The thing to remember about trade secret law is that it comes from the courts. Even with the Uniform Trade Secrets Act ("UTSA") and the Defend Trade Secrets Act ("DTSA"), judges continue to sculpt this category of intellectual property. And it's critical that they get it right, because for hyperconnected, data-driven businesses, secrecy is the primary method of protecting their most valuable and vulnerable assets.
That's what makes it so hard today to imagine how, fifty years ago, we came close to losing it all. I still remember the day when, in my first full year of practice, I noticed one of the senior partners hunched over his desk reading from the advance sheets. Because it was unusual for this partner to be reading cases at all, I asked him what had captured his attention. "Trade secrets," he said. "The Supreme Court says they're okay."
The case was Kewanee Oil Co. v. Bicron Corp., and indeed the Court held that state law on trade secrets survived a preemption challenge based on federal patent law. Viewed from today's perspective, the outcome may seem evident, the challenge even a bit absurd. But the decision wasn't unanimous; Justices Douglas and Brennan dissented, observing that the patent system hinged on encouraging disclosure and that secrecy's "conflict with the patent laws is obvious."
This article's focus is on the past fifty years, the era of what we might call "modern trade secret law." But before we examine the exciting developments of the current period, it's important to understand how we managed to get to that day in 1974 when a whole body of law was on the line, and we could not be sure how it would turn out.
We talk more about patents, but it is our secrets that we should be worried about. Control of confidential information has been key to business success for centuries. Long before patents were − so to speak – invented in Venice in the 15th century, China had a lock on the production of silk, which at the time was more valuable than gold. The Industrial Revolution brought a focus on the factory, guarding formulas and processes for transforming raw materials into commercial goods. But it has been the Information Age, in which data is the raw material, that has made us fully appreciate the critical importance of trade secrets. Indeed, while companies have always gathered data about how to improve their business, these days data collection and analysis are forming the core of their business models – think Amazon and its algorithmic understanding of your buying habits.
According to a 2021 report from the National Science Foundation, businesses view trade secrets as more valuable than patents, by a significant margin. Across enterprises of all sizes and industries, 23% consider trade secrets as important, while utility patents lag far behind at 8%. You might say that is because the sample includes businesses that have no real interest in intellectual property. But when you sharpen the focus on companies that engage in R&D, the preference for secrecy remains, with 76% seeing trade secrets as very or somewhat important, and just over 50% assessing patents that way.
This does not mean that patents are fading away – there is nothing quite as powerful as the ability to exclude others from using your invention. But over the last 15 years in the United States, we have experienced an erosion of patent enforcement through court decisions, along with a lift for trade secrets from the America Invents Act. That statute effectively removed the requirement that an inventor reveal the ‘best mode’ of an invention, allowing implementation details to be retained as a trade secret without risking the invalidation of the patent. The law also expanded prior user rights to all areas of technology, making it safer for a company to choose secrecy for technology that might later be patented by someone else. These developments have helped shine a light on trade secrets – not necessarily as an alternative, but certainly as a more robust companion to patent protection.
Although we now recognize these information assets as extremely valuable, how to manage them is not so obvious. Many people inside and outside a company must have access to these assets, usually through electronic systems for storage and communication that are inherently insecure. Therefore, if you are faced with this challenge, a lot of your effort will be spent simply on not losing control of what you have. But equally, sensible management requires that you realize the potential of your data to enhance enterprise value, by ensuring that managers focus on putting it to work in the business.
Fine, you might say, but how do I do that? I am comfortably familiar with the registered rights, I know what they are, I can count them, and there are accepted ways to value them and to sell the ones I do not need. In contrast, managing information sounds like tying string around a cloud. Where do I start?
First, some good news: the legal requirement for establishing a trade secret aligns very well with achieving the corporate purpose of protecting and exploiting it. The basic law expressed in Article 39 of the TRIPs Agreement requires only "reasonable steps" to maintain secrecy of information that provides some commercial advantage. National laws reflect this fundamental policy to protect information so long as the business has taken reasonable measures to keep it confidential. But what does 'reasonable' mean? One recognized implication is that perfection is not required, otherwise any act of misappropriation would prove that you had failed to do enough. The law accepts that you cannot anticipate every kind of mistake or misbehavior by those whom you have trusted with access.
In effect, the law expects what the company's board expects: that management will exercise ordinary prudence under the circumstances to protect assets of the business. That means that you identify and analyze the risks and make a thoughtful determination about how to eliminate or reduce them. In other words, the framework for proper handling of trade secrets is nothing more than an application of classical risk management. One useful example of this sort of risk-based approach can be found in the Cybersecurity Framework published by the National Institute of Standards and Technology. Although originally directed at protection of critical infrastructure such as the financial system and energy grids, the institute's framework has been used as a general information security guide by businesses of all sizes in a variety of sectors.
