Jump to Navigation | Jump to Content
American Bar Association

ABA Section of Business Law


Business Law Today

Protecting trade secrets
Dealing with the brave new world of employee mobility
By Bradford K. Newman
For an increasing number of businesses outside the traditional technology sector, a rising percentage of their value is comprised of intangible assets including intellectual property and trade secrets. Even the smallest innovation now leads to product differentiation, and time to market has never been more critical to the bottom line. Protection of trade secrets is of paramount importance to maintaining and increasing market share.

The largest threat to a company's trade secrets originates from current and former employees, according to an ASIS International survey report. Today's workplace is no longer constrained by the four brick-and-mortar walls of the employer's offices. Employee mobility, which covers employees who spend at least 50 percent of their business hours away from their traditional office space, is on the rise. Runzheimer's Winter 2007 International Mobility Report reflects that within the typical organization sampled, approximately 40 percent of workers hold positions that are likely to require participation in employee mobility programs and, in some industries sampled, the percentage was 50 percent or more and expected to increase.

Employee mobility has a significant potential adverse impact on the ability to protect trade secrets from disclosure to competitors. Too few companies focus on creating and implementing internal controls in this area before it is too late. Intellectual property management systems will not effectively protect trade secrets unless they address the realities of worker mobility. Runzheimer reports that 56 percent of the respondents in its benchmarking study reported concerns about both electronic and physical files used and accessed by mobile employees, another 12 percent were primarily concerned with electronic files only, and 4 percent were concerned primarily with physical files. Yet when asked if mobile employees who work from a remote office were subject to any type of inspection of their work environment, 91 percent of the respondents in Runzheimer's study said "no."

According to a survey conducted by the U.S. Chamber of Commerce, ASIS International, and Pricewaterhouse-Coopers, U.S. businesses lost $59 billion (in 2001 dollars) due to intellectual property theft in a one-year period from July 1, 2000, to June 30, 2001. The survey was conducted among CEOs of Fortune 1,000 companies and of 600 small and medium-sized U.S. Chamber member companies. Forty percent of the respondents reported incidents of known or suspected losses of proprietary information such as trade secrets. The survey results further support what so many companies know from anecdotal reports or firsthand experience. The top four areas of risk for loss of proprietary information are

1. research and development data (49 percent of survey responses reported loss);

2. customer lists and related data (36 percent of survey responses reported loss);

3. financial data (27 percent of survey responses reported loss); and

4. strategic plans and roadmaps (25 percent of survey responses reported loss).

The other areas of risk include merger/acquisition data, manufacturing data, unannounced product specifications, prototypes, and second-party information. The average dollar loss per incident for manufacturing companies with revenues less than $5 billion per year was $332,618 (in 2001 dollars). Thefts involving research and development data averaged $404,375 per incident (in 2001 dollars).

The August 2007 ASIS Survey Report confirms that the risks to corporate trade secrets continue to increase. Eighty-one percent of respondents confirmed that the cost impact of proprietary data compromises was comparable or higher in 2005 than 2004. The problems caused by loss of proprietary information include loss of revenue, loss of competitive advantage, loss of market share, increased R&D costs, increased legal costs, embarrassment, and increased insurance costs.

The number one risk factor associated with the theft of trade secrets is from those with a trust relationship with the organization, primarily current and former employees. This makes perfect sense. As Justice Holmes noted long ago, misappropriation of trade secrets is fundamentally rooted in the unique nature of the employer/employee relationship:

The word "property" as applied to . . . trade secrets is an unanalyzed expression of certain secondary consequences of the primary fact that the law makes some rudimentary requirements of good faith. Whether the plaintiffs have any valuable secret or not, the defendant knows the facts, whatever they are, through a special confidence that he accepted. The property may be denied, but the confidence cannot be. Therefore, the starting point for the present matter is not property or due process of law, but that the defendant stood in confidential relations with the plaintiffs.

