Trade secrets are important because money, resources, and time are spent developing information or technology. Most of the time, this information is of substantial economic value. Trade secret law protects this value. A good example of a trade secret is the Coca-Cola formula, which only two living executives know. Another good example of a trademark secret is KFC’s eleven herbs and spices recipe. Though these are famous examples, there are much more common trade secrets associated with businesses, including lists, databases, customer information, manufacturing processing, and financial data.
What are trade secrets?
The Illinois Trade Secrets Act (ITSA) defines a trade secret as “information, including but not limited to, technical or non-technical data, a formula, pattern, compilation, program, device, method, technique, drawing process, financial data, or list of actual or potential customers or suppliers, that:
- Is sufficiently secret to derive economic value, actual or potential, from not being generally known to other persons who can obtain economic value from its disclosure or use; and
- Is the subject of efforts that are reasonable under the circumstances to maintain its secrecy or confidentiality.
A trade secret plaintiff under the ITSA must show that information was sufficiently secret to give the plaintiff a competitive advantage and show that the plaintiff took affirmative measures to prevent others from acquiring or using the information. Trade secrets are different from other forms of intellectual property in that protection lasts as long as information remains secret. This is different than patents, trademarks, or copyrights, where disclosure is necessary for protection. Trade secrets are mainly protected by state law. Generally, there’s no federal private right of action unless the trade secret was discovered through espionage, hacking, or through actual damage to a computer system.
Defining a trade secret
Illinois Courts have identified 6 common law evidentiary factors relevant in evaluating whether information qualifies for trade secret protection. The The first four are particularly relevant to cybersecurity.
- The extent to which the information is known outside the plaintiff’s business
- The extent to which it is known by employees and others involved in plaintiff’s business
- The extent of measures taken by the plaintiff to guard the secrecy of information
- The ease or difficulty with which the information could be properly acquired or duplicated by others
- The value of the information to the plaintiff and to the plaintiff’s competitors
- The amount of effort or money expended by the plaintiff in developing the information
How is trade secret protection lost?
Trademarks are typically lost if they are independently discovered, reversed engineered, if there is unrestricted disclosure, or if the company fails to act once the secret is out.
Unrestricted disclosure is disclosure to individuals not subject to carefully constructed confidentiality agreements. This can take the form of releasing trade secret information on company website, either purposefully for marketing reasons or through carelessness.
Failure to act once the trade secret is out refers to a situation where a company must aggressively do all in its power to have the disclosure removed from the public. For example, they can issue an injunction stopping the disclosure. If the information is publicly released onto the internet, however, it is possibly too late for any action to protect secret status. Immediate and thorough action is necessary in the wake of public release; even if trade secret status is lost, the company may still get damages for the release.
Trade secrets are lost through the inappropriate spread of information
If trade secrets are lost to those inside the company it is usually because there was a lack of clear, established, and enforced company-wide confidentiality policy. Sometimes this is linked to the lack of appropriate clauses in employee contracts. Loss of trade secrets to those outside the company are usually because emails or mailings were accidentally misdirected, or someone posted privileged information publicly on the company website or because of cyber hacks or threats.
How the internet facilitates the loss of trade secrets
The Internet has changed the way in which companies do business. For one, privileged information is made available to many more individuals than it was before. This includes sales and management employees, IT personnel, consultants, website/database programmers, third-party software or equipment maintenance personnel, potential partners and investors, customers, production distributors, and more. As a result, companies can no longer simply lock sensitive documents behind closed doors, and electronic security must be made a priority. A few simple steps can be taken to achieve security; companies should:
- Use password protected terminals, email accounts, servers
- Use email encryption for very sensitive data
- Limit access to confidential material
- Monitor who accesses material, when they access it, and for what purpose
Data security must be established in addition to confidentiality procedures. If these precautions are not taken, there may be no legal recourse for the disclosure of confidential information.
Specific ways trade secret protection can be lost online
One way in which trade secret protection can be lost is through the posting of information on the company website. While possibly beneficial from a marketing standpoint, this can defeat a trademark secret claim later. Often, the process of posting information online is not as closely monitored as more “official” company documents such as regulatory filings, print advertising and department blogs. Thus, employees may be able to directly post information online without review by managers or attorneys. Sometimes, such lack of review can lead to erroneous posting of protected information.