By Stefan Dittmer, Partner, Dentons, Germany, and James Pooley, Professional Law Corporation, USA, Members of the ICC Commission on Intellectual Property, International Chamber of Commerce (ICC)
Most kinds of intellectual property (IP), such as patents, copyrights, trademarks and designs, are rights granted by a government. But there is another right that depends only on the choice of an individual business: secrecy. The law protects someone who shares information in confidence with another, but does not require that it be registered with any agency. If there is a dispute, the legal system will sort it out.
Trade secrets have been part of commercial transactions for centuries, as a common and practical way for a business to maintain a competitive advantage. While other forms of IP are carefully limited to creative works that meet a very specific set of requirements, protection for secrets applies broadly to any information that is secret, that has some commercial value, and that the owner has taken some steps to maintain in confidence.
It is this breadth and flexibility of secrecy that make it so attractive, in particular to smaller organizations that may not have the budget to build a portfolio of registered IP rights. Every restaurant can have its secret recipes. Every beauty salon has its customer list and knows the individual preferences of its patrons. Every furniture maker has “tricks” to increase the efficiency or quality of the finished goods. More recently, secrecy has been identified as a means to protect unstructured data, for example, machine data produced in large quantities and used to fuel automation, or algorithms, another key component of the digital industry.
Trade Secrets: the other IP right, featured in an earlier edition of the WIPO Magazine, offers an introduction to trade secrets.
The laws of most countries, following the standards laid down in the Agreement on Trade Related Aspects of Intellectual Property Rights (the TRIPS Agreement) protect obligations of confidentiality in business transactions. The reality of continuing relationships means that the vast majority of those obligations are respected by the participants.
In the United States, trade secret laws had traditionally been a matter left to the individual states. A Uniform Trade Secrets Act was proposed to the states in 1979 and since then has been widely adopted, but with varying provisions that made enforcement on a national scale fairly complicated. In 1996, the federal government enacted the Economic Espionage Act, but it was limited to criminal remedies. Twenty years later, the US Congress passed the Defend Trade Secrets Act of 2016 (DTSA), which for the first time, gave trade secret holders the option to file civil claims in federal court, offering a number of procedural advantages over state courts.
Trade secrets have been part of commercial transactions for centuries, as a common and practical way for a business to maintain a competitive advantage.
In effect, the DTSA has harmonized the rules that apply to trade secret disputes, and the number of cases brought in federal court has surged. As is true in other areas of commercial litigation in the United States, a claim can be made based on circumstances that “plausibly” infer that the defendant has misappropriated a trade secret. After that, a broad array of “discovery” methods, including extensive document production and pre-trial taking of sworn testimony from witnesses, is used by both sides to uncover the relevant facts. Although this easy availability of discovery allows trade secret holders to more effectively enforce their rights, it makes litigation in the United States generally more expensive than in any other country. Coupled with the sometimes-uncertain outcomes and generous damage awards due to the availability of civil lay juries, this environment can be intimidating for companies from other jurisdictions that are used to the more modest cost and predictability of the civil law framework that does not allow for discovery or juries.
Almost at the same time as the DTSA was adopted in the United States, the Directive on the Protection of Undisclosed Know-How and Business Information (Trade Secrets) against their Unlawful Acquisition, Use and Disclosure (Directive (EU) 2016/943 of 8 June 2016, or “EUTSD” for the purposes of this article) entered into force.
Before that, the national laws of EU member states, similar to the laws of any major economy, protected trade secrets one way or another. However, the fragmentation of the legal landscape across the EU was identified increasingly as an obstacle to cross-border technology transfer and R&D or, more generally, innovation.
Pressure from industry and business associations, but also growing political support for the idea of harmonization, not the least the “Europe 2020 Flagship Initiative Innovation Union,” paved the way for adopting the EUTSD. It has been implemented by EU member states. Although full harmonization was not intended or achieved, companies doing business in the EU can expect to find national legal regimes in the member states that are reasonably identical or similar across the entire EU.
Inevitably, the process of introducing the EUTSD reignited the discussion as to whether secrecy is an IP right, after all. It is, in many aspects, an academic issue because even those who question the quality of secrecy treat it in many respects like an IP right. Contrary to the prevailing legal doctrine in the United States, the EU decided against qualifying secrecy as an IP right. As a consequence, Directive 2004/48/EC on the enforcement of intellectual property rights, better known as the Enforcement Directive, does not apply. While individual EU member states, notably Italy and Slovakia, decided otherwise, the practical relevance of this inconsistent approach is limited in that the EUTSD stipulates an enforcement regime quite similar to that of the Enforcement Directive.
This seemingly coordinated effort on both sides of the Atlantic to improve trade secret enforcement was the subject of a study by the International Chamber of Commerce published in 2019.
Recent reform and upgrading of trade secret laws has not been limited to the EU and the United States. In 2018 and again in 2019, China made significant amendments to its Anti-Unfair Competition Law to expand the definition of a protectable trade secret and to increase penalties for theft, including the availability of punitive damages. China further refined its law to address the trade secret owner’s challenge of developing sufficient evidence by declaring a “preliminary” showing of misappropriation sufficient to trigger a requirement that the defendant prove independent development of the information.
