By Stefan Dittmer, Partner, Dentons, Germany, and James Pooley, Professional Law Corporation, USA, Members of the ICC Commission on Intellectual Property, International Chamber of Commerce (ICC)
Most kinds of intellectual property (IP), such as patents, copyrights, trademarks and designs, are rights granted by a government. But there is another right that depends only on the choice of an individual business: secrecy. The law protects someone who shares information in confidence with another, but does not require that it be registered with any agency. If there is a dispute, the legal system will sort it out.
Trade secrets have been part of commercial transactions for centuries, as a common and practical way for a business to maintain a competitive advantage. While other forms of IP are carefully limited to creative works that meet a very specific set of requirements, protection for secrets applies broadly to any information that is secret, that has some commercial value, and that the owner has taken some steps to maintain in confidence.
It is this breadth and flexibility of secrecy that make it so attractive, in particular to smaller organizations that may not have the budget to build a portfolio of registered IP rights. Every restaurant can have its secret recipes. Every beauty salon has its customer list and knows the individual preferences of its patrons. Every furniture maker has “tricks” to increase the efficiency or quality of the finished goods. More recently, secrecy has been identified as a means to protect unstructured data, for example, machine data produced in large quantities and used to fuel automation, or algorithms, another key component of the digital industry.
The laws of most countries, following the standards laid down in the Agreement on Trade Related Aspects of Intellectual Property Rights (the TRIPS Agreement) protect obligations of confidentiality in business transactions. The reality of continuing relationships means that the vast majority of those obligations are respected by the participants.
In the United States, trade secret laws had traditionally been a matter left to the individual states. A Uniform Trade Secrets Act was proposed to the states in 1979 and since then has been widely adopted, but with varying provisions that made enforcement on a national scale fairly complicated. In 1996, the federal government enacted the Economic Espionage Act, but it was limited to criminal remedies. Twenty years later, the US Congress passed the Defend Trade Secrets Act of 2016 (DTSA), which for the first time, gave trade secret holders the option to file civil claims in federal court, offering a number of procedural advantages over state courts.
Trade secrets have been part of commercial transactions for centuries, as a common and practical way for a business to maintain a competitive advantage.
In effect, the DTSA has harmonized the rules that apply to trade secret disputes, and the number of cases brought in federal court has surged. As is true in other areas of commercial litigation in the United States, a claim can be made based on circumstances that “plausibly” infer that the defendant has misappropriated a trade secret. After that, a broad array of “discovery” methods, including extensive document production and pre-trial taking of sworn testimony from witnesses, is used by both sides to uncover the relevant facts. Although this easy availability of discovery allows trade secret holders to more effectively enforce their rights, it makes litigation in the United States generally more expensive than in any other country. Coupled with the sometimes-uncertain outcomes and generous damage awards due to the availability of civil lay juries, this environment can be intimidating for companies from other jurisdictions that are used to the more modest cost and predictability of the civil law framework that does not allow for discovery or juries.
Almost at the same time as the DTSA was adopted in the United States, the Directive on the Protection of Undisclosed Know-How and Business Information (Trade Secrets) against their Unlawful Acquisition, Use and Disclosure (Directive (EU) 2016/943 of 8 June 2016, or “EUTSD” for the purposes of this article) entered into force.
Before that, the national laws of EU member states, similar to the laws of any major economy, protected trade secrets one way or another. However, the fragmentation of the legal landscape across the EU was identified increasingly as an obstacle to cross-border technology transfer and R&D or, more generally, innovation.
Pressure from industry and business associations, but also growing political support for the idea of harmonization, not the least the “Europe 2020 Flagship Initiative Innovation Union,” paved the way for adopting the EUTSD. It has been implemented by EU member states. Although full harmonization was not intended or achieved, companies doing business in the EU can expect to find national legal regimes in the member states that are reasonably identical or similar across the entire EU.
Inevitably, the process of introducing the EUTSD reignited the discussion as to whether secrecy is an IP right, after all. It is, in many aspects, an academic issue because even those who question the quality of secrecy treat it in many respects like an IP right. Contrary to the prevailing legal doctrine in the United States, the EU decided against qualifying secrecy as an IP right. As a consequence, Directive 2004/48/EC on the enforcement of intellectual property rights, better known as the Enforcement Directive, does not apply. While individual EU member states, notably Italy and Slovakia, decided otherwise, the practical relevance of this inconsistent approach is limited in that the EUTSD stipulates an enforcement regime quite similar to that of the Enforcement Directive.
