It’s getting pretty rough out there for employers who want to control their employees’ behavior. Think back to March 2020, when the pandemic was just beginning and we took a look at this new phenomenon of widespread remote work. We imagined managers wistfully recalling the Renaissance, when artisans could be imprisoned, or even threatened with death, to make sure they didn’t breach confidence. Well, in modern times at least, companies can use noncompete agreements with departing employees to avoid messy and unpredictable litigation over trade secrets.
Maybe not for long. As we learned last month, the FTC is on the warpath about noncompetes, and it may not be long before the entire country is forced to emulate California and just do without. Whatever happens with the FTC proposal, it’s pretty clear that noncompetes are also under attack by the states, where new laws limit their effectiveness.
So, it’s probably wise to at least prepare ourselves for a world in which noncompete agreements, at least for the rank and file, are forbidden. Welcome to sunny California, where we’ve been living under that regime since 1872, thanks to a statute that prohibits contracts “by which anyone is restrained from engaging in a lawful profession, trade, or business of any kind.” When you can’t prevent staff from jumping to the competition, what does a business have to do to maintain control over its trade secrets?
We’ll get to that, but first let’s console ourselves with the recognition that maybe life without noncompetes wouldn’t be so bad. First, noncompete agreements are not a perfect solution for protecting a company’s confidential information. Where they are allowed, courts often limit coverage to what is “reasonable” in duration, geography and subject matter, to the minimum required to protect the company’s interest. And some courts require the employer to continue to pay salary during the noncompete period, while the former employee prepares plans to open a competing business the day that the restriction expires.
Second, noncompete agreements can introduce resentment and contention into the company’s relationship with its workforce. This can have the perverse effect of increasing risk to confidential information, as employees search for workarounds to evade legal restraints. Third, administering a system in which these agreements have varying effect in individual states or foreign countries can be a nightmare for the HR department. And fourth, too-heavy reliance on noncompetes can lead the company to neglect the important task of managing the confidential relationship (more on that below).
In California, we don’t have to worry about those issues, and some would say that the state has done pretty well, creating the world’s fourth largest economy, largely resulting from innovation produced by Silicon Valley. True, there is general recognition that a lot of valuable information is compromised through the free movement of high-level managers and engineers (the euphemism applied to that loss is “spillover effects”). Still, the general assumption is that the resulting information flows provide a rising tide that lifts all boats. Lest we forget, California also leads the nation in trade secret litigation, which should come as no surprise – take away noncompete agreements and a lawsuit may be your only ultimate tool.
Well, at least we can rely on the old standby of the employee non-disclosure agreement (NDA), or Confidentiality Agreement. Sorry, but I have a bit of bad news on that front. As we know, the FTC has proposed a “functional test” for banning NDAs that are the equivalent of a noncompete because the effect is to block the employee’s ability to find competitive employment. But the FTC didn’t pluck this idea out of thin air, and even if its proposed rule never becomes law, we’re still going to have to deal with the risk that a “garden variety” confidentiality agreement could be struck down, or even made the basis of a claim that the company is engaged in unfair competition.
How can this be? Employee NDAs are built on the noncontroversial assumption that the law already implies an obligation of confidentiality when an employee is entrusted with sensitive information. The contract simply reinforces that notion, providing notice and helping to demonstrate that the company has exercised “reasonable efforts” to protect its trade secrets, a required showing in any lawsuit to enforce its rights.
The problem stems from how companies define the information that employees are required to maintain in confidence after they leave. Naturally, these definitions are a bit broad and vague, because at the outset of the relationship it’s impossible to know exactly what secrets the employee will be exposed to. But some companies (rather, their lawyers) have decided that it’s a good idea to expand the scope of the NDA in ways that actually do have much of the effect of a noncompete. Two cases illustrate the riskiness of this approach.
In the first one, TLS Management v. Rodriguez, the employee worked for a tax planning and consulting firm, leaving to engage in his own tax practice. The employer sued to enforce his NDA, which covered “all information . . . regarding TLS business methods . . . any other information provided to” the employee, and “any other information” he might learn during employment. The only exception was for information disclosed by TLS to the general public. The court struck down the agreement because it extended to the employee’s “general knowledge” and other information that was publicly available.
More recently, a California appellate court, in Brown v. TGS Management, reversed an arbitrator’s decision enforcing an employee NDA that similarly defined “confidential information” to include anything “used or usable in, or originated, developed or acquired for use in, or about or relating to” the employer’s business. The exceptions provided in the contract were so narrow (for example, information previously known to the employee “as evidenced by Employee’s written records”) that the court saw them as proof that the NDA was designed to block legitimate competition.
What should companies do to preserve the utility of confidentiality agreements and avoid their being interpreted as noncompetes? First, look carefully at the definition of covered “Confidential Information” and make sure coverage is directed at information of the company or its customers that deserves the label because it provides some sort of commercial advantage. Second, clarify the definition with exceptions that acknowledge the employee’s control over their own skill and general knowledge. Third, include language that allows a judge, when enforcing the agreement, to adjust its restrictions as necessary to make it reasonable (sometimes called “blue penciling”).
But these mechanics of drafting the NDA are only a part of the effort. While they may be necessary to avoid reclassification as a noncompete, they are not sufficient to establish and maintain control over your trade secrets. Having the new employee sign a restrictive contract is just an initial step in managing the relationship for clarity and understanding about confidentiality.
Whatever is in your contract, you will be entrusting this individual, perhaps over many years, with access to some of your most competitively sensitive information. The contract alone can’t bear the weight of that continuing responsibility when the employee leaves. The perfect NDA will not help you much if by that time you have not communicated well and frequently what that sensitive information is, and how you expect your employees to behave to protect it.
In between the contract at onboarding and the exit interview at departure is where the trust-building happens. Although “Confidential Information” can’t be defined with specificity in the NDA, the company can, through thoughtful training and guidance, help the employee to understand what sort of secrets are most important to the business. That understanding, consistently reinforced, becomes the foundation for a “culture of confidentiality” in which employees who leave are prepared to do what’s right, rather than argue over the wording of their NDA.
We can find surveys showing employees willing to share their employer’s confidential information – but this usually results from misunderstanding and mixed signals, not malicious intent. So, the ultimate solution to reduce risk to a company’s information assets is in nurturing the relationships it forms with those who have access. If you can’t use noncompete agreements, you also can’t file a trade secret misappropriation lawsuit against every departing employee. Your primary protection comes instead from their clear appreciation of the trust that has been placed in them.
“He is led by an invisible hand to promote an end which was no part of his intention.”
— Adam Smith
When Adam Smith spoke about an “invisible hand,” he was talking about a good thing – the way that free markets harness the laws of competition, supply and demand and self-interest to improve the economy. But he also could have been thinking of another law. The law of unintended consequences: that actions of people, and especially of governments, always have unanticipated effects. Sometimes these effects can be perverse, reflecting a profound failure of “second-order thinking” (in other words, thinking ahead about “how could this possibly go wrong?”).
On January 5, 2023 – a day that may go down in IP infamy – we saw two bold actions. First, the “Protecting American IP Act” became law; and second, the Federal Trade Commission (FTC) proposed a new rule that would invalidate noncompete agreements across the United States. But wait, you might say, that actually sounds great! What’s the problem with protecting American IP, and making the rest of the country join California in unleashing talent to go where it likes? Well, don’t be too hasty. Stay with me on this, and you will see just how shortsighted our government can be.
First, let’s look at the legislation. The generic name is S.1294, and it requires the President to impose sanctions on foreign entities or persons involved in “significant” theft of U.S.-owned trade secrets, as well as others who support them. The new law calls for the President to report to Congress in July (and annually thereafter) identifying “foreign persons” who have “knowingly engaged in, or benefited from, significant theft” of trade secrets, if the activity is “likely to result in . . . a significant threat to the national security, foreign policy, or economic health” of the U.S. The report must also name foreign persons who provide “significant” financial or technical support to, or act on behalf of, the direct offender, including an entity’s CEO and board members. We are given no definition of what the oft-repeated word “significant” means, although possibilities range from “non-trivial” to “considerable” to “large.”
Having identified all these foreign actors and supporters, the President is required – unless he files a written waiver justified by the national interest – to impose “5 or more” from a list of sanctions, including (1) blocking property transactions, (2) placing on the “entity list,” (3) denying financial assistance or access, (4) disqualification from selling goods or services to the U.S., and (5) banning U.S. sources of investment. Individuals can be denied visas or have their existing visas revoked. Notably, there is no avenue for appeal to any court for relief from the President’s determination.
If this law sounds vaguely familiar, then congratulations, you’ve been paying attention! In June 2021, we published an article about the rush to “decouple” the United States from China. It included several examples of pending bills at the federal and state level that I mocked for their obvious ineffectiveness. One of them was an earlier version of S.1294. Back then, I thought it was silly to think that legislation requiring the President to choose “5 or more” sanctions, like picking dishes from a menu, could actually become law. How naïve I was!
One thing hasn’t changed, however; it should be apparent that this statute won’t really deter trade secret theft. We already have a law, the Economic Espionage Act, that provides up to 15 years in federal prison and $10 million in fines (plus restitution). Trade sanctions don’t amount to much if you’re ready to risk going to jail.
