherous, because so much is at stake. The acquisition target or potential licensor is in an obviously precarious position, because a large part of its value may consist of secret information, and if that’s disclosed to inform a transaction that never happens, it has been harmed by an undefinable loss of control over that asset. As for the other side, an honest attempt to assess value may end up exposing some of its best people to secrets that limit their freedom to operate if the deal isn’t done. Legal counsel acts as the choreographer of a very delicate dance through the “due diligence” process, attempting to identify and mitigate a range of risks.
Meanwhile, the client wants to get the deal done (or withdraw and move on), putting a premium on speed. This external pressure can lead to sloppy behavior. For the target/licensor, it usually means excessive disclosure and access by more people; and for the acquirer, it most often means bringing people into contact with the deal team who were supposed to be walled off. Here, in contrast to the basic NDA situation, the issues are mostly about execution, not negotiation of confidentiality. Litigation results when the deal is terminated, with one side feeling jilted and the other infected with information it may wish it didn’t have. Preventing trouble consists of anticipating those outcomes and reducing the peril by focusing on strict compliance, recordkeeping and robust communication.
Closely related to the acquisition is the potential collaboration. In this transaction, each side feels that it has a lot to offer and a lot to gain from the relationship. Indeed, like a romance, both may tend to be a bit infatuated and as a result overlook some of the ways in which the transaction can hit the rocks. In my experience this happens most often through a casual attitude about ownership: that is, who owns what the venture has created, which side (or individuals) get credit for it, and where lies the boundary between that creation and what each company brought to the party, in terms of pre-existing technology. Again, part of this is about providing for these stresses and risks in the contracting phase, anticipating that this relationship will end at some point. But equally important – and an opportunity for counsel to add value – is the management of the effort, to help prevent misunderstandings and ensure that records are clear and consistent.
Finally, a great deal of trade secret litigation can be avoided through careful onboarding of high-level employees. This brings us back to Uber and Levandowski. The latter’s star shone so bright that Uber was prepared to do almost anything to bring him over. One reflection of that intense interest was its granting Levandowski an indemnity – that is, a guarantee that Uber would shoulder the risk – for what the deal documents called his “Bad Acts” in having downloaded all those confidential documents. (Yes, they actually defined his behavior in the contract as the “Bad Acts,” with initial caps.) But they went even further, and gave Levandowski another indemnity, this one for any use he might make of “information . . . retained in [his] unaided memory.” Recall the “residuals clause” that some companies try to get in an NDA to give them a free pass? In effect, Uber gave that pass to Levandowski to use any of Google’s secrets he happened to remember.
Rarely does an act of onboarding senior talent become that reckless. But it stands as a clear lesson that a great deal of trade secret litigation is much more easily prevented than won. At the transaction stage, the risks may seem distant, but disciplined thinking and careful management will pay dividends. The trade secret trial may be a fascinating morality play. But let it be someone else’s drama.
Back in ancient times, in this case 1990, John Gray, an obscure “relationship counselor” with a correspondence degree in psychology, was perplexed. The communication problems of the heterosexual couples he worked with were so serious that he couldn’t explain them by individual circumstances. His clients seemed to be talking past each other, almost as if they were coming from different planets. With that tired metaphor in mind, he penned the book Men Are from Mars, Women Are from Venus, generalizing what he thought were the universal, contrasting communication styles of the sexes.
Rarely has a book so widely panned by critics been so successful. Despite its obvious stereotyping, indeed sexism, sales have exceeded 15 million copies in 43 languages. The book spawned a Broadway show, a TV sitcom, and innumerable weekend seminars. Mr. Gray has continued to plumb the shallow depths of his thesis with several follow-on volumes. In effect, he has become rich by talking about how incompatible men and women are, despite eons of evidence to the contrary.
In our world of intellectual property, it once was like this between patents and trade secrets. The early common law concept of trade secrets, summarized in the 1939 Restatement of Torts, appeared to limit coverage to machines or processes run behind closed doors. But as courts began to embrace the idea that any valuable business information deserved protection, some academics raised the alarm that secrecy was moving on to the turf previously reserved for patents. How, they asked, could the same innovations be regulated simultaneously by a system that encouraged public disclosure and another that enforced private confidentiality?
