Overview of Ways to Legally and Practically Protect Your Company from Industrial Espionage
As we discussed in a previous article, companies can be at risk from internal and external sources of industrial espionage, in an attempt to gain an unfair competitive advantage or disrupt operations.
Owners of a trade secret have a federal cause of action against an individual or company that misappropriates their trade secret “if the trade secret is related to a product or service used in, or intended for use in, interstate or foreign commerce.” 18 U.S.C. § 1836(b)(1). The Defend Trade Secrets Act of 2016 (“DTSA”), which amends the Economic Espionage Act of 1996, defines a “trade secret” to include “all forms and types of financial, business, scientific, technical, economic, or engineering information.” However, the DTSA requires that: (1) the owner takes “reasonable measures to keep such information secret;” and (2) “the information derives independent economic value, actual or potential, from” its secrecy. Id. at § 1839(3).
There is no specific guidance on what constitutes “reasonable measures” that an owner must take to keep their trade secrets safe. As a result, whether measures are “reasonable” significantly depends on the nature of the trade secret at issue. In Dairy, LLC v. Milk Movement Inc., the plaintiff, Dairy, LLC (“Dairy”), sought a preliminary injunction to prevent the defendant, Milk Movement Inc., from using secret methods used in Dairy’s payroll software. The methods in Dairy’s payroll software enabled its clients to maximize benefits related to milk prices paid to dairy producers by milk handlers. No. 21-cv-02233, 2022 U.S. Dist. LEXIS 34072 (E.D. Cal. Feb. 25, 2022). The trial court held that Dairy had not shown any reasonable measures were in place to protect its trade secret. The trial court noted that Dairy posted screen shots of its software on its own website that included placeholders for data input, such that the software could be reverse engineered. See Dairy, 2022 U.S. Dist. LEXIS 34072at *4. Accordingly, the trial court denied the injunction.
In contrast, in United States v. Lange, Matthew Lange appealed his conviction for violating section 1832 of the Economic Espionage Act on the basis that the company did not take reasonable measures to protect its trade secrets. 312 F.3d 263, 265 (7th Cir. 2002). The Seventh Circuit Court of Appeals found that the company, Replacement Aircraft Parts Co. (‘RAPCO”), did take reasonable measures to protect its computer-assisted drawing (“CAD”) information. RAPCO protected its CAD information by storing it in a room with a special lock. Even though engineers, drafters, and other employees had access to the CAD room, the Seventh Circuit found RAPCO used reasonable measures to protect its trade secrets because employees needed authorization to access the room. See id. at 266.
State civil laws for the misappropriation of trade secrets are also available for companies that have had trade secrets stolen. Currently, 48 states and the District of Columbia, Puerto Rico and the U.S. Virgin Islands have enacted some form of the Uniform Trade Secrets Act (“UTSA”). The UTSA defines “trade secret” to include “information, including a formula, pattern, compilation, program, device, method, technique, or process, that: (1) derives independent economic value, actual or potential, from not being generally known to the public or to other persons who can obtain economic value from its disclosure or use; and (2) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.”
New York has not enacted the UTSA. Under New York law, a trade secret owner must demonstrate “(1) that it possessed a trade secret, and (2) that the defendants used that trade secret in breach of an agreement, confidential relationship or duty, or as a result of discovery by improper means.” N. Atl. Instruments, Inc. v. Haber, 188 F.3d 38, 44 (2d Cir. 1999). New York courts have considered various factors in determining whether information constitutes a trade secret. These factors include, but are not limited to: “(1) the extent to which the information is known outside of the business . . . [(2)] the extent of measures taken by the business to guard the secrecy of the information . . . [and (3)] the ease or difficulty with which the information could be properly acquired or duplicated by others.” Id. at 44 (citation omitted).