But hold on, you might say—even if S.1292 is ineffective, at least it can’t do any harm, right? Well, that’s where the law of unintended consequences comes into play. I will pause here for a brief digression into how that law has come to be known as the “cobra effect.” During colonial times, the British governor of Delhi was concerned about an infestation of cobras. So he offered a generous bounty on cobra skins, assuming this would reduce their numbers. Instead, people saw a business opportunity and started breeding thousands of the snakes just to kill them and cash in. Horrified, the governor rescinded the bounty, and so guess what? All those breeding farms released their stock, which slithered into the city.
Here, the statute makes no exception for “foreign” entities that are actually subsidiaries of U.S. companies, so we may end up with sanctions applied to U.S. assets. But the bigger worry is that this law, which provides no incremental benefit, becomes inspiration for copycat legislation in other countries. We would hardly be in a position to complain about China arresting U.S. executives (or impounding data belonging to their companies) based only on a government “finding” made without due process.
Okay, let’s hope that remains just a scary risk that never comes to pass. Now we will turn to the other unwelcome news from Washington, the FTC’s new proposed rule that would ban noncompete agreements. Noncompetes are also something we’ve examined before, when the White House asked the FTC to perform a study, following public outrage over contracts being foisted on summer camp counselors and sandwich makers.
Here’s the background: noncompete agreements are (mostly) not allowed in California, while almost all other states permit them under a strict “reasonableness” filter that limits their time, subject matter and geographic coverage. Businesses like them because it’s hard to know when secrets are being used by a departed employee, and trade secret litigation is expensive and unpredictable, for both sides. To address the worst abuses, individual states have considered specific fixes. According to Russell Beck’s scorecard, 11 states have enacted laws that prohibit noncompetes for low-wage employees, and many other states are currently considering similar legislation.
The FTC rule would immediately wipe out all that state-level activity, based on its conclusion that all noncompetes are “unfair,” and that outlawing them would, according to economists, result in higher wages. The FTC justifies much of its logic and confidence on California’s experience; but the causal connection between that state’s restriction of noncompetes and the success of Silicon Valley has never been proven. One thing we are sure of: California leads the nation in trade secret litigation. That should come as no surprise, since its businesses have no other tool to protect their confidential information. It’s fair to question whether a surge in lawsuits in the rest of the country would be acceptable, or whether that outcome was even considered at the FTC.
But the FTC rule does not just copy California. It seems to go out of its way to introduce more uncertainty, burden and risk for industry. For example, consider that California permits noncompetes for someone who sells their interest in a business. This is sensible, because no one would buy a business if they couldn’t be assured that the seller would not open a shop down the street. But the FTC would only allow this “goodwill” exception for a “substantial” owner, which it defines as holding at least 25% of the company. Think about that. Any business with more than four equal shareholders would be unable to guarantee the buyer protection for goodwill, even if everyone agreed that it was necessary. What would that do to the potential liquidity of businesses, not just on Wall Street, but also on Main Street? Did anyone try to add up how many deals would never get done, or the reduced price for sellers not allowed to protect the sale with a noncompete?
And there’s more. The term “noncompete clause” is defined by the FTC to include any nondisclosure agreement that “is written so broadly that it effectively precludes the worker from working in the same field.” Employee nondisclosure agreements are widely used across most industries because they make it possible to share confidential information and trust that it won’t leave in the heads of departing staff. And because no one knows at the outset exactly what that shared information will be, the agreements must be drafted broadly. How many of them will be challenged as “de facto” noncompete contracts? The uncertainty and cost – including years of litigation – that this would impose is impossible to calculate, but it would be – ahem – “significant.”
Well, at least there will be a transition, right? Wrong! In fact, the FTC’s rule would not only take effect on day one, but it would be retroactive, requiring employers to give “individualized” written notice that the contract clauses have been “rescinded.” And the notice has to go not just to current “workers” (a term that includes independent contractors), but all past workers at their last address.
The ability of the United States to remain competitive in global markets requires that it enable and encourage innovation. Businesses today rely largely on information assets, but to commercialize those assets, companies have to provide confidential access to hundreds or thousands of employees with the assurance of a robust set of laws to protect trade secrets. For decades, the United States has been promoting that framework to the rest of the world. Now, the federal government seems blind to the ultimate consequences of what seems to some people like a great idea. Watch out for the snakes.
Trade secret jurisprudence, originally conceived in the common law of torts as a way to enforce confidential relationships, now has a sharper focus directed at the property interest of businesses in the data that forms the major portion of their asset base. In the process, trade secrets have taken their place of respect alongside the “registered rights” of patents, copyrights, trademarks and designs. But just because we now enjoy statutory guidance through the Uniform Trade Secrets Act (“UTSA”), enacted with some variations in every state but New York, and national uniformity in federal courts through the Defend Trade Secrets Act of 2016 (“DTSA”), the law continues to evolve much as it did a century ago—that is, through the opinions of judges deciding individual cases on their facts.
What follows is a selection of those decisions from the past year which, in my estimation, provide guideposts regarding important aspects of trade secret law and practice.
First, however, we should consider the recent efforts of The Sedona Conference Working Group 12 on Trade Secrets, a volunteer think tank of over 200 judges, attorneys and other professionals, who have produced a series of commentaries representing consensus views on various subjects. Because courts routinely cite to the Sedona Commentaries as authoritative, they represent a valuable resource for counsel. You can access the commentaries here. .
This is where every case begins. The information has to be a secret, meaning you can’t find it through public sources like the internet. The legal expression of this simple idea requires that the information not be generally known or “readily ascertainable” – that is, easy to discover – through “proper means.” In Masimo Corp. v. True Wearables, Inc., 2022 U.S. App. LEXIS 1923 at *12 (Jan. 24, 2022) (non-precedential), the Federal Circuit rejected in concept the argument that any publication of the claimed secret necessarily would destroy secrecy, regardless of the circumstances. Elaborating in dictum, the court explained that “the fact that the trade secret has been revealed in some publication somewhere does not necessarily compel a finding that the information cannot maintain its status as a trade secret for a party in an entirely different field from the one to which the publication was addressed.”
A particular species of trade secret consists of a “combination” of various bits of information, each of which might not separately be secret but which taken together form a unique whole. A simple example would be the recipe for a unique dish composed of certain amounts of commonly available foods and spices. However, it may be possible to deconstruct the combination and establish that its parts are so obvious and common that it cannot plausibly be claimed as a secret. This was the result for a bread recipe in Bimbo Bakeries USA, Inc. v. Sycamore, 39 F.4th 1250, 1259-64 (10th Cir. 2022) (analysis of “the individual elements of [plaintiff’s] compilation” showed that no reasonable jury could find it not generally known or readily ascertainable).
Closely related to the concept of secrecy is the requirement that the trade secret owner exercise “reasonable efforts under the circumstances” to protect the information that it claims as a trade secret. In effect, courts will not step in to help if the owner has failed to help itself with security measures that match the business risk. Under the old Restatement (First) of Torts definition of a trade secret, reasonable efforts was only one of six factors for a court to consider in deciding whether information should be treated as a trade secret. But both the UTSA and the DTSA specify it as a required element, along with secrecy and value. Even so, the early tendency of courts was to apply a rather forgiving standard, and seldom to dismiss a case on that basis. That inclination seems to have disappeared, with courts taking a more skeptical view of the measures claimed by plaintiffs as enhancing the security of their confidential information, which often consist of little more than a list of standard techniques used to protect the company’s IT systems. A good example of the more recent judicial attitude is the Second Circuit’s opinion in Turret Labs USA, Inc. v. CargoSprint, LLC, 2022 U.S. App. LEXIS 6070 at *7 (2nd Cir. March 9, 2022) (unpublished), affirming a trial court’s grant of summary judgment at 2021 U.S. Dist. LEXIS 27838 at *16 (E.D.N.Y. February 12, 2021). Turret had developed a software program for use only by freight forwarders operating at airports, but licensed the product to airlines, in this case Lufthansa. CargoSprint was alleged to have obtained access through Lufthansa by falsely presenting itself as a freight forwarder, acquiring secret algorithms and other information it used to create a competing product. Turret alleged that Lufthansa had “protocols” in place to ensure proper access, but it did not recite what provisions of its license required the airline to apply them. It also alleged various network security measures such as servers in locked and monitored cages, with data in transit secured by encryption. But Turret had given full authority to Lufthansa to control access, without requiring it to do so. That basic surrender of control to a third party, the court explained, rendered irrelevant all of the technical measures that had been applied to secure its IT system.
To similar effect, see Altman Stage Lighting, Inc. v. Smith, 2022 U.S. Dist. LEXIS 22699 at *12-13 (S.D.N.Y. Feb. 8, 2022), where the plaintiff alleged in its complaint that it had told its engineers working on the relevant project that they were not to discuss it with anyone else. Noting that the pleading was “silent as to any security measures or confidentiality agreements,” the court dismissed the DTSA claim.
One of the unique aspects of trade secret law, in comparison to other forms of intellectual property, is that the boundaries of the right are not specified in a government-issued grant. As a result, a preliminary – and usually consequential – question in every trade secret case is: what exactly is the trade secret information that’s being claimed? Usually, companies have not made an inventory of their information assets, and even if they have, the specific data involved in any given dispute is unlikely to have been described with precision before litigation begins. As a result, identification of the subject matter – and when and how to do it – has become a frequent early battleground in trade secret litigation.
