les Nouvelles January 2020 Article of the Month
Protecting Organizational Trade Secrets In View Of The EU Trade Secrets Directive
Past-President, LESI &
Johnson & Johnson,
Senior Patent Attorney
Implementation of Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (hereinafter the “Directive”) requires organizations to take various measures to ensure their trade secrets can enjoy the protection provided for by the applicable member state. In the accompanying articles in this issue, various commentators have made recommendations for actions to take to claim that protection. This article seeks to gather and summarize those recommendations in a coherent fashion, so that organizations may maximize the possibility of securing such protection for their trade secrets.
In deciding what measures to implement and how to implement them, a recurring theme of our commentators is that the trade secrets owner must take such measures as are reasonable under the circumstances.
In this regard, there is little guidance as to what constitutes reasonable measures to be taken. While the explanatory notes of the implementing legislation of some countries do include such guidance, this is often considered non-binding. For example, in Austria, the explanatory notes provide that the appropriateness of the measures to be taken depends on the industry and size of the organization.
Thus, as noted by our UK commentator, the challenge is to determine what steps are reasonable “under the circumstances”. In doing so, it is necessary to take account of various factors including the nature of the trade secret, its value, the owning entity, how that entity is organized and the manner in which it uses the trade secret.
To achieve this, our commentators have identified various steps to be considered and taken. While not exhaustive, these measures generally fall into two categories: (1) measures to be taken to protect trade secrets; and (2) measures to be taken to preserve the confidentiality of trade secrets that are the subject of, or are disclosed in, legal proceedings.
Measures to be Taken to Protect Trade Secrets
Valuable technical and business information must be treated so that it meets the definition of what constitutes a trade secret. To achieve this, Art. 2(1)(c) of the Directive states that the trade secret must have been “…subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret;”.
Accordingly, it is imperative to assure that the measures taken meet the standards of reasonableness of the law of the applicable country. This implies that the trade secret holder must be able to demonstrate to a court that it was diligent in formulating, implementing and documenting those measures.
Establishment of Written Policy
As a starter, the trade secret holder should establish and strictly implement a written organizational policy that, at the least, considers the following elements:
- Identification and documentation of its trade secrets;
- Valuation and classification of those trade secrets;
- Marking of those trade secrets;
- Management of those trade secrets, including via contractual means;
- Access Limitation, Tracking and Enforcement;
- Training and Education Programs;
- Entrance and Exit briefings and interviews for all employees; and
- Security Measures, including IT security measures, and Verification Systems to reasonably demonstrate compliance with the policy.
As a first step to arrive at this policy, management and employees who generate or handle trade secrets (both technical and business) should be identified and interviewed to properly understand and map how trade secrets are generated, flow and are used within the organization. This includes performing a risk assessment that considers the needs and possibilities of the organization, highlights the main risk areas and identifies what actions would be “appropriate” for the organization in view of those risks. Such assessment includes a review of the organization’s present confidentiality policies, procedures and practices and its trade secret protection management systems, including facility and information security systems.
Armed with such knowledge, the organization should then proceed to develop and implement a written policy of steps to take to facilitate the capture, recording, valuation, categorization, use, disclosure and enforcement of the protection of its trade secrets both within the organization and by any third party with whom they are shared. Such policy should consider including those elements which are elaborated below.
Identification and Documentation of Trade Secrets
The organization should review and clearly identify confidential information that is both circulating within the organization and which has been received from and shared with external sources. This includes the identification of confidential information as it is generated to identify trade secrets embodied therein. In doing so, the organization should identify the source, nature, contents and date of creation of the trade secret.
In doing so, what are truly trade secrets must be distinguished from information that is not confidential and/or not a trade secret. Blanket measures designating all information as containing confidential trade secrets could well render protection for real trade secrets unenforceable.
Valuation and Classification of Trade Secrets
Once a trade secret has been identified, the organization should evaluate and consider if it wishes to protect it and the basis for such decision. As part of this process, pertinent contractual provisions concerning the trade secret, including ownership, licensing and assignment clauses, document marking requirements, non-compete covenants, non-solicitation and non-disclosure clauses will need to be reviewed.
Organizations should systematically perform a valuation of their trade secrets and classify them (including the need for protection thereof and who is to have access thereto) based on their value and sensitivity. On this point, the organization should be able to explain the factors it has taken into consideration and the methodology it employed to arrive at its valuation. Such valuations and classifications should then be subject to regular reviews and updates.
Since economic value is part of the notion of the trade secret, it is recommended to have the economic value of the trade secret indicated in the financial books of the organization, so that this part of the definition can be proven. Other means—e.g. the value indicated in a transfer or license agreement—are also appropriate.