What does all of this legislative activity directed at strengthening trade secret laws mean for SMEs? There are two general consequences. First, the subject of protecting competitive advantage by secrecy has received more attention than ever before, with the result that more resources are available to assist SMEs in managing this often-overlooked aspect of intellectual property. Second, businesses of all types and in all countries are challenged to take advantage of this easy-to-use approach, not only to protect their own data, but to avoid unwanted exposure to the trade secrets of others.
Protecting an SME’s competitive advantage by using secrecy requires awareness of what information needs to be protected to retain that advantage, and of the measures available to reduce the risks to its secrecy. Legislation poses virtually no limit to the kind of information that can be claimed as a trade secret; it can be any kind of information, as long as “it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question” (the TRIPS Agreement, Article 39), and derives from its secrecy some actual or potential commercial value. Of course, the information must be distinct from individual skill, which is outside the scope of legal protection.
Protecting an SME’s competitive advantage by using secrecy requires awareness of what information needs to be protected to retain that advantage, and of the measures available to reduce the risks to its secrecy.
The more challenging aspect is to identify and apply security measures that are “reasonable,” since every control brings with it a certain cost, either in money or efficiency or both (consider, for example, the annoyance of dealing with two-factor authentication, in which you have to wait for a unique code to be sent to your phone). What is reasonable under the circumstances will be decided ultimately by a court taking into account a company’s risk environment, the value of the information, the threat of loss and the cost of measures to mitigate the risks.
To identify its most important trade secrets, the business should consider the value of the information, measured by the investment made to develop it, the potential advantage it provides over the competition, the potential damage from loss of control, its exposure to any form of reverse engineering (which is, in principle, allowed in most jurisdictions), and/or the likelihood that a competitor might independently discover or develop it.
Once information has been identified as a valuable trade secret, the company needs to carry out realistic risk assessments to determine appropriate security controls. Introducing different classes of information with corresponding security measures can be useful to structure the process of managing trade secrets. Other parts of this process may include labeling the information in accordance with its classification, restricting access to those with a need to know, applying other physical and electronic safeguards and using properly drafted confidentiality (or non-disclosure) arrangements in situations where information must be revealed to a supplier or other business partner.
In the EU, the adoption of Regulation (EU) 2016/679 (General Data Protection Regulation) helped to raise companies’ awareness for data security. Technical and organizational measures, mandatory under the General Data Protection Regulation (GDPR), Article 32, to protect the secrecy and integrity of personal data, can also be “reasonable steps under the circumstances” to preserve the confidentiality of trade secrets.
SMEs, for the very reason that they often rely on secrecy rather than registered rights to protect their IP, are particularly prone to the threat of becoming targets of industrial espionage. For them, it is essential to not only apply high levels of cyber security, but to update and upgrade them regularly to remain on top of technical developments. After all, what is “reasonable under the circumstances” is subject to change due to technical progress and the relative value and threat variables, which may change over time.
While cyber-crime is on the minds of many businesses, the most prevalent threat to the preservation of secrecy are individuals who, while employed by the company (or by a trusted supplier), legitimately hold or have access to the information, but leave the company and carry the information to their new employer. In addition to contractual confidentiality obligations that should be standard in any employment agreement, IT surveillance within the limits of employment and data privacy legislation, frequent training on applicable duties, and a diligent exit process, including exit interviews, can help mitigate the risk. So can an established and well-communicated practice of strict enforcement in cases of security breaches. And not to forget that third party information illegally brought into the company by new hires also poses a threat to the company’s position, making it important that recruiting and on-boarding processes are reviewed.
Thanks to recent improvements in trade secret laws around the world, SMEs have more options and opportunities to increase enterprise value and prevent loss of data assets by using the IP right that is entirely in their control: trade secrets.
On May 11 2016 President Obama signed into law the Defend Trade Secrets Act (DTSA), capping several years of hearings and negotiations that eventually led to an almost-unanimous vote in Congress. The primary aim of the statute was to provide industry with the option of asserting civil claims for trade secret misappropriation in federal courts. Although trade secret law had traditionally been the province of the states, their varying rules and procedures were seen as increasingly mismatched to the needs of businesses that operate in the global, information-based economy. Allowing cases to be filed in federal court was expected to increase the effectiveness of protecting data assets.
The basic approach was to adopt the standard definitions and remedies provided in the Uniform Trade Secrets Act (UTSA), which since 1979 had been embraced (although with variations) by 47 of the 50 states. As a result, the new law also aligns very well with Article 39 of the 1995 Agreement on Trade-Related Aspects of Intellectual Property (TRIPS), which also was patterned on the UTSA. As with most legislative efforts, however, some special concerns led to the enactment of unique provisions.