In North Carolina, the Trade Secret Protection Act (“TSPA”) states: “[t]he owner of a trade secret shall have remedy by civil action for misappropriation of his trade secret.” TSPA at § 66-153. Under the TSPA, a trade secret is defined as business or technical information that “[d]erives independent actual or potential commercial value from not being generally known or readily ascertainable through independent development or reverse engineering . . . [and is] the subject of efforts that are reasonable under the circumstances to maintain its secrecy.” TSPAat § 66-152(3).
In Barr-Mullin, Inc. v. Browning, an appellate court upheld a trial court’s ruling granting a preliminary injunction for the plaintiff, Barr-Mullin, Inc. (“Barr-Mullin”) against the defendants, Douglas Browning and Primavera Systems, Ltd., (the “Defendants’). 424 S.E.2d 226, 228 (N.C. Ct. App. 1993). Specifically, Barr-Mullin alleged that the Defendants misappropriated their trade secrets in the COMPU-RIP software. Id. The Defendants argued that, because they had reverse-engineered the software, Barr-Mullin did not take reasonable efforts to maintain its secrecy. Id. at 229. However, the appellate court upheld the injunction after finding that Barr-Mullin took reasonable efforts to maintain the secrecy of its software by distributing the COMPU-RIP software in the form of object code, which can only be read by a computer and not a computer programmer. Id. at 229. Furthermore, Barr-Mullin was not required to establish that it was impossible to reverse engineer the source code. Id. at 230.
Practical Ways to Protect Your Business’s Trade Secrets
Both the DTSA and UTSA require that a trade secret owner take “reasonable measures” to prevent a bad actor from misappropriating their trade secrets. Again, there is no specific guidance to determine the parameters of “reasonable measures.” Companies must balance the need to protect proprietary information without unnecessarily restricting access to employees who require such access as part of their job responsibilities. While a separate article will discuss in greater detail the remedies available to companies harmed by industrial espionage, constant vigilance is the best way to protect trade secrets.
When considering how to mitigate risks, companies should ensure that trade secrets are always marked and maintained on secure servers. Clearly marking and identifying trade secrets, along with appropriate security measures for servers, will not only allow companies to potentially seek redress pursuant to the DTSA and UTSA, but may also prevent the inadvertent disclosure of trade secrets. The company’s secure servers should restrict access to confidential information and be assessed and updated regularly.
Simply informing employees that certain information is a trade secret is insufficient without additional protections in place. Companies may want to consider requiring employees to sign confidentiality agreements pledging to maintain the company’s proprietary information. Such an agreement should describe the specific trade secrets that should not be disclosed. Companies should also have vendors sign non-disclosure agreements and offer training to both vendors and employees to ensure they understand the expectations when handling proprietary information. Companies should treat their non-disclosure agreements as contracts with their employees and note any limitations. For example, employment contracts for limited durations should nonetheless require the employee to keep trade secrets confidential following the termination of the contract.
In addition, companies should also consider physical measures to protect sensitive information. Physical measures can include storing sensitive information in a room protected by a special lock, an alarm system, and/or a motion detector. The company can limit access to employees and executives who require the sensitive information to perform their duties, and minimize the number of copies of sensitive information. The company should also establish a policy for the proper disposal of confidential information.
For employees who no longer work with the company, access to confidential information should be severed as soon as practicable. The company should conduct an audit of all confidential information to determine whether the former employee improperly downloaded or copied any data. Also, the company should require outgoing employees to sign an agreement declaring that they have not downloaded any company information or have any company information in their possession. This agreement allows a company to request a court to immediately prevent the former employee from further disclosing trade secrets in the event that it is discovered that the former employee has taken any company information.
Furthermore, establishing and practicing procedures to quickly respond to the misappropriation of trade secrets is vital. Limiting the widespread exposure of trade secrets can be difficult once they have been released to the public. Companies may want to consider establishing a response team that regularly practices and updates the policies and procedures in place to protect confidential information.
Protecting trade secrets is an ongoing pursuit. Companies should monitor and update procedures at least annually in order to maintain consistency and ensure compliance. Otherwise, if reasonable measures are not taken, legal remedies may not be available. As a company grows, its trade secret protection efforts should also evolve.