Monitoring and documenting any royalties paid in connection with the use of the trade secret is recommended with respect to the assessment of any potential damages claims thereon.
Marking of Trade Secrets
All pertinent documentation (written and electronic) containing a trade secret should be clearly marked and identified, so that it is clear to those handling the information that it is a confidential trade secret. Such markings should be indelible, so that they cannot be erased or otherwise removed from the documentation. An example of such a measure is the use of an indelible watermark (including electronic watermark) that extends over the length of the entire page(s) on which the trade secret is found.
In addition, the policy should require that all oral disclosures of trade secrets be identified as being a confidential trade secret when disclosed and that such disclosure be followed-up with a written communication, itself marked as being confidential, that identifies what was disclosed, when and to whom.
Management of Trade Secrets
The organization should manage the maintenance, use and disclosure of its trade secrets. This should be done using HR procedures and agreements with both employees and third parties, as well as physical and organizational security safeguards and information security.
A. Trade Secrets Protection Officer
Companies would be wise to appoint an individual to serve as their trade secrets protection officer (TSPO). Such TSPO would serve as the guardian of the organization’s trade secrets by ensuring that all appropriate guidelines and policies are put in place, regularly reviewed, adhered to and updated, as needed.
In the mapping exercise mentioned earlier, the organization should also identify those persons and entities (including employees and third parties, such as consultants, suppliers and collaborators) that may have had access to trade secrets, the purpose, why and when they had such access and the terms and conditions thereof. There should then be a determination made as to who should continue to have such access or to have such access in the future and on what basis such access should be given (for example, only on a need-to-know basis). This involves implementing an effective trade secrets documentation and tracking system, to be discussed in more detail below.
C. Contract Management
The organization should review and, if necessary, adapt, all existing agreements/clauses concerning the protection of trade secrets (e.g., employee contracts, external consultant contracts, CDAs, collaboration agreements, supply chain contracts, etc.) in view of the requirements and identify and address any weaknesses in such contracts. The same should also be done with all contract templates.
The policy should require that all contracts to be entered into have the appropriate clauses ensuring the confidentiality and appropriate treatment of trade secrets. Examples of such types of clauses include those wherein Recipients of information concerning trade secrets agree to:
- limit access to disclosed trade secrets to trustworthy persons and organizations with certain thresholds of protection being mandated for particular types of data/trade secrets;
- permit access to the trade secrets only on a strict need-to-know basis;
- non-compete obligations concerning the use of such trade secrets by organizations and individuals having access to them;
- abide by the discloser’s code of conduct;
- promptly report breaches of confidentiality to the discloser and to enforce/assist in their enforcement;
- permit the discloser to demand the return/quarantining of paper/electronic documentation that contain trade secrets after the end of its use; and
- penalties for failing to comply with terms and conditions protecting trade secrets.
It is noted that the practice of backing a confidentiality obligation with a penalty clause can be controversial and, as was pointed out by our Polish commentator, can be subject to specific legal limitations and requirements in certain countries.
Trade secret owners should do their best to ensure that confidentiality clauses also apply to everyone to whom a recipient discloses the trade secret, even if such sub-recipient has no direct contractual relationship with the trade secret owner (e.g., to oblige contracting parties to extend secrecy obligations to their partners as well or to make the discloser a third party contract beneficiary). Otherwise, serious consideration needs to be given to prohibiting such further disclosures.
It is mandatory to keep and retain records of the policies and measures taken, for example, with the organization’s intellectual property records. Only by providing sufficient documentation that shows the measures taken to protect the trade secret can an organization be likely to be able to enforce its trade secrets rights. In this regard, it can be useful to develop internal documentation guidelines to ensure this and to ensure that employees abide by these guidelines. These policies should also be reviewed at appropriate intervals and revised as needed.
Access Limitation, Tracking and Enforcement
To ensure trade secrets are afforded the maximum protection provided for them under the various national laws, it will be necessary to limit and restrict access to them, to be able to track who has had such access and to react to and enforce breaches of their confidentiality.
A. Access Limitation
As a minimum, the organization should be able to identify which persons/entities should be permitted to have access to which type(s) of trade secrets, and to restrict such access to trustworthy individuals and entities who have entered into appropriate non-disclosure agreements relative thereto and who have been informed of their duties of confidentiality relative to those trade secrets prior to granting access thereto.
1. For Employees
To minimize the risk for potential misappropriation, organizations should limit the distribution of certain types of information to designated parts of the organization, selected physical areas and possibly specified employees, as appropriate. This includes determining and assigning different clearance levels to each staff member or granting different types of access (view only, editing, printing, etc.) for different individuals depending on their needs.
