Privacy Plus+

Privacy, Technology and Perspective

School’s back in session: Starting with Trade Secrets

This week, let’s join “Professor Hosch” at the start of a new law school year, looking at trade secrets. Specifically, let’s consider the measures required to protect trade secrets. Can we find an objective way to show that measures are “reasonable”? We welcome your thoughts!

“Reasonable” or not:  Whoever claims to own a trade secret must show that she has taken “reasonable measures under the circumstances to keep the information secret” or otherwise protect it from loss, wrongful disclosure or misuse.  Absent taking reasonable measures to preserve secrecy, a “trade secret” probably won’t be held to be a trade secret at all.  So how can you tell when your protective measures are “reasonable enough?”

Beyond the “reasonably prudent person”: Ask a second-year law student what “reasonable measures” are, and her immediate reaction will be, “whatever a reasonably prudent person would do in those circumstances.” The reasonably-prudent-person principle is correct as far as it goes, but it isn’t easy to use as a guide for business (especially in close cases), because what you believe is plenty might seem like just a jumping-off point to someone else, especially in hindsight. Can we be more objective?

Toward the “objectively prudent person.”  Here are some ideas on how to “objectify” the “reasonable measures” you’re taking to protect your trade secrets.

  • Start with the obvious.  Especially in trade secret law, never overlook the simple basics.

    • Identify your trade secrets. You can’t enforce what you can’t define. Articulate what they are — never take refuge in generalities (e.g., “everything,” or long strings of noise you’ve cut and pasted from someplace). Make a list or inventory.

    • Make sure people know they’re trade secrets and commit to keeping them secure, through non-disclosure agreements, policies regarding confidential and trade-secret information (including return of all confidential and trade-secret information at end of employment), data classification policies, terms of use, training regarding the handling of confidential and trade-secret information, “awareness reminders” to stay alert (not the same thing as “training”), and otherwise.

    • Limit access.  Access to your trade secrets should be provided on a need-to-know basis only.  Monitor access.  Set up technical access controls to lock people out of places where they have no business, and to restrict their ability to access, save, copy, print, or email protected information.

    • Secure them.  Use locks, password protection (meeting at least the industry standard for password requirements), encryption, code obfuscation, storage in protected repositories, and multi-factor authentication.

  • Treat your trade secrets according to their economics/value. “Value” is increasingly an element of what constitutes a trade secret in the first place. Certainly if you expect a court to treat your “trade secrets” seriously, you must show how you have tried to treat them that way yourself. Of course, not everything is priceless and must be guarded like Fort Knox; as Judge Richard Posner used to say, “perfect security is not optimum security” and many things can be protected with less than ultra-sensitive, perfect security. Conversely, nearly everything must be guarded better than the closets at Mar-a-Lago. Match your level of security proportionately to the economics/value of your trade secret.

  • Plot out a “bell curve” of cases.  Instead of looking for one white-horse case, draw a spectrum from where measures have been found to be “obviously unreasonable” across to those that were “obviously reasonable.” Read as many cases as you can find and plot them along your spectrum. You’ll find that they cluster in a classic bell curve.  Measures from the middle of that curve to the right are more likely to be “objectively reasonable.”

  • Look to standards.  We suggest looking far beyond trade secret cases. Some states have statutory duties of care related to data security, which generally impose obligations to maintain reasonable administrative, technical, and physical safeguards. Consider that the NY SHIELD Act, Massachusetts’s Data Security Regulation, and the Alabama Data Breach Notification Act of 2018, along with the FTC Act, the SEC Safeguards Rule, HIPAA and other federal laws, all require “reasonable” data security. Look also at “cybersecurity assessment frameworks,” the standards that industry groups, regulators, and others are developing for objectively assessing cybersecurity, especially in the context of privacy. There are many of these – SOCs 1, 2, and 3; NIST; SANS Critical Controls; HITRUST; and others.  These are an emerging, underused resource that can be used in trade secret analysis.

“Cutting edge?”  We’re indebted to Milt Springut for (with much else) the thought-provoking question of whether trade secret owners must sometimes – or always? – use cutting-edge devices in order to be taking “reasonable precautions.” He reminds us of the TJ Hooper case from the Second Circuit in 1932, where Learned Hand wrote that a tugboat owner could be negligent for failing to have working, two-way radios on board, even though those were not yet industry standard at the time. We suggest that where the value/risk of the trade secret is high enough, cutting-edge protections might indeed be necessary, especially where the cost of protections would be low.

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.