The conundrum was especially difficult because of the very different pedigree of patents and trade secrets. While the former system was governed by a federal statute and grounded in the Constitution, secrecy was nothing more than the collective observations of judges expounding on notions of state law. Indeed, trade secret law was a mongrel, with parentage vaguely traceable to principles of tort, contract, employment and unfair competition law. Surely, the academics argued, there was no room in our carefully crafted federal system for this state-law carpetbagger. Patent law must preempt it.
A few judges agreed, and the issue eventually made its way to the U.S. Supreme Court, which in 1974 issued its opinion in Kewanee Oil Co. v. Bicron Corp. I can recall the day when as a relatively new lawyer I saw a partner sitting at his desk reading the advance sheets with unusual intensity. I asked him what was up, and he said, “The Supreme Court has said we can still have trade secret law.”
I came to study that opinion very carefully over the years, and it remains for me one of the best examples of a decision reaching the right outcome for a wrong reason. Basically, the court said that the federal patent system was not losing any business to trade secret protection. If someone had an invention that was obviously or likely unpatentable, the public lost nothing if it was kept secret. And while patents grant the right to exclude, trade secrets are “weak” because of the risk of independent invention. Therefore, the court assumed, anyone with a clearly patentable invention would never choose secrecy, so there was nothing in this parallel form of protection that would interfere with the integrity of the federal patent system.
The assumption that no one in their right mind would choose secrecy for a patentable invention was, and is, demonstrably wrong. Process technology, for example, has classically been protected as a trade secret, largely because it is so difficult to detect infringement by a competitor.
In any event, one of the concurring judges pointed out, patents and trade secrets had been in coexistence for almost 150 years, with Congress occasionally amending the patent laws without ever muttering a word about secrets.
So, we are allowed to simultaneously enjoy a disclosure-oriented patent law alongside a separate system that enforces secrecy. This is where we come back to the theme of Mr. Gray’s book. While generalizations about the sexes may be neither accurate nor appropriate, patents and secrets are so different in so many ways that it seems remarkable to me that they work in parallel, not to mention that they can each contribute to a company’s IP strategy.
Understanding the differences can help us appreciate the complementary relationship and make better use of each. Here are some observations that should be useful.
Patent law is legislated, while trade secret law is constructed by judges. This is less true than it was 40 years ago with the introduction of the Uniform Trade Secrets Act, but only slightly less so. The UTSA official comments declare that it was designed to codify the common law. The model statute, like the more recent federal Defend Trade Secrets Act which was based on it, is very short, certainly relative to the patent statute. If you want to understand trade secret law, you have to read the cases, because the foundation was built on individual judgments about ethical business behavior.
Patents are rules-based, while trade secrets are principles-based. This difference is closely related to the first. The reason the UTSA is so short is that the balancing of competing interests – for example, between employer and employee – inherently requires interpretation of ambiguous circumstances and application of ethical and moral judgments. With most patent cases, the path to a decision can be laid out in a flowchart. Which is not to say that patent cases are easy; but they are more predictable.
Patents are not about fault, while trade secrets are all about fault. As an attorney, preparing a patent case for trial to a jury can be challenging, as you search for the human-interest element that will sustain attention through an otherwise fairly dry presentation. In stark contrast, almost any trade secret case will capture the jury with its inherent focus on themes like treachery, abandonment, jealousy and revenge. No problem keeping everyone awake for that.
Patents are narrow and specific, while trade secrets are broad and vague. I sometimes use the metaphor of a large storage room, filled up to the ceiling with a physical representation of the data assets that help distinguish any business – R&D, financial plans, secret processes, road maps, customer preferences – and point out that, for most companies, the relative size of their patentable inventions might be equivalent to a grapefruit or maybe a basketball. There’s a lot there that potentially deserves protection, and the trick is in discerning what matters most, and then managing to maintain control over its integrity.
Patents are defined, while trade secrets are assumed. With a patent you get a government-approved description of the invention. You can show patents to investors. You can count them. You can flaunt them, to keep competition at bay. But secrets are usually not defined until you have to do it because (most often) you are in litigation over them and a judge tells you to. This is not ideal, of course, and in recent years I have seen this difference narrowing, as businesses pay closer attention to proactive management of secrets. What used to be the Patent Committee is now the Innovation Committee, and the most sophisticated companies are implementing specific business systems to identify and manage their critical information assets.