The most hotly debated of these was a procedure to permit ex parte applications for orders to seize items that contain a trade secret. In an environment where valuable data can be downloaded to a small device and taken across borders, industry wanted a quick remedy when evidence surfaced that such a theft was threatened. But adapting a process that has worked well in the context of counterfeit goods turned out to be awkward, since separating the improper from the legitimate is harder to do with information. In the end, Congress agreed on a number of strict requirements and limitations designed to prevent abuse, looking much like the restrictions which over the years have been placed on the use of Anton Piller orders.
A second special feature was the creation of an exception for whistleblower disclosures, by granting immunity under state or federal trade secret law to any individual employee, contractor or consultant who reports in confidence to the authorities information about wrongdoing within an organization. This provision was animated by a lack of reliable protection under current laws, whose ambiguity tended to discourage reporting of crimes. But its focus on law enforcement stood in contrast to the near-simultaneous adoption by the EU of a much broader whistleblower exception in the Trade Secrets Directive.
Another change from the UTSA, reflecting a concern about labour mobility, places a limitation on what sort of injunctive relief judges can issue against departing employees. The so-called “inevitable disclosure doctrine,” under which an employee might be blocked from taking on an identical job for a direct competitor, was rejected. Instead, federal courts may place conditions on a new job – such as working in a different area of the company – but only based on evidence of the employee’s behaviour from which it can be inferred that the former employer’s secrets are at risk of misuse.
What can we observe from the first year’s experience with this new option for trade secret litigation? In general, the law appears to be performing as intended, although in some areas, such as whistleblower protections, it has been rough going. Ex parte seizures have not proved the scourge that critics feared. While federal filings are popular, state courts remain even more so, and probably for good reason. And some intriguing and impactful questions remain so far unanswered.
Since the DTSA came into effect there have been over 300 cases filed, with a few dozen rulings on early-stage issues. Because direct filing in federal court was not previously available, there are no comparative statistics. But most experienced practitioners observe that the take-up has been substantial, confirming the assumption that businesses would often choose federal protection if they had the choice. However, many more cases continue to be filed in state courts, where localised disputes – imagine an insurance agent moving across town to another brokerage, for example – are handled effectively.
In general, the law appears to be performing as intended, although in some areas, such as whistleblower protections, it has been rough going
Indeed, the generally enthusiastic early adoption of the DTSA may not continue for the long term. Although cases involving actors and witnesses in other states or countries will usually benefit from a federal forum, due to common rules and nationwide service of process, federal courts are not always the best place for a plaintiff to file a trade secrets claim. In part this is because in the federal system a case is assigned to a single judge for the duration, so the judge tends to focus on early disposition. In contrast, most state court systems divide and distribute their work, and early motions tend to be resolved by one judge letting the case continue through to a trial before a different one.
In trade secret cases, at the outset the plaintiff typically has more speculation than evidence about what has happened and the extent to which its information is in peril. Since the US has a tradition of very broad discovery rights, courts long ago settled into an approach for handling this information asymmetry by allowing cases to be filed based on a reasonable suspicion that misappropriation has occurred, with discovery left to fill in the gaps. When the DTSA was new, concern was expressed that federal courts might apply a “heightened pleading standard” required typically in cases of fraud. That fear has not played out, however, as the few courts where initial pleadings were challenged on that basis have rejected the argument and confirmed that a short statement of facts demonstrating a “plausible” theory of liability is enough.
In other ways, however, the tendency of federal courts to closely examine pleadings has shown up in the early DTSA decisions. In one case, a motion to dismiss was granted for failure expressly to plead that the trade secrets related to a product or process in interstate commerce, which is practically speaking a low bar but nevertheless a jurisdictional requirement under the statute. In another case, however, a judge dismissed a complaint for failure to plead in sufficient detail the basis for the plaintiff’s assertion that it had made “reasonable efforts” to protect its secret information. While that is also a necessary element under state laws, most state courts have allowed plaintiffs to plead it with very little evidentiary support.
To date we have not seen the courts address in any comprehensive way the basic question of how trade secrets – which are the only IP right not described through a government registration process – are to be defined in litigation. Because the scope of discovery depends to a great extent on understanding exactly what is the subject matter of the dispute, we can probably expect this issue to emerge over time as a common subject for early case management.
Since the DTSA came into effect there have been over 300 cases filed, with a few dozen rulings on early-stage issues
On one aspect of DTSA pleading there seems to be clear agreement: when a complaint alleges misappropriation that was complete before the statute became effective, the DTSA does not apply. However, if the complaint alleges new acts of misappropriation in the same transaction, the DTSA will apply to those acts, while the prior acts will be covered by relevant state law.
While the legislation was pending before Congress, some opponents, primarily academics, expressed concern that the provisions for ex parte seizures would become “routine” and subject to abuse by powerful trade secret holders to extract unjustified settlements. In actual practice those fears have not been realised. Very few plaintiffs have even requested this extraordinary form of relief, and it has been granted publicly in only two cases, with another two reportedly under seal.
