“The more you tighten your grip, the more slips through your fingers.”— Princess Leia speaking to Tarkin in the first Star Wars movie
Princess Leia wasn’t the first person to use the “tighten your grip” metaphor, but I think she’s the most memorable. To be totally accurate, she warned Tarkin that “more star systems will slip through your fingers.” And her philosophizing did not stop him moments later from using the Death Star to destroy her home planet, Alderaan. But that’s a quibble. The point for our purposes is that tightening your grip on a company’s trade secrets can actually lead to losing them. Stay with me here; this kind of excessive protection is more widespread than you might think, and most companies don’t appreciate the risks that they are taking by overdoing it.
The first category is legal risk. Recall that courts require, as part of any case for misappropriation of trade secrets, that you prove you have taken “reasonable measures” to maintain control over the information. Because most trade secret loss happens through employees, you might assume that judges want you to have strong confidentiality agreements. And you would be right; in fact, if you don’t have them, you are statistically likely to lose. But here’s the hidden problem: if your employee non-disclosure agreements (NDAs) are too broad, courts could throw them out.
On this issue lawyers may not be your best friend. Trained to turn over every pebble on the path, they come up with contracts that identify as “confidential information” everything that happens or is communicated in the business. Avoiding any attempt at actually explaining what makes particular information sensitive and in need of special handling, they opt instead for an open-ended set of examples, usually preceded by “including but not limited to” and listing such high-level abstractions as “all information regarding business methods and procedures, clients or prospective clients” or any information the employee “may obtain knowledge of” while working for the company.
This was the language used in one recent case, TLS Management v. Rodriguez-Toledo, where the judge concluded that the contract would cover information that was in the public domain or general knowledge of the sort that employees are supposed to be able to take to the next job. The court refused to “fix” the agreement by narrowing its terms and instead held that it was totally unenforceable.
Let’s pause and acknowledge that the business is always on the razor’s edge regarding confidentiality agreements, in the sense that employee NDAs must be fairly vague. That is because at the outset no one can predict exactly what trade secrets the company will have, and what the employee will be exposed to, during what may be years of employment.
But what seems a conundrum for the business – how to be comprehensive enough without being overbroad – can be resolved if there’s not almost exclusive reliance on the contract (and perhaps an equivalently vague Code of Conduct or Employee Handbook). The business has it within its power – and some courts might say has the responsibility – to communicate effectively to the workforce about confidentiality by training and other messaging delivered throughout the employment lifecycle. This can continue through the exit process, which presents a particularly powerful opportunity to ensure a common understanding of what the company views as its trade secrets and what are its expectations for the departing employee’s behavior after they leave.
The second kind of risk is operational. By making your confidentiality controls and rules too complex, or too demanding, chances are that a substantial portion of the workforce will either ignore them, or even deliberately circumvent them. For example, consider the requirement that the word “confidential” must be placed on every sensitive document. Unless you have a simple and easy way for people to add that term every time, they will tend to ignore the rule, especially if they see that others are doing the same. Another example is the prohibition against taking confidential information off the premises (or sending it to a private email address), when people need to work at home to get the job done.
In a Texas case where I testified as an expert in 2021, FMC Techs. v. Murphy, the company had sued a departing senior engineer for taking a secret, unpublished patent application describing undersea oil drilling equipment. The company had a suite of policies about protecting confidential information, including a requirement to mark sensitive documents. But in practice, documents were seldom marked “confidential,” including the patent application at the center of the dispute. Worse, the senior manager in charge of engineering couldn’t even explain what confidential information was. Basically, this was a company with valuable information, but they had decided to protect it mainly by patenting, and ultimately failed to police compliance with the “standard” rules they had established for trade secrets.
The jury decided that the claimed trade secrets didn’t qualify, because the company failed to exercise reasonable security measures. The moral of the story: if you create a rules-based framework for trade secret protection, you need to enforce it. And a corollary: only create rules that you reasonably expect the workforce to follow.
Trying to protect every bit of the company’s information as if it is equally important creates its own set of risks. First, that approach almost always results in a false sense of security. It leads management to think “we have set up really tight procedures for handling secrets, and so we must be safe.” The trouble is, the vast majority of information loss – whether through carelessness or espionage – happens below the awareness of management. When you have lost control of secret information, it’s still there, so you may not know that there’s a problem. As a result, you can easily miss all sorts of related vulnerabilities and ways to address them.
Second, by treating everything at the same level of sensitivity – for example, by giving all your engineers access to the entire database of information about the company’s ongoing research and development – you may think that you are encouraging collaboration and creative work. But by choosing not to partition access by project groups, you could be missing opportunities for more supervised collaboration, where managers know what’s going on, participants stay focused on their projects, and confidential information is less likely to leak.
Third, overly aggressive rules can slow things down when they need to move very fast, as in response to a reported data breach. The same phenomenon can work to reduce compliance with external regulatory requirements, where a too “locked-down” environment collides with the need for a certain amount of managed transparency that enables effective reporting.
Fourth, and perhaps most important, your workforce, properly trained and incentivized, is your primary bulwark against possible loss or contamination of data assets. If you put them inside a security regime that is too strict, not only do you risk noncompliance and circumvention, but you will be sending a message that you don’t trust them. Conversely, if you design your systems in a way that distributes an appropriate level of authority to determine what is confidential and how to protect it, employees are likely to be more engaged and effective.
This balanced way of implementing security measures takes more time and effort than simply issuing a standard set of policies and expecting that they will work. You need to have a good idea of what data assets are most important for protecting the company’s competitive advantage, and what are the risks to their integrity. From that point, you manage to those risks, and not so much to a precooked set of rules. Be realistic about what can work in your business. Often, that requires that you relax your grip.