Recognizing all these differences should help us exploit them, to find synergies that can supercharge our IP strategies. Remember, all patents start out as secrets. And you don’t necessarily have to choose one or the other exclusively, as there are aspects of most products that suggest using both (as well as other forms of IP). Yes, patents and trade secrets come from different planets, but they are joined in a valuable, and creative, orbit.
“Although China has for some time now shown interest in trade secret reform, this week’s trade secret draft Judicial Interpretation undoubtedly was motivated in part by recent trade negotiations, including the Phase One Agreement. But this most recent pronouncement seems in some respects to go beyond what was required.”
It happened to Japan in the 1950s. Then it happened to Taiwan, and then Korea. Rapidly developing countries started out relying on copying foreign technologies to drive their economies. But as growth increased and investments in education led the way to domestic innovation, each country found that a framework of strong intellectual property (IP) laws was necessary to sustain economic expansion.
For many years, the relationship between China and the United States (as well as other Western countries) around IP has felt like pulling uphill on a very heavy wagon, as we tried to convince, cajole and threaten, often demanding reforms as part of trade negotiations. The relationship with China was further weighed down by the perception that the government was itself involved in misappropriation and that in general it was a proponent of weak IP protection. This past January, in the midst of a tariff war, China signed the “Phase One Agreement” that promised certain improvements in its trade secret regime in return for the United States dialing back some of the trade pressure.
Given this history of adversarial trade negotiations, it came as something of a surprise when on June 9 China’s Supreme People’s Court (“SPC”) issued an extensive draft “Judicial Interpretation” (“JI”) of the country’s civil trade secret laws. (It released two other JIs at the same time, related to internet IP and e-commerce platforms.) JIs are quasi-legislative enactments of the SPC that can have the force of law. In a number of areas, the new trade secret pronouncement not only went beyond what had been promised in Phase One, but included some provisions that seem more creative and sophisticated than the analysis we might find in many U.S. court decisions.
Until a more formal translation is available, the best resource for understanding this new development is the China IPR blog by Mark Cohen of Berkeley Law, who for years was the USPTO’s senior counsel for China and who speaks and reads Mandarin. See his post on the JI here.
Does this mean that China, like other Asian countries before it, has finally turned a corner and is now strengthening its IP system to meet its own interests, rather than being pressured to do so? Is it now pushing where we in the past have been pulling? Perhaps. But a couple of caveats are in order before we take a look at the most remarkable provisions of this JI. First, it was published as a draft for comment (the period ends July 27), so it’s likely there will be changes. Second, we are working from a preliminary translation of the JI. Third, the Supreme People’s Court doesn’t have direct control over administrative or criminal procedures where some trade secret cases are resolved. However, the recent consolidation of all technology-based IP disputes into the IP specialty court makes it likely that the SPC’s interpretation will not only be considered authoritative but may also influence the administrative and criminal trade secret enforcement agencies.
Here are the aspects of the trade secrets JI that (after consultation with Professor Cohen) I think are most interesting.
Identification of secrets (Article 1). The trade secret owner has to “clarify the specific content” of the claimed trade secret in the first level court, which may dismiss all or a portion of a claim that is not clear. The defendant can ask for greater specificity, and the court may resolve the issue by taking evidence subject to cross-examination. On appeal (where the case is essentially re-tried) the plaintiff can amend its specification. This tracks the general approach in the U.S. to force an early identification but allow refinement as the case proceeds.
Combination secrets (Article 2). Under U.S. law a trade secret may consist of a unique combination of elements each of which may be generally known. The JI similarly provides that a claim will qualify if “the information known to the public is collated and improved.”
Value from secrecy (Article 3). The U.S. rule, exemplified by the DTSA (18 U.S.C. § 1839(3)(B)), requires that a trade secret “derive independent economic value, actual or potential” from not being generally known. The JI speaks in similar terms that the plaintiff has to show “real or potential market value” that “can bring about a competitive advantage.”