Indeed, because one requirement of the procedure is that “normal” injunctive relief provided under Federal Rule 65 is demonstrably insufficient, the effect seems to have been to focus attention of the courts on that process. It turns out that Rule 65 in practice is broader and more flexible than some had imagined. As some DTSA cases have shown, where the proof is strong, plaintiffs may be able to secure the functional equivalent of an ex parte seizure under pre-existing authority: judges can issue immediate orders to restrain misuse and disclosure, and even to require surrender of devices containing secrets.
Federal statutes are presumed to operate only within US territory unless it clearly appears that Congress intended otherwise. The DTSA legislation did not contain an express statement of extraterritorial effect. But anyone reading the bill as it was passed would probably conclude that Congress wanted it to apply to foreign misappropriation of domestic commercial secrets. The bill included a section on the “Sense of Congress” stating that “[t]rade secret theft occurs in the US and around the world, and, wherever it occurs, harms the companies that own the trade secrets and the employees of the companies.” Another section required regular agency reports on the “scope and breadth of the theft of trade secrets of US companies occurring outside of the US” and what can be done to “reduce the threat of and economic impact caused by” such foreign theft.
Because the scope of discovery depends to a great extent on understanding exactly what is the subject matter of the dispute, we can probably expect this issue to emerge over time as a common subject for early case management
As an alternative to considering those strong but indirect statements from Congress, courts might turn to a portion of the pre-existing Economic Espionage Act of 1996 (EEA), the federal criminal statute that was amended to allow for the provisions of the DTSA. The EEA includes a provision expressly declaring its extraterritorial effect, but only when an “act in furtherance of the offense” occurred in the US or the “offender” was a US citizen or permanent resident. Because these terms are normally used to apply only to criminal laws, one could argue that the section does not apply to civil claims, or that if it does the reach of the DTSA is similarly restricted by required connections to the US.
So far only one court has touched on the issue of extraterritorial effect of the DTSA, and it read the EEA provision as applying equally to the civil claim. However, it was a collateral issue in the case and did not receive close analysis. Given the prevalence of foreign misappropriation, coupled with the potentially more powerful remedies now available in federal court, we can expect this issue to be squarely addressed before long. Answering the question whether the DTSA applies fully, conditionally, or not at all to conduct outside the US could have a profound effect on cross-border litigation over trade secrets.
The DTSA’s limitation on judicial power to restrain departing employees from accepting a new position has so far received close attention in only one case, but with clear effect. An executive working for a defence contractor took a job with a competitor serving the same government agency. When his former employer sought an injunction that would prohibit his doing business for that agency, the court found that such a restriction in theory would not amount to an impermissible restraint on accepting employment. And although the DTSA also forbids injunctions in conflict with state law protecting labour mobility, the applicable state rule provided an exception when necessary to protect trade secrets. The court’s order granting injunctive relief stands as an example of the DTSA’s effective balance of legitimate, competing interests.
The vast majority of cases filed so far under the DTSA have coupled that claim with a parallel misappropriation claim under the law of the state in which the federal court sits. In some cases the two laws may have meaningfully different standards, depending on the extent to which that state’s law varies from the DTSA. A common example would be the limitations period, which is three years under the DTSA but can extend to as long as five or six years under some state laws. Other variations include the availability of royalties as an alternative to injunction, the definition of what constitutes a trade secret, and allowable damage theories. No federal court has yet expressed that this simultaneous assertion of different laws to cover the same claim is problematic; however, we are still in the early stages of most DTSA cases, and as they proceed closer to trial we can expect to see courts require elections or otherwise resolve the conflict.
It turns out that Rule 65 in practice is broader and more flexible than some had imagined. As some DTSA cases have shown, where the proof is strong, plaintiffs may be able to secure the functional equivalent of an ex parte seizure under pre-existing authority
Other state laws are often asserted along with a trade secret claim. Enforcement of a noncompetition contract or other restrictive covenant is a common example. But where alternative legal theories can be asserted under state law for what amounts to the theft of information – business torts such as conversion, breach of confidence and unfair competition – the issue becomes potentially more complicated. That is due to a section in the UTSA that declares the “displacement” of such claims in favour of the single statutory cause of action. Most states have interpreted this section broadly, making it impossible in those states to assert the alternative claims. When the DTSA was being considered, some commentators speculated that federal courts hearing DTSA claims might allow the displaced theories because the DTSA itself has no similar “displacement” provision. But in the only case that has directly confronted the issue, the court reasoned that alternative claims displaced by the law of the relevant state could not be revived merely by bringing them together with a DTSA claim in federal court.
Protection for whistleblowers under the DTSA was expressed as “immunity” from liability under any state or federal trade secret laws. That term has special significance under US Supreme Court decisions, requiring that district courts promptly determine whether a defendant enjoys the privilege and if so dismiss the case. However, most immunities are immediately apparent by a person’s undeniable status, such as a government official. DTSA immunity is qualified not only by the requirement that the individual disclose information in confidence to law enforcement or to an attorney, but that the disclosure be made “solely” for the purpose of “reporting or investigating a suspected violation of law.”
