“Data that is loved tends to survive."
— Kurt Bollacker
In last month’s post, Part 1 of this series,we considered the view of European academics that trade secrets are not “intellectual property” because they don’t give the power to exclude others, like patents, copyrights and trademarks do. But considering that trade secrets are treated throughout the world like a kind of property – they can be transferred and taxed, and stealing them is considered theft – we concluded that what matters is not exclusion, but control. It is the ability to control access to secret data that can give companies an advantage over others that don’t know about it.
We considered the example of an Armenian family that has managed to keep – and profit from – the secrets of making the very best orchestral cymbals for four centuries. They did this by sharing only within the family, where presumably they had available some compelling ways to enforce trust.
For the rest of us in the modern, globalized and digital economy, we have what looks like an impossible task. How do you protect the company’s secrets when they are zooming around the globe at the speed of light and accessible by thousands of employees, contractors, partners and vendors, each with a small supercomputer in their hands? More specifically, what do you do when those people go home in the evening and use those same little devices to participate in various forms of social media, where they are relentlessly instructed to share the most molecular details of their lives with hundreds or thousands of “friends”?
Before we try to answer those big questions, here’s a comforting thought. What the law expects fits nicely with what the owners of a business should expect: that management will do what is “reasonable under the circumstances.” Okay, you might say, that is just an abstraction meant to dodge the problem. But there is some instructive guidance behind the “reasonableness” standard.
It starts with recognizing that perfect security is not feasible in today’s data blizzard. The more people we trust with access, the greater the risk. But in order to compete in fast-moving markets, we can’t go it alone. Today’s innovation and commercialization usually require large teams, including external partners. So being “reasonable” means accepting that risk.
Besides the imperative to share, we also have to confront another reality of risk: security measures almost always come at a cost. It’s not necessarily about money, but about convenience and productivity. Think about two-factor authentication, where in addition to your normal password you have to wait for a special one to be generated and sent to your personal device. Now think about doing that 50 or 100 times a day, as you go through each office door and engage with each software program or database. It adds up. Most businesses can’t afford the efficiency loss that results from placing maximum protection on all forms of data.
So it’s pretty clear that we can’t have it all when it comes to information security. “Reasonable” means thoughtful management of the risk of losing control over your data, while not letting the perfect be the enemy of the good. So how does a business do that? Here are some observations grounded in the law and in sensible business management.
To begin with, recognize that “reasonable under the circumstances” refers to the unique circumstances of your business and the risks faced by your information assets. There is no one-size-fits-all checklist of “best practices” that applies across the board. If you think that checking off a list of security techniques is enough, or if you’re worried that you’re not doing everything on some list, forget that. What matters is the circumstances you are in, measured by three things: value, threat and cost.
Valuable information can be found everywhere in most companies, and we can’t protect it all with maximum effort, or the business would collapse under the weight of the effort. Instead, we have to understand where we get competitive advantage from data, and try to categorize it according to its value. This is not necessarily value in the absolute sense, measured by currency. Instead, knowing relative value will help inform decisions about what level and kinds of security are needed. The algorithm that powers a critical business process might deserve more attention than a marketing strategy.
Assessing value could be as simple as picking the top 10 or 20 trade secrets that cause you concern. To do that, you need to know what you have. But don’t be put off by fear that an “inventory” of information assets has to be a logistical nightmare, like the hardware store shutting down for several days in order to count all the individual nuts and bolts. Instead, the idea is to organize your data into categories that reflect similar kinds of value, such as tools, databases, strategies, R&D records, information about customers, financial data, and information entrusted to you by others.
The next step is to assess the threat, or risk, faced by the different kinds of confidential information you need to manage. Here there are two kinds of threat. First, there is risk of loss or leakage that can reduce or destroy competitive advantage. We can refer to this as “outbound” risk. In contrast, but often equally important, is “inbound” risk, that is the possibility that your information may become contaminated by unwanted data from outside the business. Most commonly, this sort of infection happens through hiring from competitors; but it can also come in through poorly managed confidential business relationships like a potential acquisition.
In order to thoroughly understand your risks, of course, you need to estimate the likelihood that the bad thing might happen, as well as its impact on the business if it does. Hiring an engineering manager from a direct competitor to lead an identical project will represent a substantial danger of potentially serious harm; while providing secret drawings to a trusted vendor without negotiating a non-disclosure agreement (NDA) may be more acceptable. Making these distinctions will help management focus not just on the hazards but about how much risk might be acceptable in the name of efficiency.
Once you know what you have and the array of threats you contend with, you can begin to consider where to focus your attention and allocate your resources. In this part of the process you consider the ways in which you might reduce the potential for harm, measuring the cost (in terms of money or operational friction) against the value of the information in question. In recruiting the engineering manager, for example, you might consider not only providing warnings and getting assurances about unwanted transfer, but also, if the perceived risk warrants it, providing the new hire with independent counsel to reinforce the message and to better distinguish between the skill he can apply and the trade secrets he can’t.
Many other decisions about information security will be taken in this way. Should the company adopt a labeling system for confidential information that applies multiple levels of restriction, or will a simpler system result in better compliance? Does a different risk environment in overseas facilities call for a different kind of employee training there? Should NDAs be managed centrally, or should business managers be allowed to negotiate special terms? Should access to various systems and databases be controlled for each application, or is universal access with passwords enough? Should we install software on employees’ phones to ensure they don’t share company secrets?
If you’re thinking that what I’ve described here is just classical business risk management, you’re right. The process of considering value, risk of loss and cost of mitigation techniques is how most companies approach caring for their assets and opportunities. For some, the analysis is more ad hoc than strategic, while others increasingly look outside the organization for help in designing a comprehensive data protection program.
The most important takeaway is this: your information is your property, and without due care its value can diminish or disappear. But you have control over it. Pay attention and be aware of your options. That is the “reasonable” thing to do.
“Knowledge conquered by labor becomes a possession – a property entirely our own.”
— Samuel Smiles
Sometimes it seems that trade secrets are always fighting for respect. I recently ran into a friend who teaches at a European university. He somehow found a way to squeeze into the conversation a pronouncement: “You know, trade secrets are not property.”
Stay with me; this gets interesting.
I sighed, because I knew what was coming. I’d heard it many times before. “The essence of property,” he said, “is the ability to exclude others, and that doesn’t exist with trade secrets. Anyone is free to discover the same information, or to reverse engineer a product to learn how it is made.”
I acknowledged that trade secret rights are not exclusive, and it’s easy to reverse engineer some things. “But what about secret formulas, like Coca-Cola’s, and secret algorithms, like Google’s? And companies often make products using processes that you can’t figure out by looking at what’s public.” He was ready with the ultimate squelch: “Sure, but all of that is not property, because you can’t exclude anyone; you might not even know when someone is using the same so-called secret. If you can’t order them off, it’s not property.”
Like I said, I’ve heard this before. Even in the specialized world of intellectual property, the other major rights – patents, copyrights, trademarks – give you exclusivity, at least for a time. (Twenty years for patents, life of the author plus 70 years for copyrights, and during commercial use for trademarks.) If someone tries to make the same invention, publish the same song, or use a confusingly similar mark, you can get a court to make them stop, just like you can protect your land against trespassers. But for trade secrets, you have to accept the fact that others may develop, or discover, the same information that gives you an advantage over your competitors.
In some parts of the world – mainly Europe, where my professor friend was from – this distinction can matter. When the EU in 2016 issued its Trade Secrets Directive, requiring all the member states to meet certain standards in their national laws, it specifically said that trade secrets were not to be treated as “intellectual property.” That meant that the earlier EU Enforcement Directive, which provided some helpful remedies like seizure, and which required sharing certain information with the owner of the IP, wouldn’t apply to trade secrets.
Never mind that every one of the EU member countries have long been signatories to the 1995 TRIPS Agreement, which declares, in Article 1, Section 2, that all categories of IP, including “Undisclosed Information” (Article 39), are “intellectual property.” In Europe, the combination of academic inflexibility and political cowardice has kept business secrets trapped in this “non-property” abstraction.