Of course, the publicly-filed complaint should not have to describe the secret information, because that would destroy the right that the action tries to protect. But merely reciting “vague and broad categories that do not allow [the accused party] to determine what the boundaries of the secrets are” is insufficient to withstand a motion to dismiss. Dong Phuong Bakery, Inc. v. Gemini Soc’y, LLC, 2022 U.S. Dist. LEXIS 54958 at *17-18 (E.D. La. Mar. 28, 2022) (secrets defined as “comprehensive strategies for new and emerging markets, . . . roadmaps to focus sales and marketing efforts . . . and other confidential business information.” That said, individual judges may differ on what is ”vague and broad.” Compare Bureau Veritas Commodities & Trade, Inc. v. Cotecna Insp. SA, 2022 U.S. Dist. LEXIS 57408, at *14-18 (S.D. Tex. Mar. 29, 2022), where a complaint alleging misappropriation of “business plans” and “customer lists” was found sufficient to withstand motions to dismiss and for a more definite statement.
Because those who misappropriate trade secrets would like to keep their actions, well, secret, it’s often difficult to find direct evidence of theft, and plaintiffs must prove their case with circumstantial evidence. However, there is a real (if indeterminate) difference between permissible inference and impermissible speculation, and so it is important to marshal as much convincing circumstantial proof as possible. Sometimes the sheer audacity of a competitor’s recruiting efforts will be enough to justify the claim. That was true in Suzhou Angela Online Game Tech. Co. v. Snail Games USA Inc., 2022 U.S. Dist. LEXIS 20164 at *24 (C.D. Cal. Jan. 31, 2022), where 60 employees hired by defendant in one year came from the plaintiff.
Where the plaintiff’s alleged secret consists of a “combination” of elements which may exist individually in the public domain (see the Bimbo Bakeries reference earlier), the defendant might assume that misappropriation requires implementation of the entire combination as it was created by the plaintiff; but that would be wrong. As with other types of secret information, the question is whether the defendant has “used” it even indirectly, which can be reflected in evidence of an accelerated development program. See Caudill Seed & Warehouse Co. v. Jarrow Formulas, Inc., 2022 U.S. App. LEXIS 31246 at *27-28 (6th Cir. Nov. 10, 2022), where a key researcher left to join a competitor with a collection of thousands of published papers which he had curated for many years as the basis of the plaintiff’s formulation. The defendant relied on differences with its own product, but the court explained that misappropriation of a combination secret does not require that the defendant’s product be identical. Otherwise, “a trade-secret thief could misappropriate a research process, design a competing product in far less time than it would have otherwise taken, and avoid liability because it did not debut the same product as its victim-competitor.”
Finally, where a plaintiff asserts misappropriation by a departing employee, it has to provide proof of real misbehavior, not just fear of “inevitable” misuse. In CAE Integrated, LLC. v. Moov Techs., Inc., 44 F.4th 257, 262-263 (5th Cir. 2022), the employee discarded any customer lists before arriving at his new job. The plaintiff pressed for an injunction, arguing that he still knew all the relevant information. Denying the injunction, the judge cited the relevant provision of the DTSA, 18 U.S.C. § 1836(b)(3)(A)(i)(I)), which prohibits injunctions against an individual unless based on actual behavior that indicates a threat of misappropriation.
Assuming trade secret misappropriation has occurred or is threatened, the question becomes what to do about it. In many cases, the urgency of avoiding continuing damage leads the plaintiff to request a preliminary injunction. But because that remedy is “extraordinary,” the requirements can be difficult to meet. Chief among these is specificity. As noted above, trade secret cases present a particular challenge as compared to other forms of intellectual property like patents, where the boundaries of the right are to a great extent defined by the terms of a government grant. When it comes to fashioning a pretrial remedy for which a violation is punishable by contempt, it’s understandable that the courts will insist on clarity and precision of the order.
Nevertheless, the Court of Appeals of Texas in Dey v. Seilevel Partners, LP, 2022 Tex.App. LEXIS 1911 at *17-19 (7th Dist. March 23, 2022) approved a preliminary injunction that broadly prohibited use of the plaintiff’s “confidential or proprietary information,” because the language was taken “almost verbatim from the language in the temporary restraining order to which Dey agreed.” Defense counsel should take note that early efforts to appease the plaintiff by stipulating to a TRO may come back to bite in this way. It may be wise to include in any agreed temporary orders a suitable proviso preserving objections to the terms of any subsequent order.
As for damages, a couple of cases this year serve to remind us that causation is an inherent element of any damage analysis, and that while judges may allow circumstantial proof of misappropriation that skirts the edge of speculation, and while the amount of damage may be established in the face of uncertainty, the same flexibility may not be available when it comes to plaintiff’s proof that it has in fact been harmed. For example, in Geometwatch Corp. v. Behunin, 38 F.4th 1183, 1205 (10th Cir. 2022), the court affirmed summary judgment on a claim that the defendant’s misappropriation led to a collapse of a planned venture to commercialize a satellite-based weather sensor system. It emphasized the plaintiff’s failure to present actual evidence, as opposed to speculation, that the venture was abandoned due to the alleged misappropriation.
One damage theory that almost always deserves early attention is the royalty measure, in which the defendant’s unjust enrichment is established by what it would have been willing to pay, in a hypothetical negotiation, for honest access to the secret information. In Airfacts, Inc. v. Amezaga, 30 F.4th 359, 367-368 (4th Cir. 2022), the court of appeals reversed a ruling by the trial court that plaintiff could not recover royalty damages because there was no proof that the defendant had ultimately “used” the trade secrets in commerce. Emphasizing the UTSA’s authorization of royalty damages “[i]n lieu of damages measured by any other methods . . . for a misappropriator’s unauthorized disclosure or use of a trade secret,” the court concluded that it was not possible to “condition such awards on a defendant putting a trade secret to commercial use.”
For a similar perspective, we should consider PPG Indus. v. Jiangsu Tie Mao Glass Co., 47 F.4th 156, 162 (3d Cir. 2022), where the defendant had engaged in an obviously deliberate theft, but argued that it didn’t benefit from it because it never actually manufactured a relevant product. Nevertheless, the court explained, the secrets had been “used” to avoid extensive research and development, enabling immediate preparations for manufacture; therefore it was appropriate to use evidence of the plaintiff’s cost to develop the information as a proxy for the benefit that the defendant derived from the misappropriation, even if it was unable to carry out its plan.
Last year saw a highly impactful decision on the CFAA from the U.S. Supreme Court in Van Buren v. United States, 141 S.Ct. 1648 (2021), settling a conflict among the circuits and holding that an “authorized” user of a computer system does not violate the statute when he uses that authorized access for an improper purpose. This year the Ninth Circuit has provided another level of assurance about the CFAA, dealing with the scraping of data from a publicly accessible website. In hiQ Labs, Inc. v. LinkedIn Corp., 2022 U.S. App. LEXIS 10349 at *30-36 (9th Cir. Apr. 18, 2022), the court considered whether LinkedIn, whose business model requires open access to its website, could nevertheless effectively block hiQ from scraping data by serving it with a letter stating that it was not authorized to do so. Affirming an injunction based on a claim of tortious interference, the court explained that the CFAA could not apply to preempt hiQ’s claim, because when the “default is free access without authorization, in ordinary parlance one would characterize selective denial of access as a ban, not as a lack of ‘authorization.’” Id. at *32.
“There must be 50 ways to leave your lover."
— Paul Simon
It was February 2017 when Waymo, Google’s self-driving car unit, sued Uber in what would become the biggest trade secret case of the century. Waymo alleged that its former manager, Anthony Levandowski, had organized a competing company while still at Waymo, and before leaving had downloaded 14,000 confidential documents. As it turned out, Uber had known about this when it agreed to pay $680 million for Levandowski’s brand new startup; and we’ve already looked at how the hubris of that hasty transaction provides lessons for hiring in new markets driven by emerging technology.
But what about Waymo, the left-behind company? Is there anything to be learned from how it handled the matter? To be sure, it scored points for putting on a convincing case in court. After just a few days of trial, to the disappointment of hundreds of journalists, the dispute was settled, with Uber paying $245 million in stock. Levandowski was forced into bankruptcy and found criminally liable, saved from a jail term only by President Trump’s pardon. It certainly seemed as though Waymo had “won.” But would it have been even more successful if it had avoided the dispute entirely?
Waymo’s complaint, which you can find here, implies that it was in the dark about what Levandowski was up to when he left, despite the fact that while still employed he had downloaded all those documents describing its proprietary sensor technology. Over a month later (in late January 2016), after having established his deal with Uber, Levandowski resigned. In May, his new company, Otto Trucking, emerged from “stealth mode” and by August had been acquired by Uber. In the meantime, several other Waymo employees had left to join him, and on their way out of Waymo had also downloaded a few proprietary documents.
It wasn’t until December, almost a year after Levandowski’s massive collection, that Waymo claimed to have evidence that Otto/Uber was using its secret technology. This came in the form of an email from an Otto vendor attaching a circuit diagram, sent by mistake to Waymo instead of Otto. This drawing, according to the complaint, bore a “striking resemblance” to Waymo’s proprietary technology. It was the “smoking gun” that Waymo was waiting for to file the case.
But let’s pause for a moment and consider that if Waymo had known more of the facts at an earlier time, it might have been able to intervene to prevent Uber’s acquisition of Otto, or at least to limit the damage from whatever information Levandowski may have passed on to the Uber design team. What if, at the time he resigned his position, Waymo knew that he had taken the 14,000 files and was planning to start a self-driving truck company? It doesn’t take much imagination to conclude that the whole unfortunate drama could have been prevented.