Employee mobility and departures necessarily pose a unique threat. Justice Posner's more modern articulation posits: "[a] trade secret is really just a piece of information (such as a customer list, or a method of production, or a secret formula for a soft drink) that the holder tries to keep secret . . ., so that the only way the secret can be unmasked is by [unlawful activity]."

In other words, trade secrets comprise information that is fundamentally defined by a confidential relationship the employee enjoys with his or her employer. Unlike patent, copyright, trademark, and publicity rights where the plaintiff claims a clear property right against the entire world, trade secret information is fundamentally relational in nature: Does the information that was misappropriated by the current or former employee have a special commercial value to his or her former employer not generally known to the employer's competitors, and was the trade secret acquired through a special--i.e., the employment--relationship with the employer? Further distinguishing the law of trade secrets from other areas of intellectual property, to establish the existence of a trade secret and to protect it from misuse, a corporation need not partake in a formal registration process or file any document with the government, since the property interest in play derives its relational value from not being publicly known or disclosed.

Assuming the employer establishes the existence of the trade secret, and that the current or former employee misappropriated it, the employer must still establish that it took reasonable measures to protect its confidential property in its relations with its employees. This poses new problems for the modern business. Today's employees are well-versed in using private Web e-mail accounts, external storage devices (also called "thumb drives" because of their miniature size), PDAs, instant message communications, and other means of communication that transcend the company e-mail system.

Taking into account remote offices, technology, global travel, and international business operations, the potential for employee porting of data off the employer's network and out of the company--even for legitimate business reasons--is daunting. The "office" is wherever an employee happens to be working at any particular moment and, even without assuming the existence of a malicious workforce, employers must assume that sensitive data is routinely being moved off company servers and stored in varied places and formats around the world in a manner that too few, if any, employers currently track. Further, trade secret protections outside of the United States vary widely and, in some countries, corporate espionage is an acceptable business tactic in the context of a foreign legal system that affords little or no protection for a company's trade secrets.

There is one more element in play. Today's key employees are similar to high-powered athlete free agents, constantly on the lookout for the team that will pay them the highest package. Gone forever are the days where employees work for one company throughout their entire careers. With the stiff competition brought on by the globalized economic marketplace, competitors are willing to pay exorbitant sums for a particular employee and his or her team. In turn, the rich compensation package places enormous pressure on the mobile employee to produce quickly for the new employer. Thus, key employees may feel compelled to port some or all of the work product they created for their prior employer with them upon departure.

The Sarbanes-Oxley Act (SOX) illustrates the perils to publicly traded companies that fail to devote sufficient attention to protection of trade secrets. One of SOX's central goals is the accurate valuation and protection of all of a company's assets. With respect to the protection of trade secrets, there is a growing consensus that one SOX provision deserves special attention in light of the SEC's compliance guidance relating to that provision. As a general matter, section 404 requires management to document, test, and certify the effectiveness of internal controls over financial reporting. Although the relationship between internal controls and trade secret protection is not clear from the face of section 404, the SEC's compliance guidelines identify safeguarding of assets among the internal controls that must be verified. The SEC defines "internal control over financial reporting" to include procedures that provide reasonable assurances regarding "prevention or timely detection of unauthorized acquisition, use or disposition of the issuer's assets that could have a material effect on the financial statement."

There is no distinction made between "tangible" and "intangible" assets. A sizable portion of a company's intangible assets would surely qualify as trade secrets, provided (1) the assets contain commercially valuable information or data not generally known to the public; (2) they have a value derived, at least in part, from the exclusive possession of the information; and (3) reasonable efforts have been made to keep them confidential. To the extent that a company's trade secrets, if subject to improper acquisition, disclosure, or use, could have a material effect on the financial statements, then section 404 would seem to create obligations on public companies to identify, value, and protect those trade secrets.