On our side of the Atlantic, we’ve taken a more practical view about treating information as “property.” As we imported the law of trade secrets from Britain (which is about to leave the EU, but apparently not because of how they treat secrets), U.S. judges recognized that the knowledge developed by a business that gives it an edge should be treated like more traditional forms of property. This was important to an emerging industrial economy that required sharing information in confidence with employees and others.
In 1868, Massachusetts’ highest court ruled that if one “invents or discovers, and keeps secret, a process of manufacture . . . he has a property in it” that courts will protect against a breach of confidence. But the ability to assert trade secrets had already been established by the same court many years earlier. It may seem deliciously coincidental to those of you familiar with Roald Dahl’s Charlie and the Chocolate Factory that the first trade secret case in the U.S. was about . . . a process for making chocolate. If you want to look it up, it’s Vickery v. Welch, 36 Mass. 523 (1837).
In the first half of the 20th Century the courts took a small detour by emphasizing that the interest being protected was more about the confidential relationship than the information itself. In 1917, the U.S. Supreme Court declared that “the property may be denied, but the confidence cannot be.” But in later cases, the Court ruled that trade secrets may be taxed, that the constitutional requirement of compensation for seizure of property applied to trade secrets, and that “confidential business information” was “property” within the meaning of the mail and wire fraud statutes.
These decisions align with the way that business treats valuable information as an asset. It can be bought and sold, licensed, shared, and pledged as collateral. Is it “property”? The view here is that if it waddles and quacks, it’s a duck.
But apart from the way we treat it in transactions, what is it about this special right that should make us feel comfortable calling it property? It is the element of control. Although we can’t control whether someone independently develops the same information, we can control who gets access to our own, and under what circumstances.
Back in 1623 in Constantinople (now Istanbul), a fellow named Avedis Zildjian was trying to perform alchemy, and while he didn’t manage to transform base metal into gold, he did happen on a special alloy of copper, tin and silver that when fashioned into a circular sheet made a great sound. Today, the Zildjian family company still supplies what are considered the world’s best cymbals to leading musicians all over the world. The secrets are safe because they’ve not been disclosed outside the family for generations.
Other businesses can achieve the same effect, simply by managing their information assets. In fact, the modern law on trade secrets requires that, before courts will lend a hand to enforce promises of confidentiality, the owner has to show that it has engaged in “reasonable efforts” to keep the information secret. What’s “reasonable?” The law doesn’t specify, beyond teaching that every circumstance is unique, reflecting the value of the information, the risk of its loss, and the cost (including inconvenience) of instituting various measures to reduce the risk.
In the end, getting help from the courts to protect your secrets will depend to some extent on how much you exercise the control that comes with secrecy. Realizing the need to share information with employees, vendors, customers and collaboration partners, you should establish all the controls that help everyone understand the confidential nature of your data assets and reduce the risk of inadvertent leakage or contamination by someone else’s secrets.
Next month, in Part 2, we’ll take a closer look at what businesses should be doing to maintain the integrity of these most valuable assets. In the meantime, just remember this: you have control over who gets access and what they can do with those assets. Exercise that control, and you’ve staked a claim to your property. No matter what the European professor says.
“We’re from the government, and we’re here to help.”
— Anonymous
According to Merriam-Webster, the “Word of the Year for 2019 is “they” when used in the singular, typically to avoid ascribing a gender to the person being referred to. The larger point is this: language matters. Since this is a space dedicated to secrecy, let’s consider how we use language to determine who gets access to our trade secrets. For today, we’ll be looking specifically at how government does this. After all, they write the laws and so should be practiced at defining exceptions to property rights.
Why should the government care at all about business secrets? Examples will help us here. Locally, the fire department needs to know what hazardous chemicals you might be storing at your plant, in case they have to come and put out a fire there. For different but equally compelling reasons, the Food and Drug Administration (FDA) insists on knowing exactly how drugs are made, and the Environmental Protection Agency (EPA) requires submission of pesticide ingredients. And then there is the government as consumer: last year the U.S. spent over $550 billion on purchasing goods and services from the private sector, and with all that economic clout comes the right to demand access to a lot of related data.
Government purchases are regulated by the Federal Acquisition Regulation (FAR), a law only somewhat less complex than the tax code. But for “commercial items” the FAR gives the government no data rights. The seller can provide “limited rights,” allowing the government to use information only for internal purposes and repairs, protecting it from public disclosure.
Although not everyone sells to the government, many businesses are required to give the government a great deal of information that they don’t want the competition to see. A federal statute, aptly named the Trade Secrets Act, has been in place for over a century, making it a crime for federal employees to disclose valuable business information. In addition to the FDA and EPA, this law and other regulations designed to protect trade secrets apply to mandatory disclosures made to the Securities and Exchange Commission, the Consumer Product Safety Commission, the Occupational Health and Safety Commission, and even the Post Office.
Over the first half of the 20th century, as the federal government broadened its regulatory functions, keeping business data confidential was straightforward: companies would mark their records “confidential” and agencies would keep them sealed from public inspection. Then came the Freedom of Information Act (FOIA, pronounced with delight or disdain, depending on your interest, as “FOY-YAH”).
Originally adopted in 1966, FOIA was expanded in 1974 following the Watergate scandal, to allow broader and easier access to government by the public. It requires that federal agencies promptly make available to any “person” any requested record unless it is “exempt” from disclosure. Two aspects of “Exemption 4” are relevant here. The first is for “trade secrets,” which one might expect allows companies to breathe easy about the risk of disclosure. However, the courts soon interpreted the phrase “trade secrets” under a 1939 guide (the Restatement of Torts) to have a very narrow meaning, so that part of the exemption was not much help.
A second part of the exemption applied to “confidential commercial information,” and this at first seemed to provide comfort for submitters. But the courts eventually narrowed the meaning of this phrase, too, adding the requirement that, to prevent disclosure, a submitter had to prove “substantial competitive harm.”
This “competitive harm test” might not have been much of a problem if the issue were always resolved privately between the government and the owner of the secret information. But another actor was usually involved. Almost from the outset of FOIA, a statute intended to inform the public about the workings of their government, the most frequent applicant for disclosure has been — no prize for guessing — commercial entities. With the potential of access to information saving years of expensive research, competitors would challenge the exemption in court, leaving the trade secret owner to argue over the vague and speculative concept of “substantial harm.”
Not anymore. A few months ago the U.S. Supreme Court issued its first opinion on the meaning of Exemption 4. In a case called Food Marketing Institute v. Argus Leader Media, the issue was whether information about food stamp redemption at individual grocery stores, submitted by them to the FDA, had to be revealed under FOIA. Examining the text and history of the statute, the court held that “confidential” has an ordinary, dictionary definition and applies to any information that a business would customarily treat as “private.” The “competitive harm test” had been improperly added by the courts.
For companies that need to share competitively sensitive information with the government, this ruling provides much more certainty about keeping the information from competitors. But while celebration may be in order, it’s no time to relax. Agencies, and the people that work for them, can make mistakes. Just ask Monsanto, whose RoundupÒ herbicide dominates the market because it is effective against a large range of annual and perennial weeds and allows planting soon after spraying. In 1982, the EPA gave the secret formula to a lawyer for one of the company’s competitors. (The information was later retrieved.) And then of course there are state and local agencies to deal with.
What should companies do to protect themselves against the risk of disclosure by the government? First, put prominent labels on all sensitive records before they are submitted. This kind of marking may be required by a special statute or regulation that applies to your industry; but even if it isn’t required, it’s common sense to communicate boldly your claim of confidentiality to those who are handling your data.
Another way to control the risk of disclosure is to get an agreement from the agency involved. This is more cumbersome than just marking your documents, but it increases the odds that the information will be handled with care, and that the agency will refuse to disclose it to an outside party.
Finally, closely examine your draft submissions. Try to find a way to supply the required information without revealing your business secrets. To the extent that you achieve that goal, then your data will have the best possible protection against government disclosure.