Reasonable efforts (Articles 6 and 7). The SPC’s treatment of this universal requirement that the plaintiff demonstrate reasonable efforts to maintain secrecy is especially remarkable for the way that the court’s expression aligns with the practical security concerns of any information-based business. While most U.S. courts address this issue with a shallow recitation of typical practices such as NDAs, passwords, marking etc. (which the SPC also does in Article 7), in Article 6 of the JI it suggests a number of “factors” that should be considered by trial courts in making a judgment about the issue. Among these are the nature of the business and the “degree of matching of confidentiality measures with trade secrets.” In other words, while it gives a nod to the “checklist” of efforts, the JI introduces proportionality into the calculus, by pointing out the utility of tying particular measures to particular risks to particular secrets.
Shifting the “burden of proof” (Article 8). As in most civil law countries, China has no discovery, and just getting into court on a trade secret claim can be very difficult. In the Phase One Agreement at Article 1.5, China promised to implement a provision that, if “prima facie” or “preliminary” evidence of the required elements is provided by the plaintiff, the burden shifts to the defendant to prove that there was no misappropriation. The JI appears to address this promise, requiring the defendant to back up any claim of independent development with evidence.
Implied confidentiality (Article 10). The confidential relationship inherent in most trade secret claims does not require a written contract, but can be inferred from “the principle of good faith,” “trading habits,” and the like. This is consistent with China’s laws on commercial contracts.
Access to secrets by an employee or former employee (Article 13). As with the reasonable efforts issue, the JI suggests multiple factors that the court may consider in determining whether an actor had access to obtain secrets. This is interesting primarily because it reflects an embrace of circumstantial evidence, implying more flexibility in the court process.
Indirect misappropriation (Articles 14 and 15). One of the perceived barriers to effective trade secret enforcement in China has been a rather rigid view of what constitutes misappropriation that seems to require something close to copying. The JI indicates that this approach may be softening. Whether what the defendant has done is “substantially the same” should be based on consideration of a number of factors, including the “degree of similarities and differences,” whether the differences would be obvious to a skilled person, and the extent of related public information. Perhaps most importantly, the court may find that a trade secret has been “used” if it has been “modified” or if “business activities [have been] adjusted according to” the plaintiff’s secret. All of this points in the direction of U.S. law finding liability when a defendant’s project has been influenced or accelerated by exposure to the plaintiff’s secret information.
Head start injunction (Article 22). Under U.S. law, if following entry of an injunction the information ceases to be a trade secret (for example by publication of a patent application), a court may continue the injunction for a period of time necessary to deprive the defendant of the unfair advantage obtained by the earlier misuse. The JI appears to allow a court to do the same thing if the provisions of the injunction are “not enough to eliminate the unfair competitive advantage.”
Damage apportionment and punitive damages (Article 24). Again, the JI suggests a factor-based analysis for the court to determine the “proportion and role of the infringed technical information in the entire technical plan or the infringement of trade secrets.” Significantly, courts are directed to take into account the “infringer’s fault” in considering an award of damages that represents “a reasonable multiple of the license fee for trade secrets.”
Limited damages discovery (Article 26). In cases where the plaintiff has presented “preliminary evidence” of misappropriation, and “the books and materials [presumably accounting records] related to the infringement of trade secrets are mainly controlled by the infringer,” the court may order those materials to be produced.
Protection of trade secrets in litigation (Article 27). The JI requires that the trial court “take the necessary confidentiality measures” in connection with litigation and trial. However, it provides no specifics on exactly what kind of protective orders are recommended or even allowed.
Venue (Article 29). Signaling increased flexibility in permitting venue other than in the defendant’s domicile, the SPC now gives the plaintiff in a technology trade secret case a choice, initially where the infringement occurred or the defendant is domiciled. And if it is “difficult to determine” those places, the action may be filed at the plaintiff’s domicile.
Application of national law (Article 30). In what may be seen as a response to trade secret claims filed at the ITC involving trade secret infringement that occurred in China, the JI directs that any civil cases “involving foreign-related violations of trade secrets” will be determined in accordance with Chinese law.
Although China has for some time now shown interest in trade secret reform, this week’s trade secret draft JI undoubtedly was motivated in part by recent trade negotiations, including the Phase One Agreement. But this most recent pronouncement seems in some respects to go beyond what was required, and in those respects also seems to reflect an imprint of U.S. practices. Nevertheless, it will be important to watch what happens as the JI is finalized in the next few months, and what its practical impact on Chinese courts and administrative agencies might be. Perhaps we are at an inflection point with China where reform and strengthening of its trade secret protection system will become self-generating and ever closer to our own, albeit with Chinese characteristics.