Why didn’t Waymo realize that its trade secrets had been compromised immediately after the download? At the very least, considering Levandowski’s extensive access and knowledge, you would have expected the company to insist on questioning him before he left. That process, which is widespread among companies of all types and sizes, is referred to as an “exit interview,” and as we will see it can be a critical step for any business that is losing high-level talent.
But here’s the problem. Exit interviews traditionally are designed and executed by the Human Resources function. And HR professionals see them in a very limited way. Just take a look at any of the literature and you will see that the purpose of the exit process is to find out what made the employee decide to leave. Even if they are being let go, feedback from the interview might improve the company’s people management through insights from those who, because they are on their way out, will be brutally honest about perceived problems.
According to an article in the Harvard Business Review, the objectives of an exit interview are directed inward at the company being left, for example “gaining insight into managers’ leadership styles” and “soliciting ideas for improving the organization.” A leading HR association promotes exit interviews as “giving the company a unique perspective on its performance and employee satisfaction.” And there’s even a Wikipedia article on the subject, suggesting that they can be helpful to “reduce turnover . . . and increase productivity and engagement.” No one ever talks about the interview as a tool to reduce loss and maintain control over information assets.
In reality, the exit interview process forms a vital part of any trade secret management program. It represents the company’s last clear chance to both assess the risk represented by the employee’s leaving and to clarify expectations about how they should behave to protect the sensitive information they’ve been exposed to. Indeed, it is only by directly confronting the departing employee about their plans that the company can reach any useful conclusion about the risks and make informed decisions about reducing them. So don’t limit it to ticking off some boxes on a form, but insist on a thorough discussion. There’s a reason it’s called an “interview.”
Collecting relevant information doesn’t necessarily depend on getting straight, fulsome responses. Sometimes body language speaks loudly, and a direct “I don’t have to tell you that” can lead to an elevated concern and trigger a more intensive inquiry. If a high-level engineering manager claims that he’s leaving to start an ice cream shop with his cousin, you may be excused for thinking that something is not quite right and digging deeper. One way to do that is a forensic examination of the employee’s computer and recent history of system usage, including – ahem – unusual or excessive downloading of files.
A security-focused exit interview will certainly inquire about the sources of any discontent, but not merely to gather suggestions for improving the workplace. Instead, reasons for leaving can provide clues about what the employee intends to do. For example, if they were disappointed that the company didn’t immediately embrace their idea for a new product or process, they may think that they are free to use it themselves. That kind of misperception needs to be corrected, and this may be your final opportunity to do it.
Indeed, another critical part of the process is confirming and reinforcing the employee’s obligations to return all company devices and information. Usually, this discussion revolves around some sort of written termination statement by the employee acknowledging those obligations and confirming that all security policies have been complied with. They should specifically assure that they do not possess any company information, including in personal email accounts or in private cloud storage platforms like Dropbox. Any refusal to sign such a document should lead to escalation to relevant managers.
Having received both verbal and written assurances that the employee will leave behind all company devices and data, the interviewer should explore the risk represented by what the employee will be carrying in their head when they leave. That assessment requires a robust discussion of the new employment and how doing that job might pose a threat of even inadvertent disclosure or misuse of secret information. Frequently, this kind of concern can be addressed with the direct question: “Please help me understand how you will be able to do what you’ve described at the new job while respecting the confidentiality of the information you’ve been exposed to in this one.”
A final area of emphasis is not about gathering information but instead delivering a message about the integrity of your property. As we’ve already noted, this is the last practical chance to put a point on the employee’s continuing obligations after departure. If the company has provided a robust training program that emphasizes the role of the workforce in protecting trade secrets, this will be a straightforward reminder. Conversely, if the company has not invested in regular communication around these issues, then you will have to step up the intensity of messaging at the time of departure, perhaps extending to formal letters to the employee and their new employer.
The best time to deal with risks is before they have matured into reality. It’s not very efficient to discover and mitigate a harmful misappropriation later, when it could have been prevented at the outset.
“I think it is right to refresh your memory…”
— Henry David Thoreau
I was recently reminded of a contest that we often played in Scouts, called Kim’s Game. Derived from a story in Rudyard Kipling’s 1903 novel Kim, it gave you a few minutes to stare at a tray full of diverse objects you might find in a junk drawer – things like a key, pocketknife, nickel, compass, button, crystal. At the end of the allotted time, you were challenged to write down as many as you could remember.
My recollection was triggered by a court order. Silicon Valley startups Wisk Aero and Archer Aviation have been slugging it out in trade secret litigation over “flying taxis” that are designed to take off and land like helicopters but fly with wings and propellers. The basic technology has been around for quite a while but making it practical as a battery-powered (and ultimately autonomous) taxi service demands a lot of creative engineering. Wisk, a joint venture between Boeing and a company owned by Google founder Larry Page, has been developing its models for more than a decade. Aero, which has a relationship with United Airlines, is a more recent entrant, and ramped up its workforce by hiring away 17 of Wisk’s engineers, including its vice president of engineering. For more salacious details, see this piece in Fast Company.
Like all lawsuits that require an exchange of confidential information, this one included a “protective order” that allows each side to designate documents and testimony as available only to the other side’s lawyers, with strict limitations on what can be done with it. But those restrictions actually lubricate the exchange, because the disclosing company knows that its information is only being seen by the lawyers. That is, until those lawyers perceive a specific need to share some of it with their clients. In the Wisk lawsuit, Archer’s lawyers petitioned the judge to allow each of the departed engineers to see the highly confidential trade secret description produced by Wisk, claiming that they needed their clients’ advice on how to defend the claim. Wisk adamantly opposed, arguing that the disclosure would serve to refresh the engineers’ memory about information they had (or should have) left behind two years ago, causing additional harm to Wisk.
The judge thought this argument had merit, but in the end modified the protective order to allow the requested access – up to a point. The engineers could only see the secrets that they had worked with at Wisk, and could not take notes; their lawyer had to chaperone the viewing; and their time was “restricted to no more than 15 minutes total per trade secret” (that’s what triggered my recollection of Kim’s Game). To reinforce the seriousness of the exercise, the judge ordered each individual to agree to the protective order, and to provide a sworn affidavit describing what they had looked at and for how long. (the order is available here). You might imagine that Aero viewed the 15 minutes as arbitrary and insufficient, while Wisk saw it as an invitation to steal all over again.
My purpose is not to get into the pros and cons of this particular order, but to shine a light on how judges in general, but especially in trade secret litigation, are called on to make judgments that allocate risk among competing legitimate interests. In this example, the main issue was the risk to the very same confidential information that Wisk filed the lawsuit to protect. Certainly, that’s a compelling interest, and it’s backed up in the relevant statute, the Uniform Trade Secrets Act, which directs that “a court shall preserve the secrecy of an alleged trade secret by reasonable means.” But pushing back against it is the defendant’s interest in defending itself by having access to information that might prove, for example, that the claimed secrets really don’t qualify for protection. The judge in this case acknowledged both perspectives and tried to find a creative way to manage the risk to each side.
Trade secret disputes are packed full of these competing interests. At the outset, the parties often engage in a tug of war about the subject matter of the lawsuit. This isn’t a problem with patents, copyrights or trademarks, where the dimensions of the right are laid out in a government certificate. But trade secret law in effect extends to protect any confidential information that helps a business define its competitive edge. And unlike most other commercial cases, the trade secret plaintiff has only a vague idea of what the defendant might have done to imperil the integrity of that information. Trying to discern exactly what portion of a vast collection of data might have been compromised is often difficult and sometimes impossible without discovery into what the defendant has done. But defendants reasonably argue that their own secrets shouldn’t be put at risk through the discovery process before the plaintiff has defined its claims, lest those claims be fashioned to match what is found in the defendant’s files.
As a result, judges in many trade secret cases are faced with trying to resolve whether the plaintiff should be required immediately to define its trade secrets with particularity, and then decide whether its attempt is sufficient. These decisions can require sophisticated understanding of the relevant technology, which judges typically don’t have at their fingertips. And it’s not just the parties that have a stake in the outcome; the court itself needs to understand the subject matter in order to make sensible rulings as the case goes on. Fortunately, judges have developed a general approach to this conundrum, in which they credit the views of a plausible expert offered by the parties and leave the boundaries of the secrets to be clarified through the discovery process.
A second area that requires careful balancing relates to employee mobility, in the sense that an employer’s interest in protecting against the risk of disclosure or misuse by a departing employee must be balanced against the basic right to seek new employment. In states like California, which have a strong public policy against noncompete agreements, courts naturally tend to be solicitous of the leaving employee; but in most other states, where noncompetes are accepted, they still are assessed for their reasonableness. Many judges want to see the hardship imposed on an employee reduced by payments from the former employer or narrowing of restrictions.
Closely related to this general tension around the free mobility of labor is the critical difference between information that qualifies as a trade secret and that which represents the individual’s skillset. A just-graduated software engineer in her first job learns how to write code efficiently, with fewer steps. When she leaves, she is entitled to take that learning with her, but has to leave behind the specific algorithms created for the employer. But where do you draw the line when, in her next job, she creates code that looks similar to what she had done before? Separating general industry knowledge and skill from genuine trade secrets is difficult—all the more so because the employee and employer each have reasonable concerns to address.