The “Word of the Year” for business in 2020 is “confidential.”
“Any sufficiently advanced technology is indistinguishable from a rigged demo.”
— James Klass
The spectacular failure of blood-testing firm Theranos is the subject of a riveting book, Bad Blood by investigative reporter John Carreyrou, and an engaging documentary, “The Inventor” on HBO, focusing on Elizabeth Holmes, the once-celebrated wunderkind who dropped out of Stanford at age 19 to “change the world” with a device that would perform hundreds of diagnostic tests with a few drops of blood from a finger stick. It’s a story made for Hollywood (Jennifer Lawrence will play Holmes in the forthcoming movie), filled with lies, deception, threats and sex, set in a Silicon Valley startup.
Once valued at $9 billion, Theranos raised hundreds of millions from famous investors such as Rupert Murdoch, Betsy DeVos and the Walton family (owners of Walmart). It landed a corporate partnership with drugstore giant Walgreens, which built a series of “wellness centers” in its stores, where customers could order blood tests without a prescription. Due to a legal loophole, the Food and Drug Administration (FDA) hadn’t examined the Theranos device, called “Edison,” which was still just a prototype. But the show had to go on. Most blood tests had to be performed with a traditional syringe draw. As for the “droplet” tests, they were dangerously unreliable. The technology that made everyone so excited, it turned out, didn’t actually work. Theranos collapsed. Elizabeth Holmes now faces trial for criminal fraud.
Theranos’ initial success was not something that Holmes could have achieved on her own. She needed the cooperation of a supporting cast of prominent men (yes, they were all men) on her board, including such luminaries as former Secretaries of State Henry Kissinger and George Schultz, former Senator Sam Nunn and retired General James Mattis (who would go on to serve as Secretary of Defense in the Trump administration). None of them had backgrounds in medicine. Also serving on the board, and as the company’s lead lawyer, was David Boies, the trial lawyer who had represented Vice President Al Gore in his election case before the Supreme Court.
But the most important enabler of the Theranos con was not a human being. Instead, it was secrecy. According to the book and documentary, to keep investors and business partners in the dark about what was going on, Holmes used the excuse that the breakthrough invention had to be kept under the tightest possible wraps, lest competitors leap ahead. Her lawyers reinforced this notion, giving it enough credibility that Holmes could draw in otherwise rational people with the promise of a healthier society, a disrupted industry, and capital gains. This gave Holmes the comfort to actually fake demonstrations of the Edison: while important visitors were taken on tour, their blood sample was taken out of the machine and whisked to a downstairs lab where it was analyzed using commercially available equipment, with the results returned to the meeting room just in time.
Nondisclosure agreements were secured from everyone who came into contact with the company. And those agreements were enforced vigorously, apparently even using private investigators and threats of crushing litigation to keep knowledgeable employees from speaking with the press. (If you are interested in learning how lawyers can terrorize well-meaning whistleblowers, I urge you to read the book.)
Secrecy was apparently also used within the company, keeping employees “siloed” from other areas by an extraordinarily strict need-to-know policy. As a result, those who worked on running the machines didn’t know what the engineers might be doing to fix and improve them, and new development projects kept people guessing about whether the real breakthrough technology was being sharpened in the next room. All of this partitioning of knowledge was coupled with enthusiastic “us vs. them” speeches by Holmes designed to keep morale strong and faith alive.
Of course, the “dark side” of trade secrets—where the law enforcing confidentiality is used in unintended ways—isn’t unique to Theranos. Nondisclosure agreements have been accused (without much empirical evidence) of discouraging employees from moving to new jobs, for fear that they will inadvertently misuse some confidential information. More recently and notoriously, they have become part of the “#MeToo” conversation, as a mechanism for suppressing the truth by silencing victims of abuse.
But we have ways of preventing, or at least mitigating, these inappropriate consequences. Courts routinely exercise discretion to favor the free movement of employees from job to job. There are now strong whistleblower protections built into federal law for those who want to share with the authorities confidential information about potentially unlawful conduct.
Even the Theranos story doesn’t mean that trade secret law is inherently dangerous. Consider Apple, one of the world’s most secretive companies. (Holmes famously modeled her clothing and business habits after Steve Jobs.) Apple has consistently used NDAs and secrecy management to protect products under development, to great effect when they are ultimately unveiled, all without touting non-existent technology. And it’s easy to imagine how Theranos might never have happened if investors and business partners had been less credulous and more insistent to understand the technology. It is entirely possible to couple information security with appropriate governance and oversight; indeed, that is how most companies behave. More than any problem with trade secret law, the Theranos debacle is about greed, hubris and the overwhelming power of human denial when faced with inconvenient facts.
However, the Theranos story got me thinking about other aspects of secrecy and technology that pose stickier problems. The one that comes to mind is artificial intelligence (AI). As a concept, AI has been with us a long time, representing the evolution of powerful computing that we imagine might someday mimic the human brain. But only recently has it seemed on the relatively near horizon, with systems being deployed on information sharing platforms like Facebook, and, soon it seems, in our cars. It’s one thing to let Google protect its search engine; but we have seen how fake news can affect elections, and we wonder how computers will be able to make life-or-death decisions while driving themselves (and us) down the road.
A common public reaction to these concerns about personal-impact technology is to demand “transparency” of the companies that use AI in their tools. We want to know exactly what the algorithm is that determines our news feed, and we want visibility on what the car will do when faced with the choice of hitting the baby carriage or grandma. But here we run into a dilemma common to all forms of advanced technology: we need to encourage the innovation that gives us new products and services; but to enable the necessary investment of money and risk we need to guarantee secrecy so that the innovator can recoup its investment.
When as a society we faced a similar problem a century ago with an emerging technology with profound individual consequences, it was pharmaceuticals, and eventually we fashioned an approach that has worked fairly well to serve both private and public interests, in spite of the narrow loophole that Theranos exploited. Drug companies are required to reveal to the FDA their formulations and test data, where technically qualified officials examine the drug or device for efficacy and safety. All this is done behind closed doors, to protect the company’s investment in some very expensive and risky research. But because we have confidence in the ability of the agency to get it right, we are comfortable using the drugs that have been approved.
It’s not clear to me that a similar model would work to address the potential flaws in secret AI engines. How would we develop models for testing everything that could possibly go wrong? How could a government agency reliably make predictive judgments about software that operates in the world, rather than chemicals that operate in the human body? And even if those challenges could be overcome, what do we do about the fact that the AI algorithms, unlike drug formulations, are not static, but are built to dynamically alter themselves through machine learning?
I don’t have a good answer to these questions. Unlike the situation at Theranos, where the risk of harm from secrecy could have been met by some healthy skepticism and common sense, AI presents a uniquely difficult challenge to find the right balance of competing interests. We need to keep talking about it.
When one company looks at buying another, the potential buyer engages in a “due diligence” process designed to help it fully understand the relevant risks and opportunities before the deal is done. In today’s digital economy, most business assets are intangible, and so intellectual property (IP) is among the most meaningful of the variety of issues that an acquirer needs to examine. But while most due diligence checklists include dozens of questions pointed at the target company’s patents, trademarks, and copyrights, trade secrets get relatively little attention, often limited to a single request to confirm that the target has some system in place to protect its secrets from unauthorized disclosure.
This light touch on trade secrets, compared to the other forms of intellectual property, can seem bewildering when you consider that secrecy has been shown repeatedly to be the preferred method of protecting commercial innovation. Moreover, with so many companies turning to data collection and analysis as a way to enhance their competitive position, one would think that trade secrets should get top billing in any assessment of a commercial transaction. That it frequently doesn’t may reflect the roots of trade secrets in state common law, distinct from the registered IP rights, which can be counted and more easily valued. Even though we now have legislation at the state (Uniform Trade Secrets Act) and federal (Defend Trade Secrets Act) levels, trade secrets may still seem relatively mysterious to many of the corporate lawyers who lead due diligence efforts in connection with acquisitions. Or those lawyers may just assume that these issues are being handled by the company’s IP specialists.