Further, organizations need to develop and document internal guidelines and employee policies for managing trade secrets, confirm that employees are aware of, have read and understood them (via Entrance Briefings and interviews as well as training and educational programs) and ensure that all employees sign and abide by them.
Employee confidentiality undertakings in, for example, employment contracts and policies should be signed by all employees handling trade secrets.
As noted by our UK commentator, when dealing with employees, it will be necessary to check whether the measures might have an adverse impact on them. For example, if an employee no longer has access to classified information so their job is essentially downgraded, then the employee may have a claim against their employer.
2. For External Persons and Organizations
Disclosing trade secrets to external persons and organizations represents perhaps the greatest risk and is often the most difficult to police. As already discussed, such disclosures should only be made under appropriate confidentiality provisions. However, it is recommended that trade secret disclosers also understand how a recipient will manage the protection of the discloser’s trade secrets.
Disclosers can contractually require Recipients to take the same measures to protect the discloser’s trade secrets as it would its own. Alternatively, disclosers can oblige high-risk recipients or recipients of highly valuable trade secrets to disclose their confidentiality measures upon request. Another approach sometimes employed is to require external recipient organizations to contractually agree to use the same confidentiality measures as those employed by the trade secret discloser.
However, each approach is problematic in that it requires a party to reveal those measures it takes to protect its trade secrets. The issue is that doing so may be unwise in that it may open up that party’s system to being compromised (for example, via hacking).
Nonetheless, at the very least and while not perfect, recipients should be contractually required to treat the trade secrets in a manner which is not less than that which is standard for the industry.
While useful, sometimes even the above measures may not be enough. For example, as noted by our Italian commentator, Italian case-law before the Directive (that they do not expect will change after its implementation), considered the use of a password along with entering into a non-disclosure agreement with employees and external parties to be insufficient to protect trade secrets.
It is advisable for an organization to implement an effective trade secrets documentation and tracking system, so as to identify and document exactly who has access to the trade secret, whether the trade secret has been disclosed to an employee, consultant or a third party for the purposes of current or potential cooperation and the circumstances related thereto. In this manner, the organization can maintain a register of all individuals who have access to its trade secrets, when they were accessed, why they were accessed and how such access was obtained. Consideration should also be given to documenting disposition of the trade secret after use. This should be done electronically (in the event that digital records are accessed) or manually when necessary. Policies should mandate that the persons responsible for the disclosure also be responsible for assuring that such tracking is done for those trade secrets they have disclosed.
1. Incident Response Protocols
In order to minimize the effects of trade secrets violations, incident response protocols should be established in order to swiftly and diligently react as soon as the organization is aware of the occurrence of a trade secret violation, its scope and the individual responsible therefor. Such protocols include the adoption of a crisis management plan, including a plan for recurrent follow-ups and assessments of the measures taken to protect the trade secret. Individuals and entities who receive such confidential information should agree to adhere to such protocols.
2. Contract Provisions
Employees and third parties given access to trade secrets should contractually undertake various obligations concerning breaches and enforcement set forth above under “Contract Management”.
Training and Education Programs
It is also considered advisable to implement programs to increase awareness, such as continuing education sessions, to ensure that employees and third parties who have access to trade secrets are informed about what a trade secret is, why it is important to preserve their confidentiality and protect them and the measures adopted within the organization to provide such protection. Such programs should also help prevent potential attacks or threats.
It would be advisable to provide such programs in the form of online training courses that employees are required to take periodically during their employment tenure and that include a short quiz on the contents thereof to confirm that the employee has actually paid attention to, and understands, them.
Entrance and Exit Briefings
Employees who may have access to confidential information should be subject to both entry interviews for new employees and exit interviews for departing employees.
The goal of such interviews would be to minimize the risk that incoming employees will illegally bring with them and use a former employer’s trade secrets, to educate them on the organization’s trade secrets policies and procedures and to educate departing employees of their duty to preserve the confidentiality of the trade secrets after leaving the organization. Entry and exit forms should be prepared that the employee would sign to confirm they have been informed of the policies, that (in the case of exit interviews) they did not breach the policies and that access keys and access to the organization’s resources are properly granted or returned (ended). Further, such interviews should be used to ensure that any confidential documentation which an employee may have in their possession upon departure has been returned/destroyed.
Employing sufficient security arrangements both in physical facilities and IT systems is essential. Broadly speaking, such measures fall into two categories: verification systems and IT Security measures.
