Protecting companies’ confidential business and technical information – “trade secrets” – is becoming a major priority of the private sector and governments around the world. For good reason: one in five European companies has been the victim of trade secret misappropriation, or attempts at misappropriation, at least once in the past 10 years, and for two in five European companies, the risk of trade secret misappropriation has increased during the same period. Intellectual property (IP) and trade secrets are also vital to helping companies innovate and compete. Indeed, up to 75% of the value of the U.S. Fortune 500 companies is now attributable to intangible assets – and European companies similarly rely heavily on their IP and trade secrets to generate value.
New Laws and the ‘Reasonable Steps’ Requirement European, national and international trade secrets laws are evolving, and increasingly are focusing on the steps that companies themselves should take to protect their confidential and proprietary information. The very definition of a trade secret in the new EU Directive on the Protection of Undisclosed Know-How and Business Information (Trade Secrets Directive), includes the requirement that the owner or other controller undertake “reasonable steps” to protect the secrecy of its information. A “reasonable efforts” requirement is also included in the new U.S. legislation – the Defend Trade Secrets Act (DTSA). The controlling international treaty, the WTO TRIPS Agreement, and many countries’ national and even state laws contain similar requirements that the owner of confidential information undertake “reasonable steps” or “reasonable efforts” for that information to qualify as a trade secret.
Aside from the practical usefulness of implementing “reasonable steps” to prevent trade secret theft and misuse, taking such steps can also have crucial legal significance. Failure to take adequate precautions to protect such information can preclude a company from obtaining any legal redress at all if an unauthorized disclosure or use of the information takes place.
Putting Protections in Place Many companies are unsure what systems should be in place or what “reasonable steps” should be taken to ensure effective trade secret protection. The Center for Responsible Enterprise and Trade (CREATe), a non-governmental organization focused on helping companies understand leading practice for IP and trade secret protection, has defined eight categories of best practices for protecting trade secrets effectively. Each addresses the different elements comprising the “people, process and technology” necessary to ensure that business processes are in place to effectively protect valuable corporate assets.
- Policies, procedures, and records: The policies and procedures that a company has for protecting its trade secrets, including specific rules and processes for designating, managing and disclosing trade secrets, are vital.
- Security and confidentiality management: CREATe recommends that companies execute practices such as incorporating confidential information protection into physical and IT security system planning, implementing system access restrictions, and conducting ongoing assessment and improvement of security.
- Risk management: The scope and quality of a company’s risk assessment and risk management-related efforts can be an important element in identifying, prioritizing and implementing relevant protections for its trade secrets. CREATe recommends that companies assess potential risks to trade secrets, the likelihood and severity of potential risks, as well as a risk mitigation plan.
- Third-party management: Companies should conduct due diligence, have regular communication with supply-chain partners, ensure that written nondisclosure agreements are in place and carry out ongoing reviews.
- Information protection team: Trade secret protection activities should be coordinated through a cross-functional information protection team, complete with an identified leader.
- Training and capacity building: It is important to conduct training and capacity building for staff and supply chain partners, with more specialized training for those dealing regularly with trade secrets.
- Monitoring and measurement: Trade secrets can be best protected within a company when protection efforts are executed not simply ad hoc or as a one-time project, but rather when the management systems and processes within the company are used to monitor and measure trade secret protection regularly and over time.
- Corrective actions and improvement: The last major category of trade secret protection involves how corrective actions are taken to redress problems that arise. Ideally, corrective action will not simply deal with particular incidents in isolation, but will also address root-cause problems such that the company’s trade secret protection can improve over time.
For more information on CREATe’s research and analysis of trade secret protection as well as related cybersecurity issues, visit www.CREATe.org/Resources.
For those interested in this topic, a workshop focused on “The Protection of Now-How and Confidential Business Information and Trade Secrets” is on the agenda at the upcoming 2016 Pan-European Intellectual Property Summit in Brussels on December 1st and 2nd.
Allen N. Dixon is Intellectual Property counsel for the Center for Responsible Enterprise And Trade (CREATe.org), a non-governmental organization (NGO) helping companies around the globe prevent corruption and protect intellectual property and trade secret theft from cyber and other risks.