In the only case that has construed this provision, the employee had taken confidential documents and provided them to his attorney, who asserted that he was reviewing them for possible disclosure to the authorities. The employer filed for an injunction requiring the documents to be returned, and the employee moved to dismiss on grounds of immunity. The judge issued an order that the documents be surrendered to the court, and he refused to dismiss the case, noting that it was not possible on the record to conclusively determine that reporting to law enforcement was the employee’s “sole” objective.
Critics of the decision have argued that immunity must be determined as a first priority, and that it undercuts the purpose of the statute to subject a whistleblower to any litigation risk or expense. Some have suggested that courts will develop a procedure similar to that used in connection with challenges to personal jurisdiction, in which discovery is allowed only on the relevant predicate facts, which then can properly inform a motion to dismiss.
Trade secret owners and their counsel appear to have embraced the DTSA eagerly, seeing in the federal forum a familiar and more reliable environment for resolving disputes. But even though one case has already gone to trial (resulting in a verdict for the plaintiff), most cases are still in relative infancy. As they mature we can expect substantial progress in the developing federal jurisprudence. If all goes well, federal courts will influence not only each other but also the continuing development of state laws that closely align with the DTSA, leading to the greater harmony and efficiency in trade secret enforcement that Congress intended.
Published in the George Mason Law Review, Volume 23, Number 4, Pages 1045-1078
If you have strategic responsibility for intellectual property, then you may already feel the ground shifting beneath you. Patents have held sway during our professional lifetimes not only as a marker of innovation, but as the main way in which companies protect and exploit their competitive advantage. Not any more. Like an old style of dress, trade secrets are coming back into fashion and turning heads...
We’ve become used to news reports of companies and government agencies being breached by anonymous foreign hackers. But most people were shocked to learn that employees of the St. Louis Cardinals baseball team allegedly compromised the secret database of the Houston Astros, gaining access to scouting reports, player assessments and game strategies. With industrial espionage affecting “America’s Pastime,” we have to pay attention! As it turns out, there are some good takeaways here for everyone that has to supervise employees in the modern enterprise.
First, this story is a great example of how much value there is in information itself. Research proves what we suspect from looking at today’s businesses; increasingly they rely on “intangible” assets like data analytics for their competitive advantage. The most common form of protection for those assets isn’t traditional intellectual property like patents or copyrights, but trade secrets. The main reason is because the law is incredibly broad, protecting not just famous formulas like Coca-Cola’s, but any secret information that you wouldn’t want the competition to know, including strategic plans, customer preferences and unannounced products.
Second, this increasingly crucial business asset has never been more vulnerable or exposed to more threats. In part, this is because of the Internet and other technologies like smartphones and USB thumb drives that make it easier to take data where it’s not supposed to go. In part, it’s also about global competition, which leads many companies to partner with outsiders on the development of new products, increasing the risk of exposure. But one thing that hasn’t changed with the arrival of these new challenges: the single greatest threat to information security has always been, and remains, the company employee.
That’s not to say that workers are being recruited as industrial spies. Deliberate espionage — despite the headlines — is relatively uncommon within private companies. But carelessness isn’t, and that is the way that most proprietary information is lost. This is why the supervisor plays such a key role in protecting today’s most important corporate property. Good management can make all the difference. Here are some suggestions for specific steps that you can take to improve your own performance in this critical area.
If you’re going to help the company protect its sensitive data, you have to be familiar with what it is and why it’s valuable. Of course, focus on what your own department deals with, but also learn what’s important in other parts of the enterprise. Leaks don’t always happen locally inside an organization. Also, keep in mind that it’s the company’s secrets that have to be protected, not the skills and general information that employees need to do their job. If you teach someone how to be a more efficient programmer or analyst or salesperson, they are entitled to put that knowledge in their personal “tool kit” and take it with them to their next job. In managing their work, you should show that you know the difference; it will help them to respect what belongs to the company.
Managing trade secrets is just ordinary risk management applied to a specific subject. To help prevent loss, you need to know what the threats are. In some industries that are mainly customer-facing, you may have concerns about the sort of cyberhacking that has hit Target, Home Depot, Anthem and JP Morgan. The same kind of external threat looms for companies that perform a lot of research in new technologies or therapies; in fact, even the results of failed experiments can be useful to a competitor, to save them time and risk in pursuing their own development. Most businesses meet these external risks with sophisticated software tools for detecting and reacting to IT system breaches. (Even with the best tools, however, you still need good management of the people that operate them and act on their output.) But no matter how much damage might be done by outside entities, a lot more can be caused by those working for the organization. This is the “insider threat” that security experts agree is the most common source of information loss. In plain terms, this means that we all make mistakes from time to time, but carelessness when handling secret data can have catastrophic consequences. That’s because trade secrets are like a gas in a container: once you open the lid and it gets out, you can’t put it back. So while with external threats you can (and often must) rely on breach detection as much as breach prevention, where human behavior is concerned, prevention is paramount. Operationally, this means that your impact on corporate security can be measured by how well you supervise the people in your area, to keep them aware and informed.