“Information wants to be free.” – Stewart Brand
Stewart Brand, the creator of the Whole Earth Catalog, is famous for saying in 1984 that “information wants to be free,” which became a battle cry for anti-intellectual property activists. But this is what he actually said:
“On the one hand information wants to be expensive, because it’s so valuable. The right information in the right place just changes your life. On the other hand, information wants to be free, because the cost of getting it out is getting lower and lower all the time. So you have these two fighting against each other.”
Not exactly a Marxist manifesto. But the shorter version of his words took on a life defined by others. In fact, it has been used in different ways. For the anti-IP crowd, it is a political expression of the idea that the benefits of information should be freely open to society as a whole, and not corralled by intellectual property laws to the benefit of a few. But it also can be taken as a neutral observation of a simple fact: once information has been transmitted to a new place outside the control of the originator, it will naturally propagate toward wide distribution, eventually into the public domain.
That process is a good thing if you are an academic trying to advance the state of knowledge and make a reputation for yourself at the same time. However, if you run a business that depends on data to drive success — and what business doesn’t these days? — this tendency of information assets to escape is a major, perhaps existential, risk. Given that those assets are handled by human beings, the management challenge can feel a lot like trying to contain . . . a virus.
Indeed, one of the reasons that Brand’s quote went viral (sorry) is that it attributes human desire to information (it wants to be free), just as we describe a virus in anthropomorphic terms (it wants to find a home and propagate; it wants to mutate).
The metaphor is not perfect. After all, a virus, unlike bacteria, is rarely considered valuable or helpful. But I believe the comparison is apt and useful in many ways, not least as a mnemonic device to help us stay focused on the difficult but necessary discipline of caring for the integrity of the company’s most valuable property, just as we care for our individual health.
So stay with me as we look at several main areas of overlap between trade secret management and pandemic response. To begin with, let’s recognize that our concerns are not only about our own information propagating outwards, but also about blocking unwanted information from infecting our data systems. So our control systems are naturally tuned toward containment: keeping our data in and others’ data out.
Policies and procedures: your immune system. When was the last time you checked up on the health and performance of your company’s strategy and tactics for maintaining the integrity of your data assets? In fact, are you sure you know what your data assets are? Just like human systems, no two companies are exactly the same in their information security risks. As things settle in following the current crisis and we begin adapting to a new normal, this is a great time to engage in a fresh risk assessment exercise and recalibrate your systems to align with the new environment.
Employees: your behavioral system. While our body’s systems are programmed, the workforce needs training and attention to ensure that it is on alert for risks and makes good choices every day. As regards confidential information, this is a particular challenge not only because employees are distracted by other priorities, but also because they often can connect to the company’s systems through their own phones and tablets, which they then use at home to engage with social media, a system which trains them to share.
It’s not that they intend to cause problems. But just consider the two times of greatest risk with a mobile workforce: when they are coming and when they are going. New hires can be like people infected with a virus but exhibiting no symptoms: they are carriers, but in this case the source of contamination and infection is their former employer, where they were entrusted with access to valuable information that may be relevant to what you are asking them to do. And then when they leave, they carry your trade secrets in their heads as they walk out.
In between those two high-risk moments, you have the opportunity to increase their awareness through training, so that their behaviors are more cautious when it comes to handling sensitive information. As with your Fitbit, there are monitoring systems that can help you understand how well they are complying with your information hygiene instructions.
Outsiders: social distancing. As Ryan Lilly said, “For any creative thought to be contagious, it must first be worthy of a sneeze.” When senior engineers or sales people attend conferences, your company’s important information can easily be exchanged through casual contact. For more organized third-party contact, there is protection available in the form of nondisclosure agreements that permit communication at a respectful distance. But here too we have to pay careful attention, both to how those protections are designed and how they are used, to make sure they perform as intended.
Disputes: falling ill, with luck briefly. When infection with another’s trade secrets occurs, in either direction, great efforts will be made to reduce the fever and recover. The alternative is to go to the hospital (court), which ironically can risk intensifying the symptoms. Happily, almost all patients recover and use the experience to reconsider their health habits.