Some industries and companies typically pay close attention to their most valuable secrets, due to the nature of their businesses. Examples include chemical manufacturers, biotech companies with their heavy emphasis on R&D, and to a certain extent software companies that increasingly locate their core algorithms in a private cloud, where customers can use the tool but not look inside. But a lot of what makes any business valuable consists of more dispersed technoloy, including knowing what not to do (“negative know-how”) and insights drawn from data analytics that in turn drive marketing strategies.
Based on anecdotal experience, it seems that, with some exceptions where the acquirer pays very close attention, there is often a disconnect between the perceived importance of information assets in the abstract and how they are actually treated in the context of planning, investigating, and executing business combinations. Even where these assets might seem not to matter very much, as when the acquirer plans an “acquihire” (buying the company just to get its smart employees), there is still reason for concern, since trade secrets reside largely in the heads of individual actors, who may or may not stay around after the deal is done.
All businesses face risks in connection with their information assets, more or less constantly. That’s a necessary result of the trend toward “open innovation,”2 coupled with the fact that the systems used for storage and communication of data allow wide access to hundreds or thousands of individuals and are to one degree or another insecure. A lot can be done to manage those risks on an ongoing basis, but the potential acquisition presents a uniquely fraught circumstance compared to other relationships because the parties’ interests at the outset are not necessarily aligned, and the time frame for dealing with some very complex and challenging issues is often quite short. Both sides in the deal must confront significant risks resulting from the understandable anxiety that each experiences (or should experience) from sharing or receiving highly confidential information.
Let’s first consider the target company. Classically, the biggest hazard faced by the target is the almost existential risk that it will expose its core secrets to a suitor who ultimately walks away from the deal and goes into direct competition. And while that fear is legitimate and should inform any number of protective strategies, it may make more sense to first recognize a somewhat counterintuitive problem: the risk of success. By this I mean that if the deal goes through, the target will have to provide very extensive “reps and warranties”—essentially guarantees about the ownership and security of its information assets and freedom from third-party claims. Here is an example, cast in the typically overburdened prose of commercial transaction documentation:
The Company and each of its Subsidiaries have taken all commercially reasonable measures to protect and preserve the confidentiality of any Trade Secrets that comprise a material part of the Company IP. To the knowledge of the Company, all use and disclosure of Trade Secrets owned by another Person by the Company or any of its Subsidiaries have been pursuant to the terms of a written agreement with such Person, or such use and disclosure by the Company or any of its Subsidiaries was otherwise lawful.
The prospect of signing on to these guarantees represents a challenge because the target needs to start preparing for this responsibility very early in the process, by revisiting its trade secret protection program, as well as its compliance with outstanding confidentiality agreements. Of course, this can also be viewed as an opportunity to enhance trade secret governance, no matter the outcome of the proposed acquisition. IP counsel advising the target company can be very helpful in directing this analysis, including identifying specific areas of risk and setting priorities for management action.
But the deeper and more consequential concern is that the transaction will not come to pass, and the purported acquirer turns into a competitor made more capable and threatening by virtue of having had access to the target’s secrets. Here too, reducing this dimension of risk begins with getting the house in order regarding trade secret management. The first step in taking adequate precautions is to know what trade secrets you have, how they are represented (in code, in process documents, in the head of the fellow who operates the production line, etc.), and what their value is to the company. The latter can be an expression of how much they contribute to profitability due to increased efficiency, for example, or of the damage that would be caused if the information fell into the hands of a competitor. Either way, addressing in a disciplined way the relative value of the target’s major categories of information assets will inform the extent of risk taken in the coming negotiations over how much of it the suitor will be allowed to see and under what conditions, as well as perhaps the financial terms of the hoped-for acquisition.
The starting point for disclosure must be a robust nondisclosure agreement (NDA) by which the potential acquirer acknowledges the confidential nature of the process and promises not to disclose or use any confidential information other than to evaluate the possible deal. This contract has to be negotiated at the outset, separately from the terms of the eventual transaction (although executing a concurrent letter of intent is quite common), and before any secrets are exposed. From the target’s perspective, the NDA needs to include a broad definition of “confidential information,” allowing for only the standard exceptions for information that is publicly known, developed by the recipient independently of its exposure to the secrets, provided properly by a third party, or already in the recipient’s possession (the latter should be limited to what can be demonstrated by contemporaneous records).
To the extent possible, the target should resist agreeing to a “residuals clause,” which removes from coverage any information that is “retained in the unaided memory” of the people who are to have access to the target’s secrets. Although there may be good reasons for the potential buyer to want such protection for itself (see discussion below on this point), the practical effect can be to grant a license to the target’s secrets. Not only does this open up the possibility of unfair competition from the buyer if the deal doesn’t go through; it also imperils the general enforceability of the target’s secrets as to others, because they can claim that the information has not been the subject of “reasonable efforts” to protect it, a necessary element of establishing trade secret rights.
Another significant provision from the perspective of the target addresses what to do about verbal disclosures of secret information. The buyer’s NDA may limit confidential information to what is contained in documents that are prominently designated as confidential. But the due diligence process normally includes interviews in which additional sensitive information may be revealed. It is important that the target at least have the opportunity to identify this information in a written communication within a specific time following disclosure. And speaking of time, the target should consider very carefully any attempt to limit the term of the recipient buyer’s confidentiality obligations. Again, such a limitation (typically three to five years) is rational and reflects the other party’s interest in avoiding the administrative burden of perpetual compliance. But as with the residuals clause, putting a limit on the period of confidentiality can have the effect of granting a license when the period expires; so the target must be comfortable that none of the shared information will remain valuable after that time.
Whatever the terms of the NDA, there will remain some risk that information will be misused beyond the target’s awareness or ability to prevent. Therefore, it also needs to focus on the process of disclosure, to ensure that information is only transferred when and to the extent that it needs to be. In general, it is a good idea to use “progressive incremental disclosure,” starting with an exchange of nonconfidential data, and then working gradually through increasingly sensitive information as trust and confidence between the parties build. Each stage thereby provides a basis for understanding the value and risk of moving to the next stage. For some highly sensitive information, special restrictions might include limiting disclosure to named individuals or under supervision without the ability to copy or take notes. And it may even be possible to negotiate for a limited disclosure of certain items, or certain details, leaving full disclosure to occur only after closing. Sometimes the acquirer will accept such terms because it has been able to make a sufficient assessment based only on partial access and the deal otherwise has enough momentum to justify it.
In contrast to the target, the buyer’s major risk, besides overlooking some aspect of the target’s data assets, is in its exposure to information that might be relevant to the company’s own R&D or other business transactions. These concerns for potential “information contamination” are most acute when the company has an existing plan to develop related technoloy in-house but wants to compare that possibility to what it might be able to acquire outside. This is known as the “make vs. buy” conundrum, and it is fraught with hazards.
The reason we refer to this situation as a conundrum is that the potential acquirer has separate interests that tend to compete with each other. For example, it wants to know as much as it can about the target’s technoloy and strategies, so that it can adequately assess the transaction. But at the same time, acknowledging that the deal may not happen, it also wants to protect its own freedom to operate and so would like to keep exposure to the target’s secrets to a minimum. This ambivalence is sometimes compounded by different internal agendas, typically because of the related internal development program, whose leaders naturally would like to win the “make vs. buy” contest. This can lead to their breaching the wall between their group and the deal team, as they try to better understand the competition.
The challenge is much greater if no such barrier was erected to begin with. In Nilssen v. Motorola, the court denied summary judgment on the defendant’s claim that its competing product was developed independently of the target’s technoloy, because some of the supervisors of the internal project had attended due diligence meetings with the target company’s engineers. As the court explained, “the placement of key employees in a position where they might assimilate a trade secret permits an inference of misappropriation.” The point had been made even more forcefully by the Federal Circuit in Roton Barrier v. Stanley Works, in which the prospective buyer had tried to argue that the personnel exposed to the target’s secrets did not meaningfully participate in the internal development project, but merely supervised others who did the work. The court rejected the argument as “disingenuous.” It also declined to recognize as independent the work of a third party hired by the buyer to manufacture its competing product, because it had been given instructions by those who had access to the target.