Another specific way in which trade secret protection can be lost online is through e-mails sent by employees to outsiders that are not covered under confidentiality agreements. This is because email is so easy and prevalent, and misaddressing accidents are common. Secondly, in the digital age, hackers and cyberspies have become increasingly prevalent. If websites, servers, and e-mail accounts do not have proper security features, courts will look to see what steps were taken to prevent access.
An example of such a case is Religious Tech. Center v. Netcom On-Line Communications Services, Inc. (N.D. Cal. 1995). Netcom Online was an early internet service provider that hosted message boards. A former minister of Scientology posted copyrighted and secret church doctrines to the website. Netcom did not post the information themselves and did not control how users interacted with their services. The court found that only the original poster of trade secret was liable for the misappropriation. Those who downloaded and viewed the files were not liable. Furthermore, posted documents that became “generally known” lost trade secret protection.
What to do if a trade secret is released online
Give immediate notice to the hosting website. State that the information is posted without company authorization and that the website must immediately cease-and-desist use. Use a domain “lookup” website to help locate site owner. If successful, contact search engines, such as Google, to remove information from stored cache. If the cease-and-desist is unsuccessful, consider pursuing an injunction. The injunction should request removal of the secret material and prohibit the use of future reposting or disclosure of information. However, if the secret has already been widely viewed by the “relevant public,” then it may be too late for an injunction to be granted.
Respond to internet confidentiality threats with care. Occasionally, strongly worded legal action can do more harm than good. A company’s reaction can confirm the infuriation is valid and provoke the site owner. If information is hosted from a foreign country, legal recourse may be difficult but not impossible. A famous example is what has come to be known as the “Streisand effect,” which is when an attempt to hide, remove, or censor a piece of information unintentionally publicizes the information more widely. This effect is usually facilitated by the Internet. It is an example of psychological reactance where peoples’ knowledge that some information is being kept from them increases the motivation to seek out the information. For example, in 2007, the “AACS code” for overwriting Blu-ray and high-definition DVD protection exploded across the web following aggressive and publicized cease and desist orders. Within the course of one week, the code showed up on t-shirts, hundreds of thousands of blogs, in songs, videos, and even on tattoos.
Other remedies
The Consumer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030
Advantages over the ITSA:
- Plaintiff does not need to establish that material stolen is a trade secret, only that the material was on a protected computer
- There is no need to show additional security measures, such as confidentiality agreements, were used, beyond showing the computer was protected and the employee lacked or exceeded authority when accessing the information
- No need to show that the misappropriated information was actually used
- Provides federal question jurisdiction as an entry into federal court
Disadvantages to the CFAA
- Plaintiff must prove that the improper access caused “actual damage”
- Use alone does not count, must “impair” data or system in some way
- See Garelli Wong & Assoc. v. Nichols (2008 N.D. Ill.)
Economic Espionage Act, 18 U.S.C. §1831
- Specifically enacted to protect trade secrets
- Prohibits unauthorized transmission, download, or upload of trade secrets by computers
- No private right of action
- Has an extraterritorial aspect
- Up to $500,000 fine and 10 years in prison for violation
- Corporations and other entities may be fined up to $5 million
Electronic Communications Privacy Act, 18 U.S.C. §2510
- Protects e-mails that have not been opened or that are intercepted in transit
Stored Communications Act, 18 U.S.C. §2701
- Protects against intentional, unauthorized, access of an electronic communication when that communication is in electronic storage
Electronic Communications Privacy Act, 18 U.S.C. §2510
- Protects e-mails that have not been opened or that are intercepted in transit
Stored Communications Act, 18 U.S.C. §2701
- Protects against intentional, unauthorized, access of an electronic communication when that communication is in electronic storage
Protecting trade secrets
To ensure a reasonable amount of trade secret protection is in place, employers should password protect electronically stored information; limit employee knowledge of trade secrets and confidential information; require confidentiality agreements and post-employment restrictive covenants; label sensitive information as confidential and shred physical copies after use; conduct an exit interview with departing employees; monitor a suspected employee’s computer activity before termination; periodically inventory trade secrets and perform self-reviews of all policies and procedures regarding those secrets.
Employers should also establish a confidentiality policy, published in the employee handbook or other documents. The policy should comprehensively define what is confidential; specifically exclude generic information not eligible for trade secret protection to avoid a finding that the agreement was overbroad (if you claim too much is confidential, the court may find that none of it is); state that all confidential information, both physical and digital, must be returned at termination of employment and never shared with a third party without proper permission; require employees to sign an acknowledgment that the confidentiality policy has been received, reviewed, and accepted.