A fourth area demanding judicial judgment lies in deciding whether to issue an injunction early in the case, before there’s been a trial to resolve the contested facts. Typically, the plaintiff will claim some form of “irreparable harm” unless the court stops the defendant from finalizing some transaction or marketing some product, ostensibly to “maintain the status quo” pending the trial. But for a defendant, such an order could seriously harm its business, before it has had a chance to fully present its defense at trial. And in some cases – for example, the release of a new medical device or therapy – the public also has an interest in the outcome.
Finally, there is the trial itself, where the ultimate questions of secrecy and misappropriation get determined. But in this country, we have a tradition of public access to the court system, including civil cases. Where the dispute is about trade secrets, judges have to rule on whether documents should be sealed from view or even whether the public should be barred from portions of the trial. Today’s courtroom technology, where what is shown on the monitors can be limited to the judge and jury, makes this a bit easier; but with hotly contested or high-visibility cases, the court has to exercise extreme care to balance the need for secrecy with the imperative of an open court.
All of this is extremely complex, and there are no bright lines or clear, objective markers to guide judges through the resolution of these colliding interests. Instead, they must do the best that they can, using common sense and the inclination towards justice that drew them to the bench to begin with. In my experience, judges try very hard to avoid doing harm to any litigant. The best of them ignore the noise of excessive advocacy and emotionally charged rhetoric (all too common in trade secret disputes), and they try to sort out the real risks from the imagined ones. What we get from that are decisions which reflect sensitivity to these positions in tension, dealt with in a framework of ethical standards which represent the bedrock of trade secret law.
If while reading you’ve been thinking that this is really hard to do, you’re right. It’s not like the umpire who declares whether the ball is in the strike zone; it’s more like the quarterback faced with a rush, who has to quickly assess the available options and act. Indeed, judges, often with hundreds of contested matters on their docket, are squeezed for time while the lawyers are getting paid for it. Sometimes they have less than 15 minutes available to make a decision. In spite of that, they usually get it right. We should all be grateful.
“What’s in a name?”
— William Shakespeare
One of the most frustrating questions I get from clients asks “what is the difference between ‘confidential’ and ‘proprietary’ information?” Or, “how do I help employees distinguish between either of those terms and real ‘trade secrets?’” Then there are people, including some judges, who trivialize the importance of some useful business information by saying it doesn’t “rise to the level of a trade secret.” That last one makes no sense these days, as we’ll see shortly. But first let’s identify the source of this nomenclature problem: it’s an outfit you’ve probably never heard of called the American Law Institute.
The ALI is a volunteer organization of law professors who read, discuss and then “restate” the law in a form that courts can usefully refer to and consider authoritative. As with standards in other areas affecting the public (the internet protocol, railroad tracks, fire hydrant connections, food additives), it makes sense to try to harmonize the law so that we’re all reading from the same sheet of paper. But if it’s going to be a national standard, you’ve got to get it right. When it came to trade secret law, the ALI failed us terribly. To understand this story, we’re going to have to put on our history hats.
The year was 1939, and with everything else that was going on in the world at the time (Germany invading Poland, Russia invading Finland, and the release of both Gone with the Wind and The Wizard of Oz), maybe the professors were distracted. And in their defense, it should be pointed out that trade secrets were just one small part of the “Torts” (that is, wrongs done by one person to another) section of their work, which included eight other equally weighty sections like Contracts, Judgments and Trusts. So, they were very busy.
Nevertheless, they should have been aware that over 100 years before, trade secret law had been introduced into the United States, adopted from the English common law that imposed judicial oversight on commercial behavior. This first case, Vickery v. Welch in 1837, involved the sale of a chocolate factory, and the Massachusetts Supreme Court held that the seller’s promise to keep confidential the secret recipe was enforceable, even though it could be called a “restraint of trade.” Vickery v. Welch, 36 Mass. 523 (1837).
In 1868, the same court addressed the need to share secrets with factory workers. Peabody v. Norfolk dealt with an employee who left with secrets for manufacturing gunny cloth. Peabody v. Norfolk, 98 Mass. 452 (1868). Approving an injunction, the opinion set out many of the principles that would guide development of the law for decades to come: trade secrets are a form of property, just like patents and trademarks; but they depend on the trust of those who are given access to the secret information. So long as that trust is enforced, the secret may last forever – or until someone else independently discovers it. These notions about manufacturing secrets were extended to customer information in the 1913 case of Empire Steam Laundry v. Lozier, where the California Supreme Court held that a wagon driver’s knowledge of the location and preferences of his employer’s customers was a protectable trade secret. Empire Steam Laundry v. Lozier, 195 Cal. 95, 130 P. 1180 (1913).
Up to this point, no one questioned whether the theory of the law was more about the information as property, or more about the confidential relationship, or whether that even mattered. In fact, it seemed as though both ideas fit neatly together, since the property could be protected by enforcing the confidence.
But by the 1930s, a sense of disquiet had arisen within the legal academy, as some professors, used to the idea that all “property” had to be exclusive in order to deserve the name, focused on the fact that trade secrets were non-exclusive; in fact, more than one company in an industry could possess and protect the same secret formula. This couldn’t be justified, they thought, and the law had to be quietly “adjusted” in the direction of limiting the scope of the trade secret interest.
They found justification in DuPont v. Masland, a three-paragraph 1917 opinion of the U.S. Supreme Court, authored by Justice Holmes. DuPont v Masland, 244 U.S. 100 (1917). The decision approved of a trial court’s order that claimed secrets could be revealed to the defendant’s lawyer but not to a third-party expert. In explaining his reasoning, Holmes said, “The property may be denied, but the confidence cannot be.” Yanked from its narrow factual context, this dictum became the central reference point for those who sought to re-cast trade secret law more narrowly than the courts had been applying it.
The Restatement of Torts was issued by ALI in 1939, and it declared that “trade secrets” were strictly limited to “a process or device for continuous use in the operation of the business,” judged according to a non-exhaustive list of six abstract factors. Explicitly excluded was “information as to single or ephemeral events in the conduct of the business” such as secret bids, unannounced policies or products, financial information, “plans for expansion or retrenchment,” and presumably the entire record of a company’s experimental research leading to a protectable process or product. That kind of information, even if “confidential,” was protected only against deliberate espionage. Even information coming within the cramped definition of a trade secret would be unprotected against “innocent” possession by a third party who had changed its position before learning that the information was tainted.
Without apparent consideration of the contrary view expressed long before in Peabody v. Norfolk, the drafters of the Restatement flatly rejected the property rationale of trade secret law and deliberately distanced it from other forms of intellectual property by declaring that “protection is not based on a policy of rewarding or otherwise encouraging the development of secret processes or devices. The protection is merely against breach of faith and reprehensible means of learning another’s secret.”
The most consequential of these pronouncements was the shunting off into a separate category all “confidential” information that was not “in continuous use” in the business. This orphaned class, as we can appreciate from the perspective of the 21st century information age, contains some of a company’s most valuable data assets, including all of the records of experimentation leading to the launch of a successful product. The authors of the Restatement simply waved it away by observing that they weren’t dealing with it, unless there had been deliberate espionage. This maltreatment of “merely confidential” information naturally and understandably led courts to find other theories to justify its protection. This is how we came to use the law of “misappropriation” or “unfair competition” to try to protect information that doesn’t “rise to the level” of a trade secret.
If only everyone had waited until 1974. That happened to be my first full year of practice as a lawyer, and it was when the U.S. Supreme Court decided Kewanee v. Bicron, confirming that the state “common law” on trade secrets was consistent with, and not preempted by, federal patent law. Kewanee v. Bicron, 416 U.S. 470 (1974). The idea that it should be preempted had been promoted by a group of commentators – suspiciously thick with law professors – who saw supporting secrecy as antithetical to the patent law’s goal of public disclosure of innovations. No, said the Supreme Court, trade secret law in fact enhances innovation by ensuring continued control over secret processes, and it avoids hoarding and enables dissemination through licensing; in any event, it’s been around a long time (remember that chocolate recipe?), and Congress has not raised an objection. It is in fact a form of intellectual property.
Kewanee v. Bicron ushered in the modern era of trade secret law. We got the Uniform Trade Secrets Act beginning in 1979, the Economic Espionage Act in 1996, and the Defend Trade Secrets Act in 2016. All of these frameworks – along with the new (third) Restatement from ALI in 1995 – embraced an extremely broad definition of what could be a trade secret. Virtually any information that gives business some sort of advantage can qualify, as long as it’s not generally known and the business uses “reasonable efforts” to keep it secret. It applies to what the original Restatement authors disparaged as “ephemeral” information like bids or an unannounced product (making possible all those dramatic unveilings by Steve Jobs), as well as the “negative” secrets accumulated during a long and expensive process of experimental research and development.
So, as a practical matter, the phrase “not rising to the level of a trade secret” should have as much meaning as “it’s your nickel” (sorry, millennials, that’s from the time of coin-operated phones and it means “I’m ready to listen to you”). And realizing that “trade secret” now encompasses this vast sea of important business information that used to be treated separately, we can stop making the distinction, right?
Unfortunately, habits die hard, and there’s a lot of inertia built into the old nomenclature. Many companies insist on “confidential” as a separate category of data, distinct from secrets. And in fairness, businesses handle some personal information about individuals that has to be protected even though it doesn’t belong to the company. But for most organizations, there is a real benefit to treating “secret,” “proprietary,” “company private,” “confidential,” and other similar terms as just synonyms describing information for which the business wants to control access.