Some people have speculated that the Cardinals/Astros hack happened because a former Cardinals executive who joined the Astros set up the same passwords to get system access at the new job as he had used at the old one. Most of us can identify with the inconvenience of having to remember a lot of passwords, but we also know that changing your passwords frequently is just smart practice. This is only one example of the many IT-related practices that, when followed regularly, can dramatically reduce risks. But since those practices are implemented (or not) by the people who work for you, it’s up to you to make sure that they are doing their best.
The same idea — that people management matters most — requires that you pay special attention to how you follow up on the security training that staff receive. Time and again, training is shown to be the most cost-effective way to prevent data loss, because it raises awareness and reduces careless behavior. But that works only if you reinforce the messages that workers have received by periodically measuring their compliance and understanding and finding ways to weave information security into your feedback sessions and performance reviews. And on a daily basis, set the example on compliance with company information policies, for example, by counseling with staff who leave sensitive information open in their work area. Your active demonstration that you care about these policies can do more than any refresher seminar.
It’s not just the loss of the company’s own secrets that keeps executives awake at night; it’s also the risk that its information will become infected with unwanted data from the outside. Many recruits mistakenly believe that they are doing their new employer a favor by keeping records from their previous jobs. So you have to make it clear from the initial interview that the company respects the intellectual property rights of others, and that unauthorized introduction of someone else’s secret information — whether physically or from memory — can result in termination. This especially applies to consultants who often promote their value based on what they know about the competition.
Nondisclosure agreements, or NDAs, are common, but people don’t pay enough attention to managing their obligations. For example, if you have a meeting where some sensitive company information is shared orally, a written confirmation has to be sent within a certain number of days. Keeping records of who gets access to what information will also help you avoid problems. Most importantly, watch out for the requirement to return or destroy shared information at the end of a project, since even keeping it stuffed in a cabinet can get you in trouble.
Once you learn that someone intends to go, the focus of your supervision has to shift. Have they been downloading an unusual amount of documents? Are they meeting with other employees and possibly recruiting for their next employer? If that happens, be prepared for the exit interview, in order to (a) learn where they are going to work and what they will be doing and (b) impress upon them the seriousness of their obligations not to use or disclose any company secrets.
What kind of intellectual property (IP) is most often relied on by business to protect competitive advantage? Most people would answer with one of the best known areas of IP: patents, copyright, trademarks or designs. But they would be wrong. The most common form of protection used by business is secrecy.
Why then do trade secrets receive less attention than the other areas of IP? There are several reasons. First, secrecy does not involve a government registration process; it is implemented as a matter of practice by each business. Second, although the general principles of trade secret law - also referred to as the law of undisclosed, or confidential, information - are established in similar ways in most countries, there are few common rules or regulations about enforcement. Third, secrecy disputes are usually secret, so they do not become part of the public debate.
Recently, however, trade secrets have shot to the top of the news, with stories of "cyber-espionage" attacks on companies throughout the world, with spies using fake email messages to get inside corporate networks and trawl for useful information. But trade secret law is also getting a fresh look for more positive reasons, as a framework that can enable collaborative innovation, often involving actors located in many different countries. Whatever the catalyst, governments and industry are clearly interested. Within the last year, major initiatives on secrecy have been launched by the European Commission as well as the US government.
Most simply, a trade secret is information that you do not want the competition to know about. The law generally protects not just secret formulas and designs, but even simple facts, such as the features that might be introduced in the next iPhone, or which country a business intends to go into next.
Secrecy has been a part of trade for thousands of years. For example, secrecy allowed a region of China to profit for centuries from clever harvesting of the silkworm's thread, and it gave a family from Armenia a 400-year lead in producing the best orchestral cymbals.
Trade secrecy is a legal regime that protects relationships of trust. Before the industrial age, innovative craftsmen would keep their "tricks of the trade" closely held through small, family-owned shops. However, as industry moved from the cottage to the factory, there was need for a legal system that would enforce an employee's promise of confidence about a secret process or piece of machinery.
It is important to keep in mind that secrecy is a legitimate tool for businesses of all sizes. Enforcing business secrets has nothing to do with lack of transparency in government. Although it may seem paradoxical, trade secret laws can enable and encourage technology transfer, because they provide a commercially reasonable way to disseminate information. Although some aspects of secrecy laws, such as data exclusivity for drug companies (Art. 39.3 of the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS Agreement)), can be controversial, there is general agreement that confidential disclosure is beneficial in a modern economy. Indeed, keeping secrets - often information about customers and their needs and preferences - is the main way that small and medium-sized enterprises (SMEs) protect their business advantage.
It is easier to understand this point if you imagine what it would be like if no one could count on the law to enforce obligations of confidence. Businesses would hire fewer people, since each new employee would expand the risk of information loss. The cost of enforcing physical security - locks, fences, etc. - would increase. Perhaps most important, many licensing transactions and research collaborations would never happen, because there would be nothing to ensure that partners would not run off with the new technology and unfairly compete against its creator. The general approach would be to hoard information, slowing the progress of innovation.