But even for businesses not governed by SOX, the same concerns exist, and in many cases may be more pronounced. The success of early-stage and less-mature companies, which often have a larger percentage of mobile employees relative to the total employee population than more mature corporations with publicly traded shares, may be even more dependent on identification and protection of trade secrets. It is likely that all corporations owe a fiduciary duty to their shareholders to protect valuable trade secrets.

Nevertheless, senior management often does not fully appreciate the scope of its obligations as it relates to protecting trade secrets. The three largest problem areas are (1) failure to identify, inventory, and value trade secrets; (2) failure to institute internal controls regarding confidentiality; and (3) failure to protect trade secrets when employees depart. Each of these areas is more pronounced in the case of mobile employees. Even where theft has admittedly occurred, many state and federal law enforcement agencies will refuse to prosecute the offending employee unless the business can demonstrate it took effective measures to protect the confidentiality of the data the employee stole. In civil litigation, courts routinely consider whether the complaining party took adequate measures to protect the confidentiality of the trade secrets at issue.

Similarly, companies need to protect against the transference of third-party trade secrets into the company when new hires arrive. Several NASDAQ and S&P 500 companies are currently trending toward internal reviews of and modifications to their trade secret programs. Experienced trade secret counsel also are devising state-of-the-art procedures tailored to specific industries, designed to maximize protection of intellectual property, including trade secrets. At a minimum, every company should consider instituting the following internal controls:

  • Create an internal committee to identify and account for key corporate trade secret data.

  • Institute controls to ensure the confidentiality of the trade secret data, including limiting who may access core trade secret data, using passwords, requiring the labeling of confidential information, and monitoring access.

  • Tailor internal controls to cover mobile employees who work outside the traditional office setting and who routinely travel.

  • Institute processes to ensure that external candidates do not violate their confidentiality obligations to their current employers.

  • Ensure that the company maintains an updated and compliant computer and e-systems monitoring policy that adequately accounts for mobile employees.

  • Institute site security procedures that, at a minimum, require visitors to sign in, restrict their movement, and record the nature of their business.

  • Require new hires to execute and abide by confidential information agreements.

  • Develop policies about the use of external storage devices with company laptops, transmission of company data to private Web e-mail accounts, and usage of instant message software; these policies must take into account the business realities of the mobile employee.

  • Train employees--especially managers--to identify trade secrets and use the internal controls designed to protect them.

  • Require vendors, independent contractors, and third parties who might access trade secrets to sign confidentiality agreements.

  • Utilize an exit interview process, especially for mobile employees. The mobile employee's laptop should be accounted for and, in many instances, its contents preserved. The employer should inquire as to whether the mobile employee plans to work for a competitor and ascertain the whereabouts of all company data accessed by that employee for work reasons over the last several months.

  • As part of the exit interview process, require departing employees to execute a certification detailing what external computer media they used while employed and reminding them of their obligations not to copy, retain, disclose, or use trade secret data in tangible or intangible form.

  • For sensitive or high-risk departures, create a forensic image of the departing employee's hard drive and maintain a library of such images. It is critical that the forensic image not alter or modify key metadata, that industry-accepted software capable of preserving data in slack and unallocated space be used, that a trained professional make the image, and that a chain of custody be maintained.

  • Institute IT and related policies to protect outsiders from accessing trade secrets.
While most businesses have never heard of the phrase "trade secret audit," let alone allocated the internal resources to conduct one, such audits should be conducted on an annual basis to assess the status of trade secret programs and protections. For those businesses that already have rudimentary or sophisticated controls in place, continued improvements and modifications will likely be required to protect the confidentiality of core trade secrets. As the number of mobile employees increases and the technology available to them evolves, so too does the risk to a business' trade secrets. These risk factors mandate that resources be devoted to this issue proactively, rather than after an employee misappropriates core trade secret data.
Newman serves as the chair of the Employment Law Department at Paul, Hastings, Janofsky & Walker LLP in Palo Alto, California. His e-mail is bradfordnewman@paulhastings.com.

Back to Top