That doesn’t mean that you shouldn’t use “confidential information” as a broadly defined term in your contracts. It also doesn’t eliminate classification systems that distinguish among various kinds of information according to their sensitivity by using some of these terms like “private” or “restricted” or “top secret” to signal different levels of required care. But try to avoid suggesting to the workforce that there is a meaningful difference between the company’s “confidential information” and its “trade secrets,” because that might be interpreted to say that the former is not entitled to the same legal status as the latter.
Shakespeare’s question, posed by Juliet, was meant to be rhetorical – whatever name you pick (e.g., Capulet, Montague) doesn’t affect the essential quality of a person. You can’t say the same for valuable business data, because we have a lot of people dealing with it, and we don’t want them to be confused or to misunderstand. Modern trade secret law gives business very wide discretion about how to maintain control over its information assets. We should be careful not to surrender any of that discretion through misuse of terminology.
“Risk comes from not knowing what you’re doing.”
— Warren Buffett
At this moment, there is a fellow riding a bus in London who will determine the fate of your secrets. To be more precise, he’s on the Clapham bus; but he has no name. In fact, he’s a fictional character originally imagined by 19th Century journalist Walter Bagehot, who thought that “public opinion” was best described as the “opinion of the bald-headed man at the back of the omnibus.” The idea was picked up by the English courts as a metaphor for the “reasonable person” standard that is applied in all sorts of cases, from criminal to personal injury to contract interpretation. It also has special application to trade secrets, which we’ll get to in a minute.
First, a bit more about the hypothetical “reasonable person.” As the UK Supreme Court explained in a 2014 decision, the “Clapham omnibus has many passengers. The most venerable is the reasonable man, who was born in the reign of Victoria but remains in vigorous health.” Others include the reasonable parent, the reasonable landlord and the “fair-minded and informed observer, all of whom have had season tickets for many years.” The point is for the judge or jury to put themselves in the mind of this fictive but “reasonable” person, for guidance on what the actual person in the case should have done.
If this strikes you as a vague and maybe unpredictable cop-out by judges who can’t come up with a more precise standard for acceptable behavior, you wouldn’t be alone. But at least it’s objective, in the sense that what’s reasonable is what that anonymous guy on the bus would think about the behavior of someone in similar circumstances. It’s not about what the person being judged thinks is sensible or right. In effect, being dim is no defense.
What does this have to do with trade secrets? Under modern law, as established by the states under the Uniform Trade Secrets Act (UTSA) or the federal Defend Trade Secrets Act (DTSA), a business that wants to protect the integrity of its confidential information has to provide evidence of “reasonable measures” to prevent the loss. This means that before you can get help from the courts you must have helped yourself by taking actions “reasonable under the circumstances” to maintain secrecy of your data. In other words, your preventive efforts will be judged under the “reasonable person” standard.
It wasn’t always like this. Back in the days when the rules came from the common law (individual decisions of judges), trade secrets were treated as a part of tort law, and the emphasis was on the confidential relationship between the business and those it had to share secrets with. Courts focused more on the defendant’s bad behavior in taking or misusing the secret than they did on whether the information deserved to be protected at all. This perspective found expression in the 1939 Restatement of Torts, which defined trade secrets in reference to a set of six factors to be weighed as the judge saw fit. One of those was “the extent of measures taken by [the trade secret owner] to guard the secrecy of the information.” That left a lot of room for judges to just do what felt right. Defendants who had been caught behaving badly had little luck in arguing that the plaintiff should have done a better job protecting its secrets from misappropriation. One judge compared the argument to the car thief that complains about the driver leaving his keys in the car.
Things began to shift in the 1980s. Trade secrets were viewed more like property rights, with owners being expected to draw boundaries and provide warnings. As more states adopted the UTSA, with its specific requirement (no longer just a factor) that the trade secret owner prove that it had exercised “reasonable efforts,” judges started to express more skepticism about those efforts, and that trend picked up with the adoption in 2016 of the DTSA, which allows most trade secret cases to be brought in federal court. Thirty years ago, trade secret claims were only rarely dismissed before trial based on a failure of reasonable efforts. Now, according to a recent study by the law firm Winston & Strawn, it happens in 11% of trade secret disputes. The “reasonable person” standard is now the “reasonable business” standard, and it really matters.
A recent case decided by the Second Circuit Court of Appeals, Turret Labs USA, Inc. v. CargoSprint, LLC, illustrates how things have changed. Turret had developed a software program for use only by freight forwarders operating at airports, but licensed the product to airlines, in this case Lufthansa. CargoSprint was alleged to have gotten access through Lufthansa by falsely presenting itself as a freight forwarder, acquiring secret algorithms and other information it used to create a competing product. Turret alleged that Lufthansa had “protocols” in place to ensure proper access, but it did not recite what provisions of its license required the airline to apply them. It also alleged various network security measures such as servers in locked and monitored cages, with data in transit secured by encryption. The appellate court affirmed the trial judge’s order dismissing the complaint for failure to describe reasonable efforts. Based on the allegations in its complaint, Turret had given full authority to Lufthansa to control access, but apparently without requiring it to do so. That basic surrender of control to a third party rendered irrelevant all of the technical measures that had been applied to secure the IT system.
Turret, and cases like it, teach us four important lessons. First, businesses have to pay close attention to trade secret management. That’s mainly about preventing loss or contamination of those assets, which these days represent the lion’s share of a company’s sustainable value. But it’s also about being ready in case you have to go to court to protect your rights. These cases often come at you very fast, after you’ve discovered that a departing employee or unreliable business partner threatens to abuse a trust. When that happens, you need to be prepared to explain not only what your trade secrets are, but also all the steps you have taken to demonstrate to the court that you have acted prudently to maintain control over these valuable assets. That means designing your relationships and transactions with a keen eye to this dimension of risk.
Second, the trade secret statutes require you to prove both that your secrets have competitive value and that you have exercised reasonable efforts to protect them. Don’t conflate those two related but distinct issues. Your secret process or other confidential information may appear to give you a significant advantage over the competition; but you also have to signal that special value to those who have access to it. Robust training for employees and careful contracting with third parties will be part of the story you may have to tell about how you made sure that everyone understood what your secrets were and how they were supposed to protect them.
Third, in designing your protection program, don’t fall into what I call the “checklist trap.” You can find lots of lists of protective measures culled from judicial decisions about what judges found to be sufficient in a particular case. More often than not, those decisions will be on motions to dismiss or summary judgment, where the court is making a narrow ruling, preserving for the jury the ultimate decision on what is or isn’t “reasonable.” What some other company has done may be interesting, but it’s not particularly relevant, unless they are protecting the same kind of information that faces identical risks. The question is what’s reasonable to maintain the secrecy of your unique secrets, in the light of the unique (and usually dynamic) risk environment they live in. Remember that Turret had apparently constructed a fairly secure framework against external attacks, but none of that mattered because it transferred access control to its licensee without limitations.
Fourth, approach the issue the same way that you would any other major area of business risk, by performing a classical risk analysis. Consider carefully the value of the information you want to protect as well as the security risks that it faces on a day-to-day basis in the business – with particular emphasis on the “internal threat” of uninformed or careless employees as well as the full range of third-party access through supply chains and collaborations. Examine what you can do to efficiently mitigate those risks, which will normally come down to careful relationship management, through contracts, communications and education. (For a thorough discussion of trade secret management, see the draft Sedona Conference Commentary on “Governance and Management of Trade Secrets”).
Your primary objective always is to maintain control over your data assets so that they don’t migrate or get infected. But if you ever have to go to court to protect them, resolution of the “reasonable efforts” issue will be driven mainly by whether or not your secrecy efforts taken before the litigation appear to be consistent with the high value you assert in the courtroom. Sitting in judgment on that question will be that bald-headed fellow on the Clapham omnibus.
“All warfare is based on deception. There is no place where espionage is not used.”
— Sun Tzu
What does the invasion of Ukraine have to do with COVID-19? Would you believe intellectual property is the link? Stay with me on this; it’s an interesting story.
Recently, it was confirmed that the Main Intelligence Department of the Ministry of Defense of Ukraine – apparently with some help from volunteer hackers – managed to breach the network of Russia’s most guarded nuclear power facility and make off with extremely valuable trade secrets. The Beloyarsk Nuclear Power Plant contains the world’s only two operational “fast breeder” reactors. More than 20 countries, including the U.S., Japan and France, have been working for decades on this technology, which is supposed to be able to extract close to 100% of the energy from uranium, compared to about 1% for light water reactors.
In other words, this is a process that can produce large amounts of energy while completely consuming the fuel and creating virtually no nuclear waste. Whoever is able to commercialize it will make a fortune. So far, no one has come close to the Russians.
As you might expect, the Beloyarsk facility is closely guarded. But because it has to communicate with various suppliers, its network has electronic doors that can be unlocked. Ironically, at about the same time that the Russian army was in Ukraine overtaking the Chernobyl nuclear plant, Ukrainian hackers were worming their way into Beloyarsk’s business network, which in turn gave them access to control systems, parts lists, floor plans and other critical data. To the delight of power companies around the world, Ukraine has supplied this trove to a journalist who is publishing the documents on his website.