Why do businesses turn most often to secrecy to maintain their advantage? First, it is cheaper than other forms of IP that require registration with a government agency, often with the expense of hiring lawyers or other professionals. In contrast, to establish your trade secret right, all you need to do is be careful with it, spending only what is necessary to keep it from becoming generally known. Usually keeping facilities secure and getting nondisclosure agreements from employees and vendors is enough.
In addition, much more information can be protected through secrecy than is possible with patents, which can only be granted for truly novel technical innovations. Secrecy covers any information that gives you an advantage, even if someone else is already using it; the only limitation is that it not be generally known.
That point reveals the downside of secrecy: there is no guaranteed exclusivity. If someone else discovers your secret without stealing it from you, there's nothing you can do about it, although for most businesses this is not a significant drawback.
Trade secret law, like other forms of IP, is governed by national legal systems. However, international standards for protecting secrets (called "undisclosed information") were established as part of the TRIPS Agreement in 1995. Article 39 of the agreement provides that member states shall protect 1'undisclosed information" against unauthorized use "in a manner contrary to honest commercial practices" (this includes breach of contract, breach of confidence and unfair competition}. The information must not be generally known or readily accessible, must have value because it is secret, and must be the subject of "reasonable steps" to keep it secret. This general formula for trade secret laws has been adopted by well over 100 of the 159 members of the World Trade Organization.
Articles 42 to 49 of the TRIPS Agreement cover enforcement, requiring that civil judicial proceedings be available to enforce all IP rights and that "confidential information" be protected from disclosure. Nevertheless, because national judicial systems, including the methods for granting access to evidence, vary greatly, enforcement of trade secret rights around the world is generally viewed as uneven.
The practical challenges of protecting secrets are more difficult to overcome than the legal ones, however. Paradoxically, the great explosion of innovation that has brought so many benefits to the world has also made it easier for thieves to steal valuable business information. For example, through a process known as "spear-phishing", commercial spies send an email using personal information gleaned from Facebook or other social media, leavÂing the recipient unaware that the message is a hoax. Once the embedded link is clicked, the thief's malicious software, known as "malware", invades the recipient's computer and through it the employer's network. Staying in the computer system for months or sometimes years, this silent invader searches for important confidential files and passwords, and sends all of it back to the hackers who use or sell the information.
Tracing the source of cyber-espionage is notoriously difficult, given the ubiquity and anonymity of the Internet. Estimating damage to businesses is likewise challenging, in part because many enterprises do not know that their systems have been compromised, and also because those who do are often reluctant to report it. Nevertheless, studies show that the problem is growing, and governments around the world are looking for ways to address it.
For businesses, the issue is not just about protecting their own valuable information, but about avoiding being infected by secrets belonging to others. In a global market characterized by easy movement of employees and complex webs of connections among companies' suppliers and customers, it takes special vigilance to avoid contamination by unwanted information. Greater competition also means that businesses have to work continuously on finding ways to exploit their secrets, either through direct commercialization, collaborations or licensing. In the meantime, the sheer volume of potentially valuable data creates its own challenges of inventory and valuation.
For businesses that rely on patent protection, secrecy is a critical part of the innovation process. Because most national patent laws require "absolute novelty", this means that until the day a patent application is filed, the invention must be completely protected from any public disclosure. Where the technology requires refinement through experimentation outside the laboratory, this can be extremely difficult. That is why discussions regarding international patent law harmonization often include the idea of a "grace period" of up to one year before filing, during which time disclosures by an inventor will not disqualify a later patent application.
It is in comparing patents and secrecy that one can most easily see the importance of trade secrets for SMEs. Patents have been key to the success of many businesses, particularly as they reach into global markets where a period of exclusivity is needed to recoup the cost and risk of innovation. That sort of advantage is greatly amplified when using the Patent Cooperation Treaty (PCT}, the international patent filing system administered by WIPO, which gives applicants up to 30 months to refine their plans and find partners and sources of funding. However, patents are not the only tool for protecting technological advantage. Secrecy can do this too, through licensing and various forms of collaboration.
Indeed, it is in the rapidly-expanding realm of international "open innovation" that trade secret laws may be turned to greatest advantage, particularly for smaller firms and individual inventors from developing and least developed countries. These actors often can leverage their special creativity and local knowledge most effectively by collaborating with large, well-established multinational corporations that are looking for fresh ideas. That kind of partnering - the building of "trusted networks" of SMEs and other innovators - is enabled by national trade secret laws that protect the integrity of shared information.
Emerging from a long period of relative obscurity, the subject of trade secrets is currently getting a lot of attention. There is good reason to be concerned about commercial espionage, because like other forms of piracy it disrupts markets and slows progress. But another reason to focus on secrecy is for what it can do to support and amplify the creative work of individuals and SMEs throughout the world, by making it possible to connect with other firms to deliver innovative solutions to the public.