Misappropriation: mutation. One of the frustrations of dealing with a virus is that it can mutate rapidly to stay ahead of treatments and cures. Similarly, when secrets are stolen, the misappropriator rarely incorporates them into its own systems or process in the same way they were deployed by the victim. Instead, the information is used indirectly, to inform and accelerate development, and the original information has morphed beyond recognition. Reconstructing what happened becomes a research project of its own.
As companies grapple with the consequences of the current economic and social disruption, they will face fundamental changes in how we do business. But self-isolation is not an option. In the information economy, unlike the pre-industrial cottage shops of the 17th century, we need to share. The key is to balance that need with the risks it creates. We should expose our information only to those who need access, and who have acquired the protective gear of confidentiality agreements, training and other controls.
“Artists work best from home.” –Steve Wozniak
If while you’re reading this you are stuck at home or some other location trying to work remotely, give some thought to 18th century self-proclaimed alchemist Johann Friedrich Böttger. As a young and ambitious man living near Dresden, he was convinced that he could actually make gold from base metals, and when King Augustus the Strong (who was apparently in need of more gold) heard about his audacious claim, he had Böttger taken into “protective custody,” which turned out to be a dungeon in his castle. Böttger was to set up a lab and stay at it until he could produce the real stuff.
Unsurprisingly, Böttger produced only a lot of foul smells and the occasional small explosion, and over the next two years, earning his freedom seemed increasingly remote. In fact, he feared for his life. But the king decided instead to appoint a real scientist, Ehrenfried Tschirnhaus, to oversee Böttger’s work. Tschirnhaus was not interested in gold, but rather something that at the time was equally valuable, because it had to be imported from China: white porcelain. Böttger didn’t care about such frivolities, but he was not in a position to resist acting as a lab assistant. Eventually Tschirnhaus cracked the code for porcelain, but suddenly died. Böttger got his hands on the formula, went to the king with the good news, and that’s how Böttger came to fame and wealth as the “inventor” of Dresden china. #dumbluck
Böttger of course got a much nicer lab in the castle, with doors he was free to use. But perhaps because he had learned how much more productive one could be when imprisoned, he famously had his own employees chained to their desks and, in an early form of social distancing, prohibited them from contact with others, lest the secrets be lost. This worked for several years until one of them escaped to Vienna with the formula, which is why you can afford nice china dishware today.
One more history lesson about working outside an office. This one takes us to Venice, where the ancient Roman secrets of glassmaking had been rediscovered and perfected in the 13th century. If you have heard of the beautiful, multicolored Murano glass, that’s because the Venetian government in 1291 forced all the glassblowers to relocate to that neighboring island, ostensibly to prevent their furnaces from sparking a destructive fire in the then-wooden city. The real motivation was apparently to get better control over the craftsmen and their secrets, by putting them in one place and forbidding them from leaving, on pain of death. Now, there’s a serious lockdown. But the glassblowers were able to form a guild among the families and control both the secrets and their prices. So working from home turned out to be a pretty good thing.
Now fast forward to the 1970s, when I first got involved with trade secret management. Business had long before dispensed with life-threatening measures to protect secrets, but the process was fairly straightforward, because everything was on paper and there were no networks. The greatest threat to information security was the photocopier, and taking work home was seen (by the employer at least) as a good thing. Not everyone behaved, and there were plenty of lawsuits, but security was simpler.
We now enjoy networks with more or less infinite bandwidth, spread all over the planet, and supercomputers (that is, phones and tablets) in the hands of millions of employees. We have been able to produce way more valuable information much faster, but the digital world we work in also makes that data more vulnerable than ever. Thankfully, advances in technology have also made it possible for us to keep track of electronic information, both at rest and in transit, and so our sense of control around the security of trade secrets has not degraded that much. Unfortunately, people still sometimes do stupid things with data, just like they did with paper, and so the challenge of modern business has as much to do with managing behavior as with harnessing software.
And that’s the everyday challenge when most of the workforce comes into the office. But working from home increasingly is a hallmark of the digital age. We do it because we can, and it’s more convenient. And we do it because of the demands of employers, customers or clients for 24/7 availability. This means that we have to depend even more on our networks to get things done and the tools to track what we’re doing. But particularly as more people choose to, or have to, work from home, the issues around managing their behavior become more complex.