You can almost hear the public cheering for underdog Ukraine. Some commentators have suggested this hack represents the first “weaponization” of intellectual property to damage a nation. I’m not sure I’d go that far. In any event, the broader issue of “technology transfer” across borders has a long and interesting history, a brief review of which will bring us to the current pandemic.
State-sponsored commercial espionage started at least as early as the sixth century, when a pair of monks returning to Constantinople from a mission to China brought inside their bamboo staffs a colony of silkworms and in their heads the knowledge of how to breed them and weave their output. This broke China’s de facto monopoly on what had become the world’s most valuable commodity, more precious by weight than gold. Constantinople (now Istanbul) also nurtured a community of glass blowers, and when the city was sacked in the early thirteenth century, Venice welcomed them, and soon thereafter made it a crime for them to leave.
Besides beautiful glass, Venice created the first patent system, and it was emulated throughout Europe. But these patents were granted on the basis of “local novelty,” meaning that the applicant did not have to be the actual inventor, but just the first person to bring the innovation to the country. These so-called “patents of importation” were a sensible way for countries to move up the IP value chain quickly, because there were no journals or other mechanisms for rapid dissemination of new ideas, and national economies were largely independent of one another. So, what seems to us today like theft was viewed with more equanimity as a victimless act.
It wouldn’t be until 1883 that the first international treaty on intellectual property, the Paris Convention, established cross-border recognition of patent rights. In the meantime, what with the Enlightenment and empire building and all, Europe was rapidly becoming more economically interdependent and competitive. While patents of importation remained a more or less above-board way to force tech transfer between countries, there developed alongside them a system of outright economic espionage.
Government spying for commercial secrets reached its zenith in the eighteenth century, when Britain had become the acknowledged world leader in precision manufacturing. Many European rivals, particularly France, saw espionage as the way to catch up. They did this in part through “tourists” and academics gathering technical information, but they were primarily interested in the “know-how” of skilled workers, and so most of their efforts consisted of recruiting foreign artisans. As French civil engineer Trudaine de Montigny put it in 1752, “the arts [that is, technologies] never pass by writing from one country to another; eye and practice can alone train men in these activities.”
In this way, the French (and other countries) were able to disrupt Britain’s exclusive control over innovation in steel production, metalwork in general, including copper sheathing of ships, and especially textile manufacturing.
It is in this latter area that the U.S. is unfairly (in my view) characterized as having built its industrial revolution through theft of IP from Britain, after Samuel Slater violated its law against emigration of skilled textile workers by leaving for New England in 1789. You can read my take on his story here. Regardless of how you interpret that murky record, there is no denying the facts about how this country organized its own patent system.
In 1790, just months after Slater arrived, Congress passed the first Patent Act, based on the authority provided by the “IP clause” of the Constitution. Alexander Hamilton strongly favored patents of importation, the traditional way to generate rapid economic growth, especially in a country that was short on labor and needed to maximize efficiency through innovation. Thomas Jefferson – who originally described any form of exclusive patent grant as an “embarrassment” to a free society – favored instead a system that would recognize the true inventor based on global, not local, novelty. Jefferson’s view prevailed. In this way, the U.S. looked to the market, rather than government muscle or spying, as the way to achieve technological progress.
The situation today might be seen as both simpler and more complicated. We have made things simpler with some powerful international agreements that have reinforced global respect for IP rights based on national law. Besides the Paris Convention, we have the Patent Cooperation Treaty of 1970, which now guarantees recognition of patent filing priority in 155 countries. And since 1995, with the establishment of the World Trade Organization, we have enjoyed the benefit of the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), which sets minimum standards for recognition of all IP rights, including trade secrets.
In parallel with these developing international norms for the protection of IP, we have seen disturbing evidence of state-sponsored trade secret theft. Practiced mainly by countries with highly controlled economies, these efforts bring to bear the power and resources of a foreign government to target commercial enterprises around the world. The U.S. government has long issued warnings about state-sponsored industrial espionage by China, and recently, alarming messages have gone out about cyberattacks coming from Russia. Although those attacks are assumed to be directed mainly at disrupting critical infrastructure like banking and energy, once the enemy is “inside the system” they can easily gather commercial technology as well.
This now brings us to COVID-19 and efforts to ensure vaccine availability to the entire world. Here, the primary state actors are India and South Africa. At one very important level, they have spoken for the community of developing and least developed countries, properly pointing out the shameful disparity in distribution of vaccines between rich and poor nations. But as I have pointed out before (see here and here), their proposal that TRIPS protections be waived for any vaccine technology would be ineffective for the current pandemic and disastrous for the next one. And behind the proposal is a not-so-hidden agenda directed at the future enhancement of their own generic pharmaceutical industries.
The proposed TRIPS waiver is not really about patents, because the agreement allows countries to force a compulsory license during emergencies. Instead, it’s about old-fashioned tech transfer, as when the French wanted British manufacturing secrets and tried to hire skilled workers to emigrate. It’s the “know-how” that matters.
It may seem counterintuitive, but modern transfer of valuable technology from one country to another is enabled by strong trade secret laws that enforce voluntary agreements. Indeed, this fundamental truth is well illustrated by COVID vaccines, which couldn’t be produced alone by the companies that invented them. They had to find qualified commercial partners in other countries to collaborate, sending their scientists and engineers abroad for weeks or months to bring up to speed their colleagues about the “know how.”
In short, tech transfer for modern, complex technology is really hard to do, even when it’s voluntary and done according to a commercial agreement. The failed conceit of the “TRIPS waiver” project is the assumption that it’s even possible for governments to force that sort of surrender of private property.
Indeed, I think we can agree that any form of state-sponsored commercial espionage is wrong. Well okay, maybe when your country is under siege you may be excused for using whatever tools you have at hand to cause disruption to the aggressor. Also, the forced dissemination of efficient nuclear energy technology may be one of the few benefits to come out of this terrible tragedy in Ukraine.
“Trust, but verify.”
— President Ronald Reagan
Trust is getting a lot of attention these days. Of course, it’s always been important in the United States. We declare trust in God on our currency, Scouts have to be trustworthy, and we even seem to trust the algorithm behind cryptocurrencies. On the other hand, we worry about what feels like a decline, if not complete rupture, in social trust. For businesses that depend on controlling the confidentiality of data shared with employees and outsiders, these are perilous times. Our most important assets are stored and transmitted through digital systems that are imperfect; and that’s without accounting for the frailties of the people with access to those assets.
Information security has come a long way since I started my career in the 1970s. There were no networks to worry about then, no powerful computers in the pockets of employees. Data was transmitted on paper. You just needed to watch the front door and photocopier. Employees with their badges as markers of trust could go pretty much anywhere they wanted within the facility.
The internet was still a pipe dream when the United States and the Soviet Union began negotiating to reduce their frightening stockpiles of intermediate-range nuclear weapons. One thing we remember from those negotiations is the quote attributed to President Reagan: “Trust, but verify.” A very wise and relevant point; but he didn’t make it up. The phrase is translated from a rhyming Russian proverb – Doveryai, no proveryai – that basically means to validate everything even with a trusted person. It turns out that one of Reagan’s advisors told him that the Russians love to speak in aphorisms, and this was his favorite from a list she had provided him to memorize. And he used it often; by the time the deal was struck, Gorbachev complained that Reagan said it in every one of their meetings.
At that time, and continuing until recently, trust has been at the forefront (along with verification) of enterprise secrecy controls. We could usually take comfort in the fact that we knew who our colleagues were in the building. (Remember when we all worked together in an office?) That’s also where the data was, sitting in secure filing cabinets in locked offices. Then came the corporate digital network, and now, increasingly, our IT systems are in the cloud and our colleagues (often from their homes) are connected with the company’s data through their personal computers, tablets and smartphones. Meanwhile, the bad guys are constantly attacking our systems, looking for security vulnerabilities that will get them inside.
But we do have to get the work done, frequently accessing sensitive data to do it. So, who do we trust? In the classic digital environment, identity is established with a password: get it right and then you’ve got broad access to wander through the system (or some major portion of it). That kind of “implicit trust zone” can work pretty well in a small company where people know each other. It is less likely to suit a business with thousands of employees and many external relationships where sensitive information has to be shared.
In most enterprises, security is managed by distributing more or less permanent status to individual users who are given access based on their then-current job description. If the system is working properly, scope of access is adjusted when a person moves to a different scope of responsibilities. But even when those changes are perfectly accounted for, the individual is still given admission to a very broad array of data, much more than might be necessary for any specific task.
That approach may be reasonable when you have very limited entry points into the system and where job requirements are fairly static. But increasingly, the company’s assets are in the cloud and its networks are accessible through other points, a lot of them remote. In addition, many people work on projects that change over time, so their scope of responsibility is not static.
Enter “Zero Trust,” where nobody gets a hall pass, and every inquiry is by default treated as if it might be a breach. The idea is to bring access controls down to the lowest possible level of detail, so that identity is established in much the same way that we did decades ago: we know who the user is because the system, using AI and machine learning based on the user’s profile and past behavior, recognizes them with a high level of confidence. And, in the same way, it “knows” what resources in the system they should or shouldn’t need. It then provides just enough access to enable the task at hand. In effect, this automates risk-based decisions in ways that can be more efficient.
You might be excused for thinking at this point: oh no, I’ve just gotten over the annoyance of dealing with two-factor authentication; the last thing I want to deal with is heavier security! Won’t this interfere with information flows and frustrate legitimate actors from getting the data they need to do their jobs? We understand, of course. But the proponents of ZTNA (zero-trust network architecture) assure us that it’s actually going to be easier to deal with. Technology deployed to reliably identify you will in fact be so seamless that you will be able to get rid of the dreaded VPN connection!
