With apologies to Jane Austen, it is a truth universally acknowledged that every company possesses information that it wants to keep out of its competitors' hands. Whether that information is a list of customers or clients; a strategic plan or business practice; pricing information; or something as specific as a process, formula, recipe or design that defines and distinguishes a company's product or service – the information is only as secure as the steps taken to protect it. Put another way, the law protects those who protect themselves.
Many lawyers and executives mistakenly believe that trade secret protection only extends to formulas and recipes (such as the recipe for Coca Cola) or designs (such as blueprints for a jet engine), and that their particular company or industry is therefore insulated from the realities of civil – let alone criminal – liability in this area. Wrong on both points. As to the first misconception, the law covers a broad swath of confidential business information. For instance, the Economic Espionage Act of 1996 (which parallels many state trade secret laws) broadly defines a trade secret to include "all forms and types of financial, business, scientific, technical, economic, or engineering information . . . " so long as the owner (paraphrasing here) has taken "reasonable measures" to keep the information secret, and the information derives some independent economic value from not being generally known to the public. And as to the second misconception, the plain truth is that the laws proscribing trade secret theft and computer fraud are being vigorously enforced between competitors in civil proceedings as well as by the Justice Department in the criminal context, and at a rapidly increasing rate.
Companies therefore need to be particularly vigilant not only in protecting their own data, but also in ensuring that their employees do not possess or use a competitor's information unless they are confident the information is public. Many businesses, however, fail to take the most basic steps to guard against these pitfalls. This is likely because they do not appreciate that "misappropriators" are usually the very people with whom they voluntarily share or depend on for information: employees and business partners.
The statistics illustrating this uncomfortable fact are chilling. According to a 2009 survey by David Almeling, in more than 85 percent of cases involving trade secret misappropriation, the alleged culprit was an employee (usually former) or a business partner. According to another survey by Dr. Larry Ponemon, 60 percent of workers admit to having taken confidential business information from their employers when leaving a job. Indeed, as another commentator noted, USA Today recently published a poll (based on a Monster.com survey) stating that 17 percent of surveyed workers admitted that they would disclose company secrets if paid; an additional 8 percent admitted that they had already done so. If these numbers are accurate, at least 25 percent of workers have either already sold confidential business information or would do so at the drop of a hat (or at least a few dollars). These statistics explain why trade secrets litigation in federal courts doubled between 1997 and 2004 and is expected to double again by 2017. Similarly, Mr. Almeling's research shows that trade secret litigation in state courts has increased 36 percent in the past 15 years, while litigation generally has only increased by 9 percent.
This math is not particularly surprising. At no other time in history have data and employees been so utterly mobile. Gigabytes of information can be downloaded in mere seconds onto a device attached to a key ring, and according to research highlighted by Jan Wolf's January 2012 Corporate Counsel article, employees move jobs (often between competitors) at such a rate that employers rarely expect new hires to stay more than five years.
Does this mean that you should no longer trust your employees? Certainly not; no one wants to work in a culture of mistrust and suspicion. Nevertheless, companies need to foster a culture that places a premium on the protection of, and respect for, sensitive business information. There are many – often inexpensive – ways to promote this "culture of confidentiality," and executives and in-house lawyers should take the time to ensure that company policies and procedures regarding such information emphasize confidentiality.
The first step in creating this culture is to assess and then clearly identify for employees which information is actually confidential. In doing this, it is important to not over-designate information as confidential. In United States v. Tien Shiah, for example, the district court in California noted that the defendant's confidentiality agreement was overbroad because it designated almost all information confidential, thus making it hard to determine what information was actually confidential. The sad and somewhat ironic truth is that if everything is deemed confidential, the total level of protection for all information suffers.
Once a company has identified its truly confidential information, there are several additional steps worth taking to ensure that employees are aware that maintaining confidentiality is of the utmost importance.
