[BreachExchange] How Safe Are Your Trade Secrets?
destry at riskbasedsecurity.com
Thu Oct 18 10:48:17 EDT 2018

Your trade secrets might well be your most valuable business
possession. How can you keep them safe?
Across the world, the penalties for trade secrets breaches are high.
The FBI recently charged a US Apple employee with stealing trade
secrets and he now faces 10 years’ imprisonment and a $250,000 fine.
In the UK, the EU Trade Secrets Directive was implemented this summer,
and is a significant legislative step towards increased security for
companies looking to protect against the unlawful acquisition,
disclosure and use of their trade secrets.
It seeks to harmonise the approach to trade secrets across the EU, and
provide a common standard of protection for businesses.
With increased employee mobility and a less formal, fast-moving
environment, tech companies are particularly vulnerable to the risk of
valuable information being made public or, worse, falling into the
hands of competitors.
The protection of information, such as technological knowhow and
customer information, is fundamental to the preservation of a
Co-working arrangements and employees that work for several different
businesses simultaneously are commonplace in the tech sector, so
employers must ensure that they have appropriate measures in place to

The new Directive

The Directive defines “trade secret” as information which:
§ Is secret (not generally known or readily accessible to persons
within the circles linked to the information in question);
§ Has commercial value because it is secret; and
§ Has been subject to reasonable steps to keep it secret by a person
who is lawfully in control of that information.
This is broadly in line with existing UK law, but the express
requirement to show that steps have been taken to protect
confidential information is significant. Taking such steps as a matter
of course obviously makes it less likely that confidential information
will be stolen or misused in the first place.
However, it will now also help show the court after the event that the
information was in fact a trade secret. So, what can companies do?

What are you protecting?

Every company should constantly review exactly what information is
confidential and valuable in its specific business. This information
should be stored and used in a way which maintains its confidentiality
as far as possible.
Do all employees need access to the full customer list? Have sensitive
documents been password protected or stored on a commonly accessible
server? Are client pitches covered by non-disclosure agreements? Can
certain documents be kept ring-fenced from systems which could be
susceptible to cyberattacks?
When employees move from one business to another, employer
confidential information and trade secrets become vulnerable.
Employers must not encourage new, over-zealous employees to bring
confidential information with them to their new job and should obtain
written confirmation that new employees have not done this.
When recruits enter the business, employers should check that their
employment contracts contain well-drafted confidentiality provisions,
applying both during and after employment. Employees should be taught
which information is regarded as confidential and should only have
access to the information they need to perform their role.
Co-working and hot-desk environments present particular risks, as do
situations where employees are working away from the office, on public
transport or on public Wi-Fi networks.
There should be a clear policy as to how employees access the systems
they require if working from home; and emailing documents to personal
accounts should be forbidden.
If possible, IT systems should log who accesses documents and from where;
and in some circumstances it can be helpful to include tell-tale
harmless “fake” entries in databases, so that copying can be proved if
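
The access logging and tell-tale entries described above can be combined,
as an added example that is not part of the original article: each logged
export gets its own keyed set of fake rows, so a copy found elsewhere can
be matched to the export it came from. The key, export identifiers, field
names and canary domain are assumptions made for illustration.

```python
import hashlib
import hmac

CANARY_DOMAIN = "canary.example.com"  # assumption: a domain you control and monitor

def make_canary(key: bytes, export_id: str, index: int) -> dict:
    """Derive a plausible-looking fake customer row tied to one logged export."""
    tag = hmac.new(key, f"{export_id}:{index}".encode(), hashlib.sha256).hexdigest()
    return {
        "name": f"Customer {tag[:6].upper()}",
        "email": f"accounts.{tag[6:18]}@{CANARY_DOMAIN}",
    }

def seed_export(rows, key, export_id, count=3):
    """Return a copy of rows with `count` canaries inserted at derived positions."""
    out = list(rows)
    for i in range(count):
        canary = make_canary(key, export_id, i)
        digest = hashlib.sha256(canary["email"].encode()).hexdigest()
        out.insert(int(digest, 16) % (len(out) + 1), canary)
    return out

def attribute_copy(suspect_rows, key, export_ids, count=3):
    """Count, per logged export, how many of its canaries appear in a suspect copy."""
    seen = {row["email"].strip().lower() for row in suspect_rows}
    hits = {}
    for export_id in export_ids:
        expected = {make_canary(key, export_id, i)["email"] for i in range(count)}
        hits[export_id] = len(expected & seen)
    return hits

# Constructed sample data: a demo key, five real rows, and two access-log entries
# recording who exported the list and from where.
KEY = b"constructed-demo-key"
CUSTOMERS = [{"name": f"Real Client {n}", "email": f"buyer{n}@client{n}.example"}
             for n in range(1, 6)]
EXPORT_LOG = ["export-0001/alice/10.0.0.5", "export-0002/bob/10.0.0.9"]

if __name__ == "__main__":
    copies = {e: seed_export(CUSTOMERS, KEY, e) for e in EXPORT_LOG}
    suspect = copies[EXPORT_LOG[1]][::-1][1:]  # reordered copy with one row dropped
    print(attribute_copy(suspect, KEY, EXPORT_LOG))
```

Because the fake rows are derived from a secret key rather than stored
beside the data, the canary set for any logged export can be regenerated
later and compared against a suspect copy.
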
Employers must also endeavour to manage the employee termination/exit
process in a way that reduces the chance of deliberate breaches by
The process ought to be handled professionally and fairly, and
employers should: reaffirm confidentiality obligations and restrictive
covenants (by reference to specific clients if necessary), and
reiterate that breaches will be taken seriously.
A well drafted IT “Acceptable Use”/“Email Monitoring” policy must be
in place to warn employees that it may be necessary and proportionate
to check their sent items for evidence of misconduct. This will also
mitigate the risk of a GDPR breach or employee “privacy” claim.
Employers should also regularly review restrictive covenants to check
that they are well drafted and updated to reflect the employee’s role
if they progress through the business.
However well prepared you may be, things can go wrong and
companies must be ready to act quickly and decisively if an incident
does arise. In the event of a trade secrets breach, consider the
§ Understand what information has been accessed and taken as soon as possible
§ Evaluate the potential risks to the business
§ Ascertain whether any personal data has been taken, which might
give rise to an obligation under the GDPR to notify the Information
Commissioner’s Office within 72 hours
§ Consider injunctions and court orders, to contain and minimise the
damage of the breach quickly
§ After the breach, promptly evaluate the wider repercussions –
consider if there has been adverse publicity and manage effectively to
minimise potential reputational risk
Whilst the Trade Secrets Directive does not radically alter the
protection of confidential information in the UK, it definitely serves
as a timely reminder that confidential information is an increasingly
valuable asset, and almost every business could do more to protect
By being both proactive and reactive, businesses can manage the
protection of their trade secrets and ensure that their most valuable
assets remain safe.