- Navigating trade secrets and the law: How to Identify, Monitor and Protect confidential business information
- Step three: Protecting your trade secrets
Step three: Protecting your trade secrets
This is the third article in our series on the importance of confidential information and trade secrets to every business (large or small). In these articles, we have looked at the practical steps you should take to protect your most valuable information, and how the law can help to maintain your competitive advantage. 9 June 2023 marks the 5th anniversary of the implementation deadline of the Trade Secrets Directive. Now is a good time to reflect on how certain European courts have interpreted the Directive and compare it to the approach taken in the US and China. What guidance does the case law offer to trade secret holders looking to protect their business’ most valuable information?
To be considered capable of protection under the European Trade Secrets Directive, information must meet all of the following requirements:
“(a) it is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question;
(b) it has commercial value because it is secret;
(c) it has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.”
But what constitutes ‘reasonable steps’ to keep information secret? As well as the European test, similar requirements are found in the equivalent laws in the US and China. Judicial guidance on the meaning of reasonable steps varies across regions. However, there are some common themes. Courts across the world tend to agree that robust contractual provisions regarding protection of trade secrets are important, as well as implementing practical measures to limit and regulate access to the trade secrets. They also tend to agree that the nature of those practical steps will vary depending on the value and nature of the trade secrets, the underlying technology, and the relationship between the parties.
Here are examples of the different approaches taken.
In the UK, since the implementation of the Directive under the Trade Secrets (Enforcement, etc.) Regulations 2018/597, there has been little guidance on what constitutes ‘reasonable steps’. However, the UK’s large body of case law prior to the Directive still provides useful guidance.
In one post Directive case, the court accepted that the information in question (ship design documents) did constitute trade secrets and that it had been unlawfully used within the meaning of the Regulations. In making this finding, the judge had regard to several clauses in the parties’ agreement, including the IP ownership provisions (in which the claimant retained IP in the design documents), requirements that the documents not be revealed to third parties without the other party’s consent, and that the parties disclose the documents to their employees only on a need-to-know basis. The judge also had regard to intellectual property notices applied by the claimant to the documents themselves.
Courts in the EU agree that there is no ‘hard and fast’ definition on what constitutes ‘reasonable steps’, and what is sufficient will depend on the circumstances. In particular:
- in Hungary and Belgium, courts have remarked that merely imposing a contractual confidentiality obligation on a recipient of trade secrets, without taking corresponding practical measures to avoid disclosure, may not be enough;
- in Germany, a court remarked that it is not necessary that there be ‘optimal protection’ or ‘extreme security’; and
- in Italy, a court found that while the claimant had introduced a highly sophisticated security system after the alleged infringement of trade secrets, this helped to prove that the security measures in place at the time of the alleged infringement were insufficient.
For information to qualify as a trade secret under the US federal Defend Trade Secrets Act (which, like the Directive, was introduced in 2016), the owner must make reasonable efforts to preserve its secrecy. US cases on this language are quite common; in the following cases, the respective courts held that:
- an employer was not entitled to injunctive relief where it neither requested nor took steps to ensure that employees deleted software program data from personal devices;
- a former employer had not sufficiently protected the confidentiality of customer information to attract trade secret protection. On the one hand, the employer limited employee access to the information and password-protected the network where the information was stored. On the other hand, the employer had encouraged the employee to keep the information on the employee's personal cell phone and laptop, had not had the employee sign a confidentiality agreement, had not marked the information as confidential, and had not instructed the employee to secure the information;
- a claimant had not taken adequate steps to protect the security of the alleged trade secrets when it shared the information with a third-party contractor without a confidentiality agreement and without other policies or practices for safeguarding trade secrets;
- a claimant was found not to have taken reasonable measures to keep its information secret. In the case, the trade secrets in question centred on the functionality of the claimant’s product. As such, although the claimant had taken certain protection measures (such as locking servers in monitored cages and using secure data centres), other measures would have been more appropriate (such as restrictions on which personnel were given access and under what terms);
- where a claimant claims that certain information constitutes trade secrets, it is not sufficient to merely take steps ‘after the fact’ to demand the return of such information; and
- a defendant’s counterclaim against the plaintiff for trade secrets misuse should be dismissed, agreeing with the plaintiff that the defendant had not made reasonable efforts to maintain the secrecy of its alleged trade secrets. The defendant had admitted that it had “opened its doors and showed everything (…) including its supplier and vendor information, customers developed through the website, and of course its design, fabrication and manufacturing trade secrets and intellectual property”.
Under the Anti-Unfair Competition Law of the People's Republic of China, one of the elements of trade secrets is that the rights holder must have taken measures to keep the information confidential. This requirement is expanded on in the Provisions of the Supreme People's Court on Several Issues Concerning the Application of Law in the Trial of Civil Cases Involving Infringements upon Trade Secrets, Article 6 of which sets out several practical measures that rights holders can take, and which Chinese courts will consider.
In 2020, China’s Supreme People’s Court considered a bundle of three cases in which the plaintiff claimed that the defendant had misappropriated its trade secrets and filed three patents based thereon. By putting in place relevant contractual provisions and practical access restrictions, the court found that the plaintiff had taken reasonable measures. It dismissed the defendant’s argument that because some of the plaintiff’s customers had not complied with those measures, trade secret protection should not be afforded.
So, what do we learn from these cases? What should you do to best protect your trade secrets? Here is our easy to follow 8-point plan to make sure you have taken ‘reasonable steps’ to protect your information:
- Identify your most valuable information. Conduct a trade secret audit and consider using a tool like DLA Piper’s Trade Secrets Scorebox to help you identify your trade secrets and assess the effectiveness of your business’ trade secrets protection strategy.
- Review how your trade secrets are stored and accessed, particularly if personal devices are permitted for business use.
- Assess your security measures (both physical and electronic).
- Limit the individuals in the business with access to your trade secrets to those who need to know them.
- Ensure that employees and others who have access to valuable information are identified and (regularly) trained on the importance of keeping trade secrets secure.
- Ensure that there are appropriate contractual provisions in place (in employment contracts and contracts with third parties) and that those contracts are policed.
- Review onboarding and exit procedures and ensure they are followed. Don’t let your trade secrets walk out the door when an employee leaves.
- Have a misappropriation action plan in place. Should the worst happen you need to act quickly in order to protect (and recover) your information. The best way to ensure a speedy response is to plan what must be done if misuse is suspected.
Trade secrets can often be a business’ most valuable asset but are often overlooked in favour of more traditional IP rights. Make sure you take adequate steps to protect them.
DLA Piper’s Trade Secrets Scorebox is based on EU law and helps businesses assess the maturity of their trade secrets protection. It provides the user with an overview of the best course of action to implement, improve, maintain, and monitor the organization’s trade secrets protection strategy. If you would like more information, please contact Roberto Valenti, Ewa Kurowska-Tober or Alexis Fierens.