1. Verification Systems
Organizations should implement systems capable of providing reliable evidence at any time on their trade secrets, the measures taken to preserve their confidentiality and which employees and third parties, such as consultants, customers, suppliers and collaborators, have had access to them, when and why.
Implementation of technical precautions such as use of access cards/passwords to enter specific facilities and the establishment of surveillance systems in such facilities to monitor access to particularly sensitive process trade secrets is recommended.
2. IT Security Measures
Adoption of a program of measures to be implemented by the organization’s IT team to ensure the confidential storage and traceability of trade secrets is recommended.
Security measures to adopt could include: (i) an effective policy on the use of corporate electronic devices, (ii) multiple passwords, (iii) internal procedures for the processing of trade secrets, (iv) control and limitation of access to where the trade secrets are used/stored, (v) implementation of “clean desk” policy, (vi) periodic destruction of documents, (vii) restrictions on the use of external storage devices, such as USB sticks, (viii) use of encoding and encrypting software systems, (ix) remote storage and data loss prevention (DLP), (x) control of copying and reproduction (by providing codes that restrict or track copying/downloading of such information), (xi) security checks and audits, (xii) employee-activity monitoring and (xiii) training employees to manage confidential data appropriately and in a responsible manner.
It will be necessary to ensure that the policy is consistent with the organization’s policies on data protection and cyber security.
Policies mandating the destruction/erasing of confidential information on servers should be approached with caution in that they can open an organization up to claims that its records are incomplete or otherwise cast doubt on their integrity, which may prove fatal in litigation. Thus, compliance with contractual clauses requiring such erasing of electronic information could prove fatal in litigation. As a suggestion to surmount such problems, instead of document destruction/electronic erasing, documents (electronic and paper) containing trade secrets could be removed from usual open storage sites and placed in a special quarantined location. In their place, “placeholders” could be substituted, indicating that an original document that would normally be found here has been removed, the reason why it has been removed and where it may now be found. Special documented access to the quarantined site could then be provided by the organization’s IT security systems under a special procedure wherein the identity of the person accessing them, the date(s) involved and the reason for such access are all documented. This would serve the dual purpose of maintaining the integrity of the organization’s records while also maintaining the trade secrets out of reach of individuals who should not have access to them.
Another important element to have in mind regarding employees is the implementation of clear rules to deal with private and business IT devices or relating to data that may be taken on business trips abroad.
As a result, it has become crucial to establish IT measures to protect and monitor access to trade secrets and establish rules on the use of private storage media.
Finally, anonymous “hot-line” numbers whereby employees and external partners can anonymously report suspicious behavior and activities should be provided.
Measures to be taken to Preserve Trade Secrets in Legal Proceedings
Measures to be taken to protect trade secrets in both present and future legal proceedings should be mandated in the organization’s policies.
In certain countries, as was pointed out by our German commentator, trade secret holders must follow specific procedures in order to ensure that confidentiality rules are respected in court proceedings.
Examples of such procedures specified by our German commentator include:
- a credible showing, in its request for confidentiality measures in court proceedings, that the information is a trade secret. This may involve the submission of documentation with regard to confidentiality measures taken by the organization;
- labelling submitted documents that contain trade secrets as such and submitting a version (such as a redacted version) that can be publicly viewed, otherwise it may be presumed that the version containing the marked trade secrets can be inspected, unless the court is aware of special circumstances that do not justify such a presumption; and
- an indication of precisely which part(s) of a document is or contains a trade secret along with a request to limit access thereto.
It should also be noted that, in certain countries (such as Germany), judicial decisions on the classification of information as a trade secret and the restriction of access to unredacted versions (or parts) of documents or to the courtroom can only be challenged together with the decision on the main action.
Should the need arise to disclose trade secrets to public entities (in the context of public tenders, judicial proceedings or other administrative or regulatory processes), the decision to do so or not should be taken on a case-by-case basis by the appropriate decision-makers within the organization. In the case of doubt, trade secrets should only be disclosed to a court or public entity after it becomes clear what legal, physical and technological measures are in place to ensure security and confidentiality. This is because, despite the existence of good intentions, judicial, administrative and regulatory authorities may not have the means to guarantee secrecy.
While the various measures noted above are no guarantee that an organization can effectively avail itself of the protection relating to trade secrets in all cases, if followed, they can provide a sound basis for asserting such a claim. Moreover, the adoption and the effective implementation of such measures (adapted to the circumstances of the case) should increase the organization’s chances of obtaining provisional and precautionary measures to prevent, or at least minimize, the damages that can result from an unauthorized disclosure of its trade secrets.
Available at Social Science Research Network (SSRN): https://ssrn.com/abstract=3420846