Electronic information should be password protected. The company should establish a policy to change passwords on a regular or annual basis. Applicable passwords should be changed after employee termination.
Limit employee knowledge of trade secrets and confidential information by disclosing trade secrets and confidential information on a “need to know” basis. The company should refrain from giving every employee access to all information. It should also segment information and password access so different individuals only have access to information pertinent to their position. For instance, a salesperson may need sensitive information about a specific territory but not access to information from all territories.
The company should also require confidentiality agreements and post-employment restrictive covenants for employees with access to especially confidential information. Under Illinois law, protection of trade secrets is sufficient justification for a post-employment non-competition covenant – the “Inevitable Disclosure Doctrine.”
It is good practice to label sensitive information as confidential and shred physical copies after use. Do not merely throw away the copies containing information. Confidential material should be clearly marked as to not be included with distributed marketing material, in mass e-mails, or posted on public web pages. Consider encryption practices both for e-mail communications and for data storage.
Also, periodically inventory trade secrets and perform self-reviews of all policies and procedures regarding those secrets to ensure that policies continue to be appropriate in light of changing technology, circumstances, and the law. Engage in regular internet searches to confirm that there have not been any breaches of securities.
Other possible precautions to take include disabling internet access on computers that have highly sensitive information; limiting use of unauthorized USB flash drives, iPods or other possible data storage devices at work or disable USB ports on computers; and encrypting highly sensitive material on a laptop or tablet if traveling in case of theft. Note that when traveling abroad, customs may legally impound laptops.
Liebert Corp. v. Mazur (Ill. App. 1st Dist., April 5, 2005) illustrates the importance of taking precautions to be legally protected. Sales representatives from Liebert Corporation began working for a competing company and took customer lists with them. The lists were kept in a password protected directory, but the employees were not under a confidentiality agreement. The court found password protection alone is not enough to establish trade secret protection, “Restricting access [with passwords] … is a step in the right direction,” but not enough in itself. The court was “troubled by the failure to either require employees to sign confidentiality agreements, advise employees that its records were confidential, or label the information as confidential.”
Encryption and trade secrets
Encryption is the process of coding data or a message in such a way so that a password or key is needed to unscramble the contents. Becoming increasingly common, encryption is also becoming increasingly inexpensive and easily implementable. Encryption has been increasingly recognized as an important protection of privacy by state legislatures. For instance, on October 1, 2008, Nevada became the first state to mandate businesses use encryption when transferring “any personal information of a customer through an electronic transmission.” Massachusetts followed with a similar law that took effect on January 1, 2010.
Encryption is not per se necessary for trade secrets but is a “measure taken … to guard the secrecy of information” factoring for protection. However, it could possibly be construed, regarding the ITSA, as a reasonable necessity, depending on the circumstances. For instance, if stored on a relatively public or seldom used computer, and if data is especially sensitive and routinely transferred (i.e. through e-mail).
If encryption is used, be sure to back up encryption keys or data could be permanently lost. Keep the keys secure as well, of course, or the purpose of encryption is defeated.
Electronic communications between lawyer and client
A 2007 ABA report said that 72% of the lawyers surveyed send confidential information to clients via e-mail. 79% rely on confidentiality/privileged disclaimers as their primary form of security. In 1997, the ISBA issued an advisory opinion determining that lawyers may use e-mail without encryption unless “unusual circumstances” demand enhanced security methods. In light of the lower cost and difficulty of establishing encryption systems, increasing awareness of encryption by legislators, greater threats of identity and data theft, and increased technological proficiency of lawyers, this stance could change at some point in the future.
Popular choices for email encryption include:
- PGP encryption software: the most popular choice for both email and file security
- Hushmail: a web-browser based email service
- Gmail Premier Edition: many customizable encryption and confirmation options and increasingly being used more by law firms
- Microsoft Outlook: provides basic encryption processes, but both parties must be using Outlook or otherwise have their “public key” available
Many other commercial programs and digital security consultant companies are available to specifically meet office needs.
Other forms of electronic communication
Extranet
- A password accessible database
- Increasingly popular as a means to make real-time case information available directly to clients
- Possibly provides a more enticing target for cyberspies and hackers
Social networking
- Should only discuss general legal information, not specific advice
Electronic messaging
- Discouraged unless strictly monitored on both ends
- Always stress the importance of confidentiality to the client, if client gives out the password, someone outside of confidentiality could be privy to important documents and communications