Occasionally the breach occurs in a narrower but equally dramatic way, as when the buyer’s outside patent attorney is tasked with reviewing the target’s unpublished patent application to assess its strength. This was the situation in X-IT Products v. Walter Kidde, in which the court denied summary judgment to the defendant because the draft claims in the application were deemed to reflect the target’s confidential assessment of the most protectable features. The attorney had passed on this information, together with a list of cited prior art from the application, to an associate who was working on an application for the defendant in a related field. Although the defendant managed to demonstrate independent work in every other respect, this leakage was enough to deny summary judgment.
Transgressions like these can have serious consequences beyond exposure to a damage award. In Den-Tal-Ez v. Siemens, the buyer falsely assured the target that it was no longer interested in acquiring a competitor, while in fact it was conducting meetings in parallel and ultimately chose the competitor. Having been exposed to the plaintiff’s manufacturing facilities and technical know-how, the buyer was enjoined from completing its intended acquisition, or acquiring any other competitor, for a period of three years. The injunction was affirmed based on a theory of threatened misappropriation, which the court deemed “inevitable.”
While some of these mistakes are operational, the potential acquirer’s first line of defense against liability is an NDA carefully constructed to cabin its exposure. Ideally, the contract should limit protected information to that which is provided by the target in writing and clearly marked as confidential. If verbal disclosures are to be permitted, they should be effective only if confirmed in a specific writing within a brief period. (Note that someone on the recipient’s side should be tasked with receiving and verifying the contents with those involved in the disclosure.)
Whether or not the prospective buyer is engaged in development of a competing product or service, it is wise to include in the NDA an acknowledgment that it may be so engaged, and that there have been no representations of exclusivity, the buyer being free to consider the acquisition of alternative businesses or technologies. The most reliable way for the buyer to protect its freedom is by insisting on a “residuals clause,” typically some variation of the following:
Discloser agrees that the disclosure of Confidential Information to Recipient shall not impair the right of Recipient to engage in its business, including the development of products and services that are competitive with that of Discloser, provided that Recipient does not breach this Agreement. Therefore, it is agreed that Recipient may use Residuals for any purpose. “Residuals” means any information retained in the unaided memories of the Recipient’s employees who have had access to the Discloser’s Confidential Information pursuant to this Agreement. An employee’s memory is unaided if the employee has not intentionally memorized the information for the purpose of retaining and subsequently using or disclosing it in violation of this Agreement.
Other important provisions of the NDA include setting a time when confidentiality will expire (this may prompt push-back from the target, but particularly if there is no residuals clause the administrative burden of perpetual management of the exposure can be a very legitimate concern) and a choice of law and forum (critical for cross-border deals). A requirement to arbitrate disputes may also be helpful, especially as a way to ensure confidentiality.
No matter how complete and robust the contract governing the transaction, effective due diligence requires very close management of the process. Generally speaking, complete, documented separation should be maintained between those who have access to the target’s secrets (the “clean team”) and those who are engaged in internal development. For particularly sensitive situations, such as where the company has an ongoing project that is directly competitive, it may be wise to employ a third party to handle the diligence, or the relevant portion of it, and to report back only their recommendations. And there may be some information that is so highly confidential that the target is unwilling to provide access at all before closing. This then becomes a matter of assessing the risk, which may be mitigated to an extent through representations and warranties in the transaction documents.
Having identified, allocated, and controlled the risks as appropriate, diligence proceeds with the objective of learning as much as possible about the target’s trade secrets and how they are protected and deployed. Among the documents to be examined should be employee and consultant confidentiality and invention assignment agreements, third party NDAs and related contracts, policies and procedures regarding trade secret protection, training programs, records of R&D, and licenses or other agreements reflecting ownership and control (including the ability to transfer to the acquirer), such as joint development or funding relationships.
Examination of the target’s trade secret protection program is not about checking a box, but should be as thorough as necessary to assess whether it at least meets the “reasonable efforts” element of secrecy as defined by the Uniform Trade Secrets Act and the Defend Trade Secrets Act. Interpreting that provision, the courts expect the trade secret holder to balance the value of the information against the risk of loss, measured against the cost of various measures that could reduce or eliminate the risk. A good description of this basic risk management approach in practice is provided by CREATe.org.
The due diligence process should also address the following questions:
Finally, assuming that the acquisition proceeds, the buyer should have created a thoughtful plan for integration of the target’s workforce. Corporate cultures and practices around treatment of confidential information vary greatly. Employees at a very small company may not be used to the controls required in a more hierarchical organization. Even companies of equivalent circumstances may have established different approaches. The integration plan should combine the best information access and security measures from each, just as with other aspects of their operations. Whatever the decision regarding ongoing structures, the surviving company should institute a rigorous and ongoing training program, with regular follow-up.
Management of trade secrets is fraught with competing interests. There is the tradeoff between security and inconvenience—for example, the annoying wait for a special code to allow “two-factor identification” when you already have your password handy. There is trusting your employees while knowing they might leave to join a competitor. And there is the tension between corporate secrecy and the public interest, such as when the fire department insists on knowing what toxic chemicals are used in your facility.
And now we have the cloud (like “internet,” its ubiquity merits lower case), which offers unparalleled convenience and flexibility to outsource corporate data management to others. But moving IT functions outside the enterprise creates new vulnerabilities for that data, which happens to be the fastest growing and most valuable category of commercial assets. So understanding this environment has to be a high priority for business managers.
The cloud has given us multiple acronyms, like SaaS (software as a service), PaaS (platform as a service), and IaaS (infrastructure as a service). But it’s not as complicated as it sounds. From the customer’s perspective, the cloud is just a bunch of linked servers in some (presumably) secure location that gives you an array of IT resources whenever and wherever you want them. Tech companies like Amazon, Microsoft and Google have built massive clusters of computing power and data storage that can be rented out using their own applications, or as a host for the customer’s software tools. Cloud services are now ubiquitous. If you are using Twitter, Facebook, Office 365 or Box, or just doing a Google search, you are flying in the cloud.
It may come as a surprise to some Millennials that the cloud is not new. It is the result of an evolution of networked mainframe computers that began in the 1950s, leading to the development of “virtual machines” that combined the capabilities of several real ones. As telecommunications shifted to digital, these bundles of remote hardware became a powerful platform for business to increase efficiency by buying computing resources on an as-needed basis.
In the world of trade secrets, the cloud has wrought fundamental change. Software companies used to worry about their customers reverse engineering their products distributed on CDs. Now they put those applications in the cloud, so the customer only has access to its own data and outputs. And the massive and inexpensive capacity of the cloud has enabled companies to generate a new class of assets, including analytics from “big data.” Finally, the cloud has given industry the option to outsource all or part of the information security management function to full-time specialists.
But sending out your data to be stored and manipulated can be like sending out your shirts to be washed—they can get mixed up with other people’s clothes, and you are counting on the laundry to keep everything separated and organized. Even if you prefer the metaphor of putting your jewels in the hotel’s main safe, you need to realize that they are no longer in your control, and you don’t personally know the fellow who works behind the desk. It is this fundamental set of risks that represents the dark, threatening side of the cloud.
The nature and extent of risks to data security differ according to the type of service that the Cloud Service Provider (CSP) offers, as well as its commitment to overall security. The “public cloud” is like a dormitory or public swimming pool. Your information may be rubbing shoulders with others’, possibly including competitor data stored on the same server, so techniques for data isolation will be very important. A “private cloud” is like having everything run on your own servers, but management and location can be outsourced for efficiency.
In between are “hybrid” environments, in which data and applications are distributed among multiple clouds, one or more of which may be public or private, according to needs, risk reduction and cost. There is also the option of a “community cloud” in which multiple organizations with similar interests band together to create a shared private cloud, which can be managed and hosted internally or externally.