Security is a conundrum, a trade-off, a paradox. A kind of permanent tension exists between what we know is good for us and what we find more convenient. Remember the days before you had to recall passwords and PINs? Now consider two-factor authentication. Yes, it makes it really, really certain that it is you when you have to wait (after putting in your password) for a code to come to your phone. But should we have to endure that every time we want access to a file? Now, consider the use of Virtual Private Networks, or VPNs. Using these company-owned networks while at home allows us to communicate securely by using end-to-end encryption. But they’re usually slower than our personal WiFi, so when we need to send a lot of messages or move a lot of documents around, well . . . .
So working at home requires being very careful, and in normal times companies can usually manage those who need to be engaged remotely. But what about now, when almost everyone is doing it? And what about later, when we return to normal, but find out that normal includes new habits about when and where we can do our jobs? How can companies respond to the present needs, as well as prepare for the future?
First, focus on the basics. Review with your IT team how existing procedures and controls can operate in the dispersed environment. Companies with a lot of experience implementing mobile device management protocols and tools will mostly just need to increase resources. However, incident (i.e., breach or other security problem) reporting may not be as robust as when most people are operating in controlled surroundings, so you may need to explore how to adjust your systems to take into account those additional vulnerabilities.
Second, reinforce to all staff the importance of protecting confidential information in its various forms. Remind everyone about what kind of information is sensitive, and what your expectations are for hygienic business behavior, particularly their communications with the outside world. Tie this messaging to your existing policies and procedures, emphasizing that this effort is an extension of the company’s focus on protecting its sensitive data, an issue that obviously needs more attention when we are all in remote locations.
Third, provide everyone with sufficient cloud-based data facilities (such as Google Drive or Dropbox) that are easy to use for secure storage and transfer of information with customers, supply chain partners and other outsiders.
Fourth, encourage staff to use company-owned devices and the company’s VPN, and to continue to use company email systems for business matters. Make sure everyone knows that use of home computer systems and WiFi is not secure and that they should especially avoid using it for any sensitive communications. For those who resist (and sometimes the recalcitrant are executives), consider providing personal IT support to enhance the security of their environment.
During this unusual time, employers need to be flexible and understanding. Getting compliance with the full suite of security protocols is harder at a distance. Trade secret management is about balancing value against risk, and then measuring that risk against the cost (including inconvenience) of various measures to reduce it. One of the practical risks is that people won’t follow rules that get in the way of getting the job done, and so you need to be sensitive to their struggle and try to collaborate about finding acceptable solutions.
An essential element of trade secret protection is that the owner has made “reasonable” efforts to keep the information a secret. But as the Uniform Trade Secrets Act tells us, those efforts must be reasonable “under the circumstances.” When circumstances change, as they have recently, we need to recalibrate. In fact, when things return to whatever normal turns out to be, this will be an excellent opportunity for every organization to revisit the way in which it approaches management of its most important information assets.
“Data that is loved tends to survive.” — Kurt Bollacker
In last month’s post, Part 1 of this series, we considered the view of European academics that trade secrets are not “intellectual property” because they don’t give the power to exclude others, like patents, copyrights and trademarks do. But considering that trade secrets are treated throughout the world like a kind of property – they can be transferred and taxed, and stealing them is considered theft – we concluded that what matters is not exclusion, but control. It is the ability to control access to secret data that can give companies an advantage over others that don’t know about it.
We considered the example of an Armenian family that has managed to keep – and profit from – the secrets of making the very best orchestral cymbals for four centuries. They did this by sharing only within the family, where presumably they had available some compelling ways to enforce trust.
For the rest of us in the modern, globalized and digital economy, we have what looks like an impossible task. How do you protect the company’s secrets when they are zooming around the globe at the speed of light and accessible by thousands of employees, contractors, partners and vendors, each with a small supercomputer in their hands? More specifically, what do you do when those people go home in the evening and use those same little devices to participate in various forms of social media, where they are relentlessly instructed to share the most molecular details of their lives with hundreds or thousands of “friends”?
Before we try to answer those big questions, here’s a comforting thought. What the law expects fits nicely with what the owners of a business should expect: that management will do what is “reasonable under the circumstances.” Okay, you might say, that is just an abstraction meant to dodge the problem. But there is some instructive guidance behind the “reasonableness” standard.
It starts with recognizing that perfect security is not feasible in today’s data blizzard. The more people we trust with access, the greater the risk. But in order to compete in fast-moving markets, we can’t go it alone. Today’s innovation and commercialization usually require large teams, including external partners. So being “reasonable” means accepting that risk.
