We talk more about patents, but it is our secrets that we should be worried about. Control of confidential information has been key to business success for centuries. Long before patents were − so to speak – invented in Venice in the 15th century, China had a lock on the production of silk, which at the time was more valuable than gold. The Industrial Revolution brought a focus on the factory, guarding formulas and processes for transforming raw materials into commercial goods. But it has been the Information Age, in which data is the raw material, that has made us fully appreciate the critical importance of trade secrets. Indeed, while companies have always gathered data about how to improve their business, these days data collection and analysis are forming the core of their business models – think Amazon and its algorithmic understanding of your buying habits.
According to a 2021 report from the National Science Foundation, businesses view trade secrets as more valuable than patents, by a significant margin. Across enterprises of all sizes and industries, 23% consider trade secrets as important, while utility patents lag far behind at 8%. You might say that is because the sample includes businesses that have no real interest in intellectual property. But when you sharpen the focus on companies that engage in R&D, the preference for secrecy remains, with 76% seeing trade secrets as very or somewhat important, and just over 50% assessing patents that way.
This does not mean that patents are fading away – there is nothing quite as powerful as the ability to exclude others from using your invention. But over the last 15 years in the United States, we have experienced an erosion of patent enforcement through court decisions, along with a lift for trade secrets from the America Invents Act. That statute effectively removed the requirement that an inventor reveal the ‘best mode’ of an invention, allowing implementation details to be retained as a trade secret without risking the invalidation of the patent. The law also expanded prior user rights to all areas of technology, making it safer for a company to choose secrecy for technology that might later be patented by someone else. These developments have helped shine a light on trade secrets – not necessarily as an alternative, but certainly as a more robust companion to patent protection.
Although we now recognize these information assets as extremely valuable, how to manage them is not so obvious. Many people inside and outside a company must have access to these assets, usually through electronic systems for storage and communication that are inherently insecure. Therefore, if you are faced with this challenge, a lot of your effort will be spent simply on not losing control of what you have. But equally, sensible management requires that you realize the potential of your data to enhance enterprise value, by ensuring that managers focus on putting it to work in the business.
Fine, you might say, but how do I do that? I am comfortably familiar with the registered rights, I know what they are, I can count them, and there are accepted ways to value them and to sell the ones I do not need. In contrast, managing information sounds like tying string around a cloud. Where do I start?
First, some good news: the legal requirement for establishing a trade secret aligns very well with achieving the corporate purpose of protecting and exploiting it. The basic law expressed in Article 39 of the TRIPs Agreement requires only "reasonable steps" to maintain secrecy of information that provides some commercial advantage. National laws reflect this fundamental policy to protect information so long as the business has taken reasonable measures to keep it confidential. But what does 'reasonable' mean? One recognized implication is that perfection is not required, otherwise any act of misappropriation would prove that you had failed to do enough. The law accepts that you cannot anticipate every kind of mistake or misbehavior by those whom you have trusted with access.
In effect, the law expects what the company's board expects: that management will exercise ordinary prudence under the circumstances to protect assets of the business. That means that you identify and analyze the risks and make a thoughtful determination about how to eliminate or reduce them. In other words, the framework for proper handling of trade secrets is nothing more than an application of classical risk management. One useful example of this sort of risk-based approach can be found in the Cybersecurity Framework published by the National Institute of Standards and Technology. Although originally directed at protection of critical infrastructure such as the financial system and energy grids, the institute's framework has been used as a general information security guide by businesses of all sizes in a variety of sectors.