All of these models share to some extent the basic prospect of increased efficiency and reliability by not doing everything yourself on your own network of servers. But to the extent you’re not doing it yourself, you’re trusting that others will do it right, and that presents a potentially unknown level of risk to your data assets.
A nominal security advantage of the cloud is that this is the business of the CSPs, and presumably they commit serious resources to hiring the best professionals and installing and maintaining the best security tools. However, as with any other service, there are a lot of options, and unfortunately a lot of variability in quality. According to McAfee, a security firm, only 10% of today’s 25,000 CSPs provide encryption for stored data.
So what should businesses look for in a cloud service?
There is a legal dimension to this question, since being able to uphold your trade secret rights in court requires that you exercise “reasonable efforts” to protect them yourself. Your efforts will be judged in hindsight, and in any event you should view the standard as a minimum, not an aspiration. This means doing the due diligence to find out what sort of risks you may be taking on with a CSP, and working to minimize them.
First, be realistic about the risks to your data. According to the McAfee report, 80% of companies experience third party theft of cloud-stored data each month, with an average rate of 12 incidents per month. Chillingly, the report claims that cloud credentials for 92% of companies are for sale on the “Dark Web.” (Does this make you feel better about the value of two-factor authentication?)
Second, find out what the CSP does about security, and how it aligns with the policies and procedures of your organization. Are they certified under the ISO 27000 series of standards and do they guarantee continued compliance? Look for robust controls in the four primary areas of information security: deterrence, protection, detection and incident response. What features come as part of a package, and what options exist for enhancing them?
Third, learn how the provider actually manages specific security issues. Do they outsource any of their own infrastructure? How do they address internal threats from their own personnel? How do they guarantee separation of data? How will they ensure proper deletion of data?
Fourth, and speaking of guarantees, what does their contract say about the issues that matter most? Do they acknowledge that your data belongs to you? (About half will fail that test.) Do they accept liability for loss or contamination of your data? Do they guarantee logging and audit trails that will allow you to comply with existing and emerging government standards for data management compliance?
Finally, take a look in the mirror and accept that when you share your data with anyone, security becomes a shared responsibility. Make sure that you have robust software tools to help you monitor and receive alerts about what is going on. And take the opportunity to review carefully your own internal procedures, especially authentication protocols. Security management in the cloud forms a chain, and you may be its weakest link.
Over the course of two weeks, the United States has imposed tariffs on hundreds of billions of dollars of Chinese goods and has blacklisted Huawei, the world’s largest telecommunications company, on national security grounds. Google, Intel, Qualcomm and Micron have announced that they will stop doing business with the company. The United States has even threatened to withhold intelligence from our key allies if they go forward with plans to use Huawei equipment.
Although there are many issues driving this newly escalated trade war between the United States and China, chief among them is the concern that China and its companies are engaged in intellectual property theft. Say what? Upend global markets over infringement of private technology rights? This must be pretty serious. Let’s take a closer look.
First, a bit of historical perspective. Spying between countries to get access to military and other state secrets has been common for thousands of years. Economic espionage arguably got its start 500 years ago, with the introduction of patent laws, which at the time rewarded whoever was first to import useful technology into the country. No need to be an inventor; just find something new and hurry back to your home country’s patent office.
When I was working at the United Nations in Geneva, we encouraged developing countries to adopt strong IP laws. Their diplomats often took pleasure in reminding me that the United States had launched its industrial revolution with textile technology stolen from England. (You can find the real story of Samuel Slater’s 18th century escapades here.)
By the middle of the 20th century, America had become an economic superpower, and it witnessed Japan rebuilding its economy with cheap knockoffs of U.S. merchandise and some outright trade secret theft. However, over time, Japanese industry innovated, and laws protecting intellectual property followed. The same natural progression based on self-interest in domestic innovation happened in South Korea, which now has a very strict set of laws protecting trade secrets.
For China, going from industrial copycat to tiger (or more appropriately, dragon) has followed a similar path. For example, starting from scratch in the 1980s, China took only 30 years to build the largest and one of the most respected patent systems in the world. This was possible only because the government established domestic innovation and the intellectual property to accelerate it as top strategic priorities. And it has made considerable progress in harmonizing its laws, as I have recently explained.
But China is a special case when it comes to risk of information loss. Not only is it roughly the same size as the U.S. market, but its economy blossomed during the global transition to the information age. That means that secrets are much easier to acquire than back when everything was on paper. And given our dependence on global networks for the transmission of critical data assets, it’s easy to see why Huawei, building the gear to drive those networks, seems like a serious threat. This is so even though the company is privately owned and insists that it will not obey any orders from the government to tap into the systems it is building; after all, critics point out, China’s economy is controlled by the Communist Party.
This begs the question of what to do about the problem. The Trump administration has decided that China has more to lose than the United States in a trade war, and so it has turned to tariffs, and the banning of Huawei, as a way to squeeze the Chinese and force them to stop stealing, reform their laws and open their markets. Coercion can sometimes work, I suppose (unlike the president, I have not written a book on how to make a deal). But history, and the fundamentals of negotiation, point to serious danger.
When one party to a transaction raises the stakes to existential levels to get attention, it risks that the other party will be driven away, not just from the transaction, but also the relationship. Here, the Chinese show more signs of digging in than backing down. Within days of the tariff announcement, China’s president, Xi Jinping, together with the vice-premier responsible for U.S. trade negotiations, paid a very public visit to a large factory processing rare earths, the ingredients essential to lithium ion batteries and other modern technologies. China controls 90% of the world’s supply. And the chosen factory happened to be located in Jiangxi, where in 1934 the Communist Party began its famous “Long March,” a 4,000-mile strategic retreat in painful preparation for its eventually successful fight against the Nationalist forces of Chiang Kai-shek.
The message could not have been weightier or clearer. China is preparing its government and people for a long struggle against the increasingly adversarial United States. It has vowed to “take all necessary measures” in response to the blacklisting of its national champion Huawei, which could result in reinforcement of Huawei’s position in markets not controlled by the United States. According to the company, it has stockpiled critical components as it prepares to manufacture its own semiconductors, freeing it from reliance on U.S. manufacturers.
While it’s possible that the U.S. strategy may produce some sort of agreement in the short term, it’s at least as possible that another result will be the long-term “decoupling” of the Chinese and U.S. economies. That outcome would cause significant harm not only to U.S. industry, which continues to see China as a growing market (trade between the two countries tripled from 2004 to 2018, reaching $660 billion), but also to the global technology-based economy, which relies on common standards and accessible markets.
While the concerns around trade secret theft are real and need serious attention, we should be considering ways to address them that don’t create so much risk of collateral damage. We should accept that China is a controlled economy and that certain aspects of its governance will not change to match our own. As we have done in the past—most notably beginning with the 1994 negotiations leading to the TRIPS Agreement—we should engage in multilateral diplomacy to establish new agreements for the robust enforcement of intellectual property rights, including trade secrets. And we should use our current technological advantage to develop a new generation of encryption tools and other measures to detect and prevent espionage. This would mimic the framework for trade secret protection in our own country, where we provide strong enforcement mechanisms but also require that companies exercise their own “reasonable efforts” to reduce their information security risk.
U.S. industry has invested decades of effort and billions of dollars in securing footholds in the Chinese market, which holds enormous promise over the long term. Our domestic companies have come to rely on global supply chains, most of which run through China. It would be very difficult to disentangle and relocate all those supply relationships. And in the meantime, China has the power to cause our businesses a world of hurt. It’s not just about rare earths. China provides 95% of the world’s fireworks. Think about that during the upcoming Independence Day celebrations.
What is at stake in this trade war animated largely by intellectual property is nothing less than the life blood of global trade. Innovation is like growing fruit trees. You get the best results from cross-pollination. While we should not tolerate theft of our intellectual capital, neither should we give up the chance to find mutual benefit from old-fashioned diplomacy and negotiation. We worked hard to interest China in joining the World Trade Organization and other multilateral institutions so that we could all enjoy the synergies of free trade; we should consider making more use of those institutions and relying less on unilateral boycotts.