What? How is that possible, you might say. Well, look at it this way: the VPN is a door with a lock consisting of certain credentials, and hackers go for those credentials just like they do other data – and that’s because the credentials reflect “implicit trust.” When the door no longer is opened by a key but instead by an intelligent, well-informed analysis of who is there and why they want to get in, the hacker’s job just got enormously more difficult. People sitting at their desk can sometimes be fooled by spearphishing emails based on data about them scraped from social media; but you’ll almost never be able to fool the AI machine.
Indeed, technology is what’s enabling this much more sophisticated approach to IT security. It’s increasingly possible to adjust access controls dynamically to account for changes in the risk environment. The security professionals call this “adaptive access.”
Feeling better now? “Zero Trust” is not some dystopian nightmare in which we have lost all our humanity. In fact, it may make our jobs easier by automating detection and response processes that now involve humans with all their capacity for error and misjudgment. Or at least that’s what everyone seems to assume.
In any event, ZTNA is coming to a large company near you. We can be fairly sure of this because the National Institute of Standards and Technology, part of the Commerce Department and the source of the most widely adopted standard for cybersecurity management, has recently issued the NIST 800-207 Zero Trust guidelines.
For many smaller companies, this is likely to be a long-term issue, as the risk environment may not indicate this sort of access control, especially within groups that value a great deal of fluid information flow and collaboration. But for larger, more complex organizations with multiple business units and product lines, the zero-trust approach may be the right direction.
As with most information security strategies, this one begins with identifying the company’s “resources”—that is, your data and where it’s located. Then you examine all of the “identities” that may need access. That part of the process is likely to be more difficult with mature organizations, because of the proliferation of user accounts. After that, you determine the circumstances under which the “identities” need to access each resource, and at that instance of interaction define levels of confidence (i.e., establish algorithms) that will permit different levels of access.
For most companies, this doesn’t mean replacing your existing framework, because most of the principles are implemented in existing systems, especially identity verification. Zero trust just takes it to a new level with a judgment about confidence in the identification, by looking at the circumstances of the access request and the device it’s coming from.
The new phrase is “never trust anyone, and verify constantly.” But remember, these are automated systems to protect sensitive data; they are not comprehensive controls on human interaction within the enterprise. Indeed, inside the corporate community, we need to foster the kind of collegiality and honest communication that support empathy, collaboration, creativity and . . . . trust.
Secretary of State George Shultz, who accompanied Reagan during his negotiations with Gorbachev, published some good advice just before his passing at age 100: “When we are at our best, we trust in each other . . . . With that bond, [we] can do big, hard things together, changing the world for the better.”
“Secrecy is the badge of fraud.”
— Sir John Chadwick
What a strange and compelling story. Brilliant young inventor conceives revolutionary machine, raises staggering amounts from investors, is fawned over by the press for a decade, then crashes to earth on revelations of faked demonstrations and technology that doesn’t work. When I learned of the recent jury verdict, I naturally turned over in my mind how all this could have happened to such a well-meaning person as . . . . . . . . . . John Ernst Worrel Keely.
Okay, you were expecting someone else. But since you may not have heard of Mr. Keely, let me fill you in, and explain the role that secrecy played in one of the country’s most elaborate and long-running scams. I assure you that the Theranos investors wish they had boned up on Mr. Keely’s operation.
Keely came to prominence in the 1870s, a time of breathtaking technological advancement. This was the decade of the phonograph, the telephone and the electric light bulb. Opportunity was in the air, ready to be seized upon by anyone with the foresight to identify, and invest in, the next big thing.
Some corners of theoretical science, however, had not caught up with this state of the practical art. Although we knew a lot about how electricity worked, physicists of the time still clung to the idea that all space was filled with an unidentified substance called the “ether” which was necessary for the transmission of light and electromagnetic waves. This stubborn mystery attracted Keely’s attention, and in his Philadelphia laboratory he conceived a machine that would be run by a previously unknown, but incredibly powerful, force derived from the ether and activated by the vibration of tuning forks operating on water.
Notice we use the word “conceive” here, just as patent lawyers would, to distinguish between having the idea and “reducing to practice” the invention. The first part can arrive quickly, in a “flash of genius” while the second part, building a device that works, can take years, or never happen at all. But part of Keely’s genius – he didn’t have a formal education – was his ability to spin the vision and to capture the imagination of his investors. And of course, to capture their money.
Introducing the “Etheric Generator”
In 1872, he invited a group of scientists, along with the press, to witness a demonstration of a rudimentary “etheric generator” that used vibrations to separate atoms of water, releasing enormous power. This effort resulted in enough eager investors to allow the Keely Motor Company to build and show off a more powerful version two years later. While he spoke of “quadrupole negative harmonics” and “etheric disintegration,” Keely blew into a tube and then poured in some tap water. As the machine started to grind and wheeze, the pressure gauge registered over 10,000 p.s.i. The press reported the reaction of one witness that, “great ropes were torn apart, iron bars broken in two or twisted out of shape, by a force which could not be determined.”
But the “force which could not be determined” was just too attractive to ignore. Technology was changing the world overnight, and if what Keely had could be scaled up, then the possibilities – and the profits – were practically limitless. The company was capitalized with over $5 million (the equivalent of more than $100 million today), from prominent investors like John Jacob Astor IV. A leading Philadelphia socialite provided Keely with a monthly salary to maintain his laboratory and his focus on perfecting his invention.
The stockholders showed extraordinary patience. Year after year, at their annual meeting, Keely would send a report about some new development or discovery that reinforced the fundamentals but required extensive refinement. As promised delivery dates passed, Keely would provide new demonstrations, with increasingly impressive outputs from the machine. He enthused that his “etheric generator” would make other sources of power obsolete, and that a train could travel to San Francisco and back using the power generated from the “disintegration” of a single quart of water.
Throughout the more than twenty years of the company’s existence, Keely resolutely refused to share any details of how his technology worked, claiming that to reveal the secret would destroy its advantage over the competition. Although some nervous shareholders asked for an independent inspection, most were content with Keely’s explanations and accepted waiting.
Keely died in 1898, apparently without having revealed his secret to anyone. However, an investigation by The Philadelphia Press concluded that Keely’s motor had been “a delusion and deception,” and that the “mysterious force” which Keely claimed to have discovered derived from a three-ton tank of compressed air buried in the basement of his laboratory, connected to the workshop with pipes and wires hidden in the walls and in false floors.
Hindsight Skews the Analysis
With the benefit of hindsight, it’s easy to see Keely’s investors as credulous rubes who let greed and hubris overcome their better judgment. But that’s the power of hindsight, isn’t it? Let’s say you were hanging around Palo Alto in 1998 and a couple of Stanford students named Larry and Sergey came to you saying they wanted to build an algorithm that would search information for free but bring in $100 billion a year in advertising revenue, would you have given them money to start what would become Google? Sure, you say, but that’s another application of the power of hindsight. The fact is that in real transactions like this we are stuck with trying to calculate risk without knowing all the facts.
So, if you’re an inventor with no track record to establish your credibility, or if you’re an investor who wants to ensure that the technology is “real,” how do you protect yourself? It’s understandable that the investor wants to look under the hood and poke around; and it’s just as understandable that the inventor wants to keep the secret under wraps, because if it gets out the value is destroyed. Both of these people have a legitimate interest in protecting themselves.
But that doesn’t mean that the inventor can lie. In her trial, Theranos founder Elizabeth Holmes admitted that she hid the fact that the company was not using its highly touted “finger prick” device to test patients’ blood and instead was using traditional test equipment from established companies. She tried to defend her behavior as protecting the company’s trade secrets about how it had modified that equipment. But the existence of trade secrets doesn’t allow the inventor to defraud. And it doesn’t – or shouldn’t – mean that investors have no obligation to check out the veracity of the inventor’s claims.
The Dilemma of Asymmetric Knowledge
The answer to this dilemma of asymmetric knowledge lies in finding creative ways to build trust and confidence, so that the risk on each side becomes clearer and more easily managed. In a process that I refer to as “progressive incremental disclosure,” the participants begin with no confidentiality agreement, but are open to establishing one. The inventor determines a series of “reveals” that can be expected to increase confidence in the investor, without giving away enough information to constitute a real risk to the integrity of the secret. Along the way, the inventor may demonstrate the technology in a way that shows its potential but again does not reveal the mechanism. In another step, the inventor may call on a respected third party to perform tests that can shed light on the plausibility of the innovative machine or process, without requiring access to everything about its operation.
At some point in this negotiation, trust and a willingness to accept risk may merge, leading the investor to agree to sign a nondisclosure agreement. That act may be significant, as it could interfere with the investor’s ability to deal with a competitor. But it also may not be enough. There are some innovations that are so easy to replicate that even with a nondisclosure agreement in place, not all the details will be made available. If it comes to that, at least the investor can make a decision based on having secured a lot more information than was available at the outset. And the parties will have tested their ability to rely on the trust imposed in one another.
In the end, it comes down to risk analysis, and a process of reducing risk through diligent investigation. For example, the investors in Keely Motor Company, had they looked a bit harder into Keely’s background, would have discovered that, before he became an inventor, he worked as a carnival barker.