Besides the imperative to share, we also have to confront another reality of risk: security measures almost always come at a cost. It’s not necessarily about money, but about convenience and productivity. Think about two-factor authentication, where in addition to your normal password you have to wait for a special one to be generated and sent to your personal device. Now think about doing that 50 or 100 times a day, as you go through each office door and engage with each software program or database. It adds up. Most businesses can’t afford the efficiency loss that results from placing maximum protection on all forms of data.
So it’s pretty clear that we can’t have it all when it comes to information security. “Reasonable” means thoughtful management of the risk of losing control over your data, while not letting the perfect be the enemy of the good. So how does a business do that? Here are some observations grounded in the law and in sensible business management.
To begin with, recognize that “reasonable under the circumstances” refers to the unique circumstances of your business and the risks faced by your information assets. There is no one-size-fits-all checklist of “best practices” that applies across the board. If you think that checking off a list of security techniques is enough, or if you’re worried that you’re not doing everything on some list, forget that. What matters is the circumstances you are in, measured by three things: value, threat and cost.
Valuable information can be found everywhere in most companies, and we can’t protect it all with maximum effort, or the business would collapse under the weight of the effort. Instead, we have to understand where we get competitive advantage from data, and try to categorize it according to its value. This is not necessarily value in the absolute sense, measured by currency. Instead, knowing relative value will help inform decisions about what level and kinds of security are needed. The algorithm that powers a critical business process might deserve more attention than a marketing strategy.
Assessing value could be as simple as picking the top 10 or 20 trade secrets that cause you concern. To do that, you need to know what you have. But don’t be put off by fear that an “inventory” of information assets has to be a logistical nightmare, like the hardware store shutting down for several days in order to count all the individual nuts and bolts. Instead, the idea is to organize your data into categories that reflect similar kinds of value, such as tools, databases, strategies, R&D records, information about customers, financial data, and information entrusted to you by others.
The next step is to assess the threat, or risk, faced by the different kinds of confidential information you need to manage. Here there are two kinds of threat. First, there is risk of loss or leakage that can reduce or destroy competitive advantage. We can refer to this as “outbound” risk. In contrast, but often equally important, is “inbound” risk, that is the possibility that your information may become contaminated by unwanted data from outside the business. Most commonly, this sort of infection happens through hiring from competitors; but it can also come in through poorly managed confidential business relationships like a potential acquisition.
In order to thoroughly understand your risks, of course, you need to estimate the likelihood that the bad thing might happen, as well as its impact on the business if it does. Hiring an engineering manager from a direct competitor to lead an identical project will represent a substantial danger of potentially serious harm, while providing secret drawings to a trusted vendor without negotiating a non-disclosure agreement (NDA) may be more acceptable. Making these distinctions will help management focus not just on the hazards but on how much risk might be acceptable in the name of efficiency.
Once you know what you have and the array of threats you contend with, you can begin to consider where to focus your attention and allocate your resources. In this part of the process you consider the ways in which you might reduce the potential for harm, measuring the cost (in terms of money or operational friction) against the value of the information in question. In recruiting the engineering manager, for example, you might consider not only providing warnings and getting assurances about unwanted transfer, but also, if the perceived risk warrants it, providing the new hire with independent counsel to reinforce the message and to better distinguish between the skill he can apply and the trade secrets he can’t.
Many other decisions about information security will be taken in this way. Should the company adopt a labeling system for confidential information that applies multiple levels of restriction, or will a simpler system result in better compliance? Does a different risk environment in overseas facilities call for a different kind of employee training there? Should NDAs be managed centrally, or should business managers be allowed to negotiate special terms? Should access to various systems and databases be controlled for each application, or is universal access with passwords enough? Should we install software on employees’ phones to ensure they don’t share company secrets?
If you’re thinking that what I’ve described here is just classical business risk management, you’re right. The process of considering value, risk of loss and cost of mitigation techniques is how most companies approach caring for their assets and opportunities. For some, the analysis is more ad hoc than strategic, while others increasingly look outside the organization for help in designing a comprehensive data protection program.
The most important takeaway is this: your information is your property, and without due care its value can diminish or disappear. But you have control over it. Pay attention and be aware of your options. That is the “reasonable” thing to do.