This seemingly coordinated effort on both sides of the Atlantic to improve trade secret enforcement was the subject of a study by the International Chamber of Commerce published in 2019.
Recent reform and upgrading of trade secret laws has not been limited to the EU and the United States. In 2018 and again in 2019, China made significant amendments to its Anti-Unfair Competition Law to expand the definition of a protectable trade secret and to increase penalties for theft, including the availability of punitive damages. China further refined its law to address the trade secret owner’s challenge of developing sufficient evidence by declaring a “preliminary” showing of misappropriation sufficient to trigger a requirement that the defendant prove independent development of the information.
What does all of this legislative activity directed at strengthening trade secret laws mean for SMEs? There are two general consequences. First, the subject of protecting competitive advantage by secrecy has received more attention than ever before, with the result that more resources are available to assist SMEs in managing this often-overlooked aspect of intellectual property. Second, businesses of all types and in all countries are challenged to take advantage of this easy-to-use approach, not only to protect their own data, but to avoid unwanted exposure to the trade secrets of others.
Protecting an SME’s competitive advantage by using secrecy requires awareness of what information needs to be protected to retain that advantage, and of the measures available to reduce the risks to its secrecy. Legislation poses virtually no limit to the kind of information that can be claimed as a trade secret; it can be any kind of information, as long as “it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question” (the TRIPS Agreement, Article 39), and derives from its secrecy some actual or potential commercial value. Of course, the information must be distinct from individual skill, which is outside the scope of legal protection.
Protecting an SME’s competitive advantage by using secrecy requires awareness of what information needs to be protected to retain that advantage, and of the measures available to reduce the risks to its secrecy.
The more challenging aspect is to identify and apply security measures that are “reasonable,” since every control brings with it a certain cost, either in money or efficiency or both (consider, for example, the annoyance of dealing with two-factor authentication, in which you have to wait for a unique code to be sent to your phone). What is reasonable under the circumstances will be decided ultimately by a court taking into account a company’s risk environment, the value of the information, the threat of loss and the cost of measures to mitigate the risks.
To identify its most important trade secrets, the business should consider the value of the information, measured by the investment made to develop it, the potential advantage it provides over the competition, the potential damage from loss of control, its exposure to any form of reverse engineering (which is, in principle, allowed in most jurisdictions), and/or the likelihood that a competitor might independently discover or develop it.
Once information has been identified as a valuable trade secret, the company needs to carry out realistic risk assessments to determine appropriate security controls. Introducing different classes of information with corresponding security measures can be useful to structure the process of managing trade secrets. Other parts of this process may include labeling the information in accordance with its classification, restricting access to those with a need to know, applying other physical and electronic safeguards and using properly drafted confidentiality (or non-disclosure) arrangements in situations where information must be revealed to a supplier or other business partner.
In the EU, the adoption of Regulation (EU) 2016/679 (General Data Protection Regulation) helped to raise companies’ awareness for data security. Technical and organizational measures, mandatory under the General Data Protection Regulation (GDPR), Article 32, to protect the secrecy and integrity of personal data, can also be “reasonable steps under the circumstances” to preserve the confidentiality of trade secrets.
SMEs, for the very reason that they often rely on secrecy rather than registered rights to protect their IP, are particularly prone to the threat of becoming targets of industrial espionage. For them, it is essential to not only apply high levels of cyber security, but to update and upgrade them regularly to remain on top of technical developments. After all, what is “reasonable under the circumstances” is subject to change due to technical progress and the relative value and threat variables, which may change over time.
While cyber-crime is on the minds of many businesses, the most prevalent threat to the preservation of secrecy are individuals who, while employed by the company (or by a trusted supplier), legitimately hold or have access to the information, but leave the company and carry the information to their new employer. In addition to contractual confidentiality obligations that should be standard in any employment agreement, IT surveillance within the limits of employment and data privacy legislation, frequent training on applicable duties, and a diligent exit process, including exit interviews, can help mitigate the risk. So can an established and well-communicated practice of strict enforcement in cases of security breaches. And not to forget that third party information illegally brought into the company by new hires also poses a threat to the company’s position, making it important that recruiting and on-boarding processes are reviewed.
Thanks to recent improvements in trade secret laws around the world, SMEs have more options and opportunities to increase enterprise value and prevent loss of data assets by using the IP right that is entirely in their control: trade secrets.