Often the sine qua non for trade secret protection to attach is the existence of a confidentiality or non-disclosure agreement. Indeed, it is good practice to have those agreements signed when an employee is hired and/or promoted, as well as re-executed periodically (perhaps in conjunction with an annual review). Confidentiality agreements should clearly communicate that any and all information provided to or created by an employee in the course of employment is the company's sole and exclusive property that the employee cannot take upon termination of employment. As noted above, these agreements should specifically identify the confidential information relevant to the company's business. In addition, these agreements should make clear that employees must maintain confidentiality over information they know, or have reason to know, is not generally known outside the company. Employers should highlight and explain these provisions, provide the employee with a copy of the agreement and encourage questions.
Data mobility creates particularly difficult challenges for businesses seeking to protect confidential information. For instance, employees often email documents from work computers to personal email addresses. The most sophisticated companies employ filters and other software to ensure that data leaving the company network via email or download is for a business purpose. These methods, however, tend to be expensive and difficult to manage, and they may inhibit working remotely. Although each business is different, there are at least two generally applicable "rules" in this area. First, adopt a policy that specifically addresses access to and use of company data and networks, and make sure employees are aware of and understand the policy. Such policies should address the use of personal email and the Internet; what data can and cannot be removed from the office; and how employees can work remotely. The second consideration is passwords; though most businesses use them for general network access, employees often have unfettered access to all corporate information once they enter the network. These days it is not hard to compartmentalize network access such that access is provided on a need-to-know basis; indeed, courts favorably view such efforts. For example, in United States v. Dongfan Chung, the Ninth Circuit noted that reasonable measures include limiting access to information on a "need-to-know basis." Likewise, particularly sensitive electronic documents should have unique passwords.
In fact, the degree to which an employer restricts employees' access authorization may bear on the employer's right to seek relief in federal court under the Computer Fraud and Abuse Act (CFAA) from an employee who has misappropriated documents. In 2011, the Ninth Circuit determined in United States v. Nosal that whether an employee "exceeds authorized access" (such that liability attaches under the statute) turns on the scope of the restrictions placed by the employer on the employee's permission to use the computer. Only two years earlier, the same court found in LVRC Holdings LLC v. Brekka that an employee had not exceeded authorized access and therefore was not liable under that same statute, even though he downloaded corporate documents prior to leaving for a competitor, because he was given general access to the entire company network. Policies should at the very least limit authority to access data to that which furthers a legitimate business purpose.
Businesses should ensure that employees consistently designate confidential documents – whether in paper or electronic form – on the face of the document. It should be clear to anyone who sees a document whether the company views the information as "confidential," "highly confidential" or a "trade secret." As noted above, arbitrary and over-designation of confidential documents can diminish protection. In other words, if it is not confidential, do not mark it as such.
When employees leave a company, they should have an exit interview during which they are reminded of the company's confidentiality policy, and departing employees should be provided with the most recent version of their confidentiality agreements. Moreover, they should sign a statement acknowledging that they complied with the policy and that they have not taken company documents. Likewise, companies should instruct new hires that they cannot bring proprietary information from their former employer. New employees should affirm in writing that they neither brought nor intend to use their previous employer's proprietary information. In-house counsel and HR departments should be particularly attuned to this point, as it can prevent distracting and expensive lawsuits (or perhaps even a grand jury investigation) because a new hire is using and sharing work product from a previous employer/competitor.
Businesses should periodically remind their employees about all confidentiality policies, ideally with regular training tailored to the business. Such training, which can be done in a meeting or through an online program, both reinforces these policies and fosters the culture of confidentiality.
In sum, the standard of reasonable conduct expected from a company only increases as information technology becomes more sophisticated. Ironically, the same improvements in technology make it easier for employees to copy and share data. Fortunately however, establishing clear policies regarding confidential information can help discourage employees from misappropriating information and avoid a crisis that, because of the public nature of litigation, is bound to result in further exposure of confidential materials.
Christopher J. Morvillo is a Litigation Partner in the New York office of Clifford Chance. A former federal prosecutor in Manhattan, Mr. Morvillo has extensive experience representing and advising individuals and entities in a wide variety of white collar criminal and regulatory matters, including several recent representations involving criminal and civil allegations of trade secret theft and computer fraud.
Megan E. Farrell is a Litigation Associate in Clifford Chance's New York office, focusing on commercial litigation and criminal regulatory disputes. Prior to joining Clifford Chance, Ms. Farrell worked as a prosecutor at the Brooklyn District Attorney's Office.