Laws to support trade secret rights are critical to the information economy. It may seem counterintuitive, but by enforcing confidential relationships through trade secret laws we make it possible to disseminate and commercialize innovation. Erecting a new iron curtain that separates technology markets and standards between Chinese and American spheres of influence would seriously diminish that effort.
Yes, it’s important to stand up against theft of IP; but creating new barriers may not be the best way to do that. As Denzel Washington said in the 2014 film The Equalizer, “When you pray for rain, you gotta deal with the mud too.”
In 1994, the United States was winding up the Uruguay Round of trade negotiations leading to the establishment of the World Trade Organization (WTO). Tucked in among the toothbrush and rice tariffs was the Agreement on Trade-Related Aspects of Intellectual Property. The TRIPS Agreement was seen as a breakthrough, setting common standards for protecting IP, including provisions on trade secrets that closely aligned with U.S. law.
Twenty years later, I visited a friend at the WTO to find out what had actually been happening as a result of TRIPS. I was especially interested in what countries had done since 1994 to bring their national laws into harmony with the trade secret requirements. Because each member of the WTO was supposed to submit reports on its compliance, I asked about them. Yes, we have them, my friend told me. They were in boxes in the next room. But no one had ever read them.
Just months before my visit, the European Commission had received an industry report lamenting the legal chaos facing companies that tried to enforce their trade secret rights in Europe. Although every one of the 27 member states of the EU was also a signatory to the TRIPS agreement, virtually none of them was in compliance. In response, the Commission issued a “Directive,” instructing all member states to (finally) harmonize some basic aspects of their trade secret laws.
At about the same time, business interests in the United States were pushing Congress to enact the Defend Trade Secrets Act, and it passed almost unanimously. As part of the bill, Congress expressed deep concern about foreign misappropriation of American secrets, demanding regular progress reports.
It seems that governments have been waking up to the serious challenge of trade secret theft.
To better inform its members about this emerging phenomenon, the International Chamber of Commerce in 2017 established a Task Force on Trade Secrets, which has just issued its report, available here. I was privileged to serve as co-chair of this effort, along with Stefan Dittmer of Dentons in Berlin. Although the primary focus of our study was the push for new laws in Europe and the U.S., it includes observations and lessons relevant to leaders and policymakers across all jurisdictions.
One key aspect of our analysis focused on the challenge of dealing with trade secret disputes in countries with a civil law tradition, which is to say most of the world outside the U.S., the U.K. and the Commonwealth. Trade secret theft almost always happens without the victim’s knowledge, and so to present its case the owner needs access to evidence of what happened. But civil law jurisdictions do not provide for information exchange between parties to a lawsuit. Since changing their basic legal framework (and especially embracing the U.S. civil discovery system) is not an option, countries attempting to address the problem have to find other solutions.
The most promising of these involves shifting the burden of proof in cases where the circumstantial evidence seems strong—such as the development of a similar product in an unusually short time after access to the plaintiff’s secrets—and requiring the defendant to prove independent development. This was considered in China last year as an amendment to its Anti-Unfair Competition Law (AUCL), but didn’t make it into the final version. However, very recently—perhaps influenced by ongoing trade negotiations with the United States—China has announced that this provision has been approved as part of new Article 32 of the AUCL, along with the right to seek quintuple damages as a deterrent. (Thanks to Jill Ge of Clifford Chance for the update). Although we need to see how the new law will be applied in practice, it is a very encouraging development.
Countries can also turn to a more classical approach by treating trade secret theft as a crime, which allows the state to gather evidence through a seizure. In 2013, Taiwan added criminal remedies to its trade secret statute, and in 2016 Japan expanded the scope of its existing criminal law to theft of Japanese secrets committed outside of Japan. Both of those changes came as a result of highly publicized civil cases brought by leading domestic companies.
Back in the United States the Trump administration has recently signaled an increased enthusiasm for criminal investigations involving foreign actors. In November 2018, UMC, a leading semiconductor company in Taiwan, was indicted along with a Chinese partner Jinhua, for allegedly stealing secrets from U.S.-based Micron. For the first time since the Economic Espionage Act was passed in 1996, the government also requested an injunction barring imports of certain devices. And in January 2019, the Justice Department indicted China’s Huawei for stealing trade secrets from T-Mobile, even though a jury in the civil case brought by T-Mobile had declined to award any damages. In addition to trade secret theft, the government charged obstruction, based on Huawei’s having engaged in a “bogus investigation” of the incident.
We’ve come a long way since the 1994 TRIPS Agreement, which didn’t seem to generate much interest in trade secret laws. Now, with industry’s increased reliance on data and the willingness of international businesses to plead their case to policy makers, governments around the world are recognizing trade secrets as an asset class that demands special treatment. The Report of the ICC Task Force on Trade Secrets provides a checklist of leading issues to inform efforts to improve domestic laws: (1) give trade secrets their due as a form of “intellectual property;” (2) provide the victim access to proof of misappropriation; (3) ensure that secrets are protected during litigation; (4) award full damages and costs; and (5) avoid creating broad exceptions to trade secret rights.
It’s unfortunate that no one read any of those TRIPS reports years ago. I urge you to take a look now at the ICC report. You’ll come away with a better understanding of how data assets, which travel the world at the speed of light, demand a coordinated approach from governments and industry
We all talk about the importance of data as business assets, but when it comes to buying and selling the companies that own them, we seem not to pay much attention. My anecdotal survey reveals that colleagues who focus on mergers and acquisitions confess to a lack of focus on trade secrets.
This may seem odd, even crazy, given the increasing percentage of industrial property represented by intangible assets—up from 17% in 1975 to 84% in 2015. The problem appears to start with the fact that secret information, no matter how central to the success of the business, is mysterious. Unlike the “registered rights” of patent, copyright and trademark, there are no government certificates defining secrets; and valuing them is hard. Add to that the imperative to get deals done faster and cheaper, and it’s easy to see how secrecy may have become the blind spot of transactional IP.
And there are plenty of opportunities to miss things. The statistics for 2018 reflect 49,000 M&A deals worldwide, accounting for $3.8 trillion (yes, trillion) in cumulative value. Given what we know about the extent to which industrial assets are intangible, and given the well-known preference for using secrecy to protect innovations, we would expect that the “due diligence” review for most transactions would include an intense examination of the target company’s trade secret assets and liabilities.
But that’s not what’s happening. I have spoken to quite a few lawyers who participate in this work, and have also reviewed dozens of due diligence “checklists” they typically use to guide their investigations. In many cases I was surprised to learn that trade secrets are not even on the list, crowded out by the “registered” IP rights—patents, trademarks and copyrights—that can be counted and (presumably) more easily valued. And where trade secrets are included, it tends to be a cameo appearance, usually just a note to ask the company how it protects its proprietary information from disclosure. Sometimes, I was told, the “momentum” of a deal leads to a reduction of even these minimal inquiries.
Inattention can have serious consequences. For the target of an acquisition, there is the almost existential risk of exposing core secrets to a suitor who ultimately walks away from the deal and goes into direct competition. But the potential buyer also faces a broad array of hazards, including exposure to information that could compromise its own internal development, failure to uncover liabilities from access to third party data, and ultimately a lack of preparation for the post-closing integration of different confidentiality cultures and processes.
Let’s first consider the target company. It may seem strange, but the target’s first priority should be the risk of success: if the deal goes through, it will have to provide very extensive “reps and warranties”—essentially, guarantees about the security of its information assets and freedom from third-party claims. The target needs to start preparing for this moment early in the process, by revisiting its trade secret protection program as well as its compliance with outstanding nondisclosure agreements (NDAs).
