“Risk comes from not knowing what you’re doing.”
— Warren Buffett
At this moment, there is a fellow riding a bus in London who will determine the fate of your secrets. To be more precise, he’s on the Clapham bus; but he has no name. In fact, he’s a fictional character originally imagined by 19th Century journalist Walter Bagehot, who thought that “public opinion” was best described as the “opinion of the bald-headed man at the back of the omnibus.” The idea was picked up by the English courts as a metaphor for the “reasonable person” standard that is applied in all sorts of cases, from criminal to personal injury to contract interpretation. It also has special application to trade secrets, which we’ll get to in a minute.
First, a bit more about the hypothetical “reasonable person.” As the UK Supreme Court explained in a 2014 decision, the “Clapham omnibus has many passengers. The most venerable is the reasonable man, who was born in the reign of Victoria but remains in vigorous health.” Others include the reasonable parent, the reasonable landlord and the “fair-minded and informed observer, all of whom have had season tickets for many years.” The point is for the judge or jury to put themselves in the mind of this fictive but “reasonable” person, for guidance on what the actual person in the case should have done.
If this strikes you as a vague and maybe unpredictable cop-out by judges who can’t come up with a more precise standard for acceptable behavior, you wouldn’t be alone. But at least it’s objective, in the sense that what’s reasonable is what that anonymous guy on the bus would think about the behavior of someone in similar circumstances. It’s not about what the person being judged thinks is sensible or right. In effect, being dim is no defense.
What does this have to do with trade secrets? Under modern law, as established by the states under the Uniform Trade Secrets Act (UTSA) or the federal Defend Trade Secrets Act (DTSA), a business that wants to protect the integrity of its confidential information has to provide evidence of “reasonable measures” to prevent the loss. This means that before you can get help from the courts you must have helped yourself by taking actions “reasonable under the circumstances” to maintain secrecy of your data. In other words, your preventive efforts will be judged under the “reasonable person” standard.
It wasn’t always like this. Back in the days when the rules came from the common law (individual decisions of judges), trade secrets were treated as a part of tort law, and the emphasis was on the confidential relationship between the business and those it had to share secrets with. Courts focused more on the defendant’s bad behavior in taking or misusing the secret than they did on whether the information deserved to be protected at all. This perspective found expression in the 1939 Restatement of Torts, which defined trade secrets in reference to a set of six factors to be weighed as the judge saw fit. One of those was “the extent of measures taken by [the trade secret owner] to guard the secrecy of the information.” That left a lot of room for judges to just do what felt right. Defendants who had been caught behaving badly had little luck in arguing that the plaintiff should have done a better job protecting its secrets from misappropriation. One judge compared the argument to the car thief that complains about the driver leaving his keys in the car.
Things began to shift in the 1980s. Trade secrets were viewed more like property rights, with owners being expected to draw boundaries and provide warnings. As more states adopted the UTSA, with its specific requirement (no longer just a factor) that the trade secret owner prove that it had exercised “reasonable efforts,” judges started to express more skepticism about those efforts, and that trend picked up with the adoption in 2016 of the DTSA, which allows most trade secret cases to be brought in federal court. Thirty years ago, trade secret claims were only rarely dismissed before trial based on a failure of reasonable efforts. Now, according to a recent study by the law firm Winston & Strawn, it happens in 11% of trade secret disputes. The “reasonable person” standard is now the “reasonable business” standard, and it really matters.
A recent case decided by the Second Circuit Court of Appeals, Turret Labs USA, Inc. v. CargoSprint, LLC, illustrates how things have changed. Turret had developed a software program for use only by freight forwarders operating at airports, but licensed the product to airlines, in this case Lufthansa. CargoSprint was alleged to have gotten access through Lufthansa by falsely presenting itself as a freight forwarder, acquiring secret algorithms and other information it used to create a competing product. Turret alleged that Lufthansa had “protocols” in place to ensure proper access, but it did not recite what provisions of its license required the airline to apply them. It also alleged various network security measures such as servers in locked and monitored cages, with data in transit secured by encryption. The appellate court affirmed the trial judge’s order dismissing the complaint for failure to describe reasonable efforts. Based on the allegations in its complaint, Turret had given full authority to Lufthansa to control access, but apparently without requiring it to do so. That basic surrender of control to a third party rendered irrelevant all of the technical measures that had been applied to secure the IT system.
Turret, and cases like it, teach us four important lessons. First, businesses have to pay close attention to trade secret management. That’s mainly about preventing loss or contamination of those assets, which these days represent the lion’s share of a company’s sustainable value. But it’s also about being ready in case you have to go to court to protect your rights. These cases often come at you very fast, after you’ve discovered that a departing employee or unreliable business partner threatens to abuse a trust. When that happens, you need to be prepared to explain not only what your trade secrets are, but also all the steps you have taken to demonstrate to the court that you have acted prudently to maintain control over these valuable assets. That means designing your relationships and transactions with a keen eye to this dimension of risk.
Second, the trade secret statutes require you to prove both that your secrets have competitive value and that you have exercised reasonable efforts to protect them. Don’t conflate those two related but distinct issues. Your secret process or other confidential information may appear to give you a significant advantage over the competition; but you also have to signal that special value to those who have access to it. Robust training for employees and careful contracting with third parties will be part of the story you may have to tell about how you made sure that everyone understood what your secrets were and how they were supposed to protect them.
Third, in designing your protection program, don’t fall into what I call the “checklist trap.” You can find lots of lists of protective measures culled from judicial decisions about what judges found to be sufficient in a particular case. More often than not, those decisions will be on motions to dismiss or summary judgment, where the court is making a narrow ruling, preserving for the jury the ultimate decision on what is or isn’t “reasonable.” What some other company has done may be interesting, but it’s not particularly relevant, unless they are protecting the same kind of information that faces identical risks. The question is what’s reasonable to maintain the secrecy of your unique secrets, in the light of the unique (and usually dynamic) risk environment they live in. Remember that Turret had apparently constructed a fairly secure framework against external attacks, but none of that mattered because it transferred access control to its licensee without limitations.
Fourth, approach the issue the same way that you would any other major area of business risk, by performing a classical risk analysis. Consider carefully the value of the information you want to protect as well as the security risks that it faces on a day-to-day basis in the business – with particular emphasis on the “internal threat” of uninformed or careless employees as well as the full range of third-party access through supply chains and collaborations. Examine what you can do to efficiently mitigate those risks, which will normally come down to careful relationship management, through contracts, communications and education. (For a thorough discussion of trade secret management, see the draft Sedona Conference Commentary on “Governance and Management of Trade Secrets”).
Your primary objective always is to maintain control over your data assets so that they don’t migrate or get infected. But if you ever have to go to court to protect them, resolution of the “reasonable efforts” issue will be driven mainly by whether or not your secrecy efforts taken before the litigation appear to be consistent with the high value you assert in the courtroom. Sitting in judgment on that question will be that bald-headed fellow on the Clapham omnibus.