[BreachExchange] Five Steps to Lower the Risk of Trade Secret Theft from Business Partners
Inga Goddijn
inga at riskbasedsecurity.com
Wed Feb 15 19:39:51 EST 2017
http://www.lexology.com/library/detail.aspx?g=5b8c1509-ab4b-4b8d-a181-f48877fcc22a
As stories of international and domestic hacking and espionage dominate the
news cycle, it’s easy to forget that when it comes to trade secrets,
employees and business partners—not hackers—pose the biggest threat. *See*
David S. Almeling et al., *A Statistical Analysis of Trade Secret
Litigation in Federal Courts*, 45 Gonz. L. Rev. 291 (2009/2010).
In a recent webinar
<http://employment.gordonreeswebinars.com/november-8-2016-non-competes-non-solicitations-can-you-protect-your-business-information-from-employee-theft/>,
Gordon & Rees addressed protection of trade secrets and proprietary
information from employee theft. Here, we address some steps to help
prevent business partners from misusing your trade secrets.
1. *Identify your trade secrets and control access to them*
Before any agreements are drafted or any information or documents are
exchanged, be sure you have identified your trade secrets
<http://www.gordonrees.com/publications/2016/the-defense-of-trade-secrets-act-key-takeaways-and-recommendations-for-businesses>
(see also the definition under the Uniform Trade Secrets Act
<https://www.law.cornell.edu/wex/trade_secret>). You can’t protect them
unless you know what they are. This sounds like common sense, but
surprisingly, in the hustle and bustle of everyday work, not all companies
take the time to do this until they’ve realized their trade secrets have
ended up in the wrong hands. (Unless it is appropriate for your industry,
referring to everything as a “trade secret” is not helpful, either—for
example, your business partners are less likely to take your actual trade
secrets seriously if you claim that information you have made public are
also trade secrets.)
A trade secret “registry” could be considered favorable evidence in
court—as long as it is timely updated and actually distributed to
employees. *See Schalk v. State*, 823 S.W.2d 633, 643 (Tex. Crim. App.
1991). This registry will also help your own employees with the marking the
proper designations when such information is exchanged with a business
partner.
Securing your trade secrets in-house will not only help your case in court,
it also helps when it comes to disclosure to third parties, particularly
inadvertent disclosure. Chances are, not every employee will require access
to every trade secret. Secure physical and electronic access to the
appropriate trade secrets to the appropriate personnel.
What measures are appropriate will depend on the circumstances and will
likely evolve with time and technology. Information stored on secure
servers that had three layers of physical security passwords, 256-character
PuTTY keys, with portions possessed by only a single person was found by a
court sufficient evidence for a jury to conclude that a trade secrets owner
took appropriate measures to protect its trade secrets. *Xtec, Inc. v.
CardSmart Techs., Inc.*, No. 11-22866-CIV-ROSENBAUM, 2014 U.S. Dist. LEXIS
184604, at *26 (S.D. Fla. May 15, 2014).
On the other hand, where information was distributed to 600-700 people
where at most only 190 people signed confidentiality agreements, and where
that same information was not stamped as “confidential,” a court found that
no reasonable jury could conclude that “reasonable efforts” were made. *Tax
Track Sys. Corp. v. New Inv’r World, Inc.*, 478 F.3d 783, 788 (7th Cir.
2007).
1. *Draft tailored non-disclosure agreements (“NDAs”)*
Before any information is exchanged with a business partner, have your
attorneys help you draft a non-disclosure/confidentiality agreement
tailored to the arrangement. Not only will this agreement help you in case
you need to litigate the matter, it will provide the protocols for your
business partner to follow.
Some provisions you and your attorneys will want to consider are the
return/destruction of trade secrets at certain stages (and certainly when
the relationship is terminated), a perpetual non-disclosure and non-use
clause when it comes to trade secrets (as opposed to an expiring one), how
trade secrets will be identified/marked (and the ability to later
identify/mark previously exchanged documents), and requirements for the
business partner’s employees to sign individual NDAs and/or obtain training
on how to handle trade secrets. This is not an exhaustive list—work with
your attorney to flesh out the agreement.
Be wary of stock or template agreements; many of them may not contemplate
the specific issues that may arise in your situation. Many “standard”
agreements also contain language that relieve the business partner of its
contractual obligations of non-disclosure and non-use as soon as the trade
secrets are made public—without specifying that such public disclosure must
have been authorized by the owner of the trade secret, and without giving
the owner the chance to mitigate the effects and damage of the unauthorized
disclosure.
But no matter how perfect the agreement, it won’t matter if it isn’t
properly implemented.
1. *Train your own employees*
Identify all the employees who will be corresponding with the business
partner and make sure you train them. Let them know what information can be
exchanged, what cannot, which individuals from the business partner they
can exchange information with. Provide them with a written checklist and
designate a person most knowledgeable—or better yet, a specialized team to
direct their questions to. This team should also conduct some “spot checks”
throughout the relationship to make sure protocols are being followed.
If the relationship with the business partner will span more than a couple
months, also have a plan in place to retrain your employees in regular
intervals.
1. *Train the business partner’s employees*
Even if you require individuals from the business partner’s company to sign
an NDA, that may not be enough. You may want to provide the partner’s
employees with the necessary training, or at least provide the partner with
the necessary materials to provide the training themselves (and require
them to do so as part of the NDA). Regularly communicate with the partner
to make sure they are protecting your trade secrets, and have your
employees and your specialized team pay attention to how the business
partner is using this information as well.
1. *Create a contingency/emergency plan*
Did an employee send a trade secret to the business partner without marking
it as such? Has the business partner communicated plans that may violate
the NDA? Has the relationship with the business partner begun to go sour?
Your team should already have a contingency plan in place to deal with
these—and other—situations, and protocols to continually improve security
and access. Make sure you follow through on enforcing contractual
provisions, and make sure you act swiftly.
In closing, remember that when dealing with trade secrets or handling other
proprietary, confidential or otherwise private information, nothing beats
being prepared.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170215/9f984112/attachment.html>
More information about the BreachExchange
mailing list