And then there is the more classical risk of the acquirer abandoning the deal after having had a close look at the target’s secret technology, strategies and other data. The best way to address this risk is through what I call progressive incremental disclosure: starting with a non-confidential exchange, and then working gradually through increasingly sensitive information as trust and confidence build. Ultimately, the target needs an NDA with maximum protections, including a broad definition of confidential information and protection for verbal disclosures. Beware of time limits and exceptions like the “residuals clause” (see below).
For the potential acquirer, the primary objectives are to keep options open and avoid unnecessary contamination by the target’s data. That risk is particularly fraught when the company already has an internal development program in place and is going to the market to consider alternatives. The biggest mistake is to include in the deal team people who are also involved in the internal project. Some situations are so sensitive that the potential acquirer may hire a third party to do the due diligence and provide only recommendations, without revealing any of the target’s technology.
The ideal NDA for the suitor is different than for the target, and that initial contract should be very carefully considered and negotiated. To limit administrative burden, obligations of confidentiality should expire after a set time. Verbal disclosures of the target’s secrets, if not forbidden, should be subject to a strict documentation requirement. And where the company has enough leverage, it should insist on a “residuals clause” that allows any use of the target’s information that is “retained in the unaided memory” of the individual participants after all the documents have been returned.
Once confidentiality obligations have been settled, due diligence can begin in earnest. And at least as to trade secrets, this needs to be more than a box-checking exercise. What are the target’s most valuable data assets, how vulnerable are they, and what has the company been doing about that vulnerability? Deploying cybersecurity controls is good but only addresses a fraction of the problem, since the vast majority of losses occur through employees or contractors, or through trusted external relationships. Systems and procedures for managing information risk need to be thoroughly examined.
All of this learning informs not just the decision whether or not to acquire the target company, but also the inevitable challenges that will confront the acquirer after closing the deal, as it attempts to integrate a new group of colleagues who may have been operating under a very different confidentiality regime, or perhaps none at all. The transition plan should account for the policy and process gaps discovered during diligence together with a robust training program to reinforce the new access and security regime.
Participants in the M&A mating dance should not let their enthusiasm for the deal get in the way of a clear understanding of the assets being acquired. There are more than enough business risks to go around, and secrecy management can always be improved. But you have to pay attention to it.
"When I use a word, it means just what I choose it to mean, neither more nor less."
— Humpty Dumpty (to Alice)
It seemed like a trade secret trifecta when Congress in 2011 passed the America Invents Act (AIA). Although the statute was aimed at patent reform, it made three helpful changes in how trade secrets are treated. First, companies could hold onto secret information about an invention without risking invalidation of their patents for failing to disclose the “best mode” of implementing it. Second, the “prior user right” that guarantees continuing use of a secret invention, even if someone else later patents it, was extended to cover all technologies. And third, the law would no longer deny a patent simply because the inventor had already commercialized the invention in a way that didn’t reveal it to the public.
Or so we thought. That last change depended on how you read the legislation. The long-standing requirement that an invention could not be “on sale” or “in public use” more than a year before filing a patent application was still there. But Congress added a qualifier to 35 U.S.C. §102: there would be no patent if the invention had been “in public use, on sale, or otherwise available to the public . . . .”
Before the AIA, the courts were strict about the consequences of choosing trade secret protection over patents. If the inventor used the invention for commercial purposes, the patent clock started ticking, even if the use was behind closed doors and did not inform the public about the invention itself. The same was true of a commercial sale of a product that used the invention, even though the contract of sale was confidential. The only real exception was for “experimental use” to refine the invention before it became ready for patenting. But even getting a prototype tested under a nondisclosure agreement could fail to qualify if there were other terms implying commercialization, like payment to the inventor.
The logic behind this interpretation of “public use” was explained eloquently by Second Circuit Judge Learned Hand in Metallizing Engineering Co. v. Kenyon Bearing & AP Co., 153 F.2d 516 (2d Cir. 1946). An inventor may indefinitely “practice his invention for his private purposes of his own enjoyment and later patent it.” However, once an invention is “ready for patenting” the inventor may not “exploit his discovery competitively” for more than the one-year grace period; otherwise “he forfeits his right regardless of how little the public may have learned about the invention.”
The insertion in the AIA of the phrase “or otherwise available to the public” indicated that Congress intended to change this rule and to provide that only uses or sales that informed the public of the invention would bar a patent. This seemed apparent just from normal standards for interpreting English, in which “otherwise” should be understood to refer to the terms coming before it. In addition, during consideration of the legislation, sponsors of the bill had taken the floor of the Senate to express their views that the new phrase would have the effect of limiting patent forfeiture to situations where the public had been informed of the invention and not just enjoyed its outputs.
Most commentators (myself included) embraced this interpretation of the AIA. And so did the U.S. Patent and Trademark Office (USPTO), which in its official regulations concluded that new section 102 “does not cover secret sales or offers for sales.” It seemed as though companies considering patenting would be able to engage in a variety of transactions to bring the benefit of their innovations to the public without risking their right to patent, so long as they didn’t publicly reveal the specifics of their invention.
Alas, assuming this is what Congress intended, they weren’t clear enough about it. In a case that tested the assumptions of the IP community, the Supreme Court recently decided that the law on public use and sale had not changed with the AIA. In Helsinn Healthcare v. Teva Pharmaceuticals, the owner of a new drug gave exclusive marketing rights to another firm, more than a year before applying for a patent. The agreement itself was publicly announced, but the dosage information claimed in the patent was kept confidential. Although something like a “sale” had taken place, the invention had not at that point been “available to the public.”
No matter, said the Supreme Court. Citing to its opinions going back as early as 1829, the court emphasized the significance of a public “sale” that effectively put the invention in commerce and beyond the ability of the patent system to pull it back. Judicial decisions about public use and sale never required that the invention itself be revealed to the public; and such a long-standing and clear interpretation could not be overturned by the “oblique” language of the AIA.
So where are we now? First, it’s still true that trade secret protection received a big boost from the AIA, through its changes to the “best mode” doctrine and the broad extension of prior user rights, which allow a company that had been practicing an invention in secret to keep using it in spite of a later patent (so long as the location and scope of use don’t change). These amendments removed a significant amount of the “trade secret anxiety” that had been created by patent law.
Basically, companies are free to classify and protect information assets through secrecy, even if the information closely relates to a patented invention, without fear that their patent will be invalidated. And by choosing to use secrecy rather than patenting to protect their innovative technology, executives can still sleep soundly knowing that a later patent can’t block them from continuing to use that technology.
But what about those “secret sales” and “public uses” that aren’t fully public? What can be done to stay out of trouble as the enterprise moves from invention to commercialization? How can you preserve your option to choose between secrecy and patenting as you get closer to market introduction?
One general piece of advice is to file for a patent at the earliest time. (Your patent lawyer can help you decide when an invention is “ready for patenting.”) The AIA was designed to encourage and reward early filing, and one of the best ways to keep your options open is to file a provisional patent application. That application, and the non-provisional application that follows it, remain unpublished for 18 months, giving the business time to consider the relative advantages and drawbacks of a patent over a trade secret, as well as the scope of what might go into a patent and what might be kept out. At any time during the 18-month period the application can be pulled and the information maintained in secret.
Key to avoiding patent forfeiture is to focus on the role of third parties in the process of commercializing your product. This is especially tricky for smaller companies, which can’t always afford to optimize the innovation in-house but have to depend on outsiders to test and improve it. Here, the good news is that you are in control of the risk, so long as you are keenly aware of it. To claim the benefit of the “experimental use exception,” make sure that your external testing programs are focused only on refining the product, not getting paid for it. And require that all participants sign strong nondisclosure agreements.
As your company builds and executes its go-to-market plan, you will often want to sign up distributors, resellers and other partners ahead of a product launch. There’s nothing wrong with that in the abstract, but you need to pay attention to how those transactions might affect your right to file a patent on an important invention. Even if no product has actually changed hands, you might have engaged in a “sale.” And even if no one else knows the still-secret invention you want to patent, your use of it may be deemed “public.”
Yes, this stretches the logic inherent in English grammar. But what can I say? It’s the law.