While the global pandemic has highlighted the perils of remote work, decades of collective experience undertaking internal investigations for corporations and their advisors in connection with the misappropriation of intellectual property lead us to a conclusion: we should not blame the pandemic alone, as not a lot has changed over that time when it comes to corporate approaches to protecting critical IP and safeguarding trade secrets.
Reflecting on our time investigating IP misappropriation and theft, and calculating damages and testifying in litigation, we see periods of growth in industries where protecting this information would have been particularly important. During the “dot-com bubble” between 1995 and 2000, there was an exponential rise in investments in technology and internet-based businesses premised on complex research, ingenuity, and an anticipation of other technologies required to accommodate these new businesses. These included the evolution of mass data storage companies to back up code and other data inherent in these new industries. We saw similar advancements in new product development in the pharmaceutical industry between 2010 and 2019, which saw a 60 percent increase in new drug approvals over the prior decade, including 59 new drugs approved for sale in 2018¹. During the last few years, we have witnessed the race to develop and productize safe and efficient large capacity batteries for use in electric vehicles and other consumer products.
A constant throughout these periods of growth and innovation is the call to respond to data exfiltration, in particular exfiltration found to be perpetrated by insiders, especially former or soon-to-be former employees.
The law has tried to keep up with innovation and the protection of intellectual property, including the Defend Trade Secrets Act enacted in 2016, which provides a private right of action for the civil misappropriation of trade secrets. The law covers trade secrets “related to a product or service used in, or intended for use in, interstate or foreign commerce” and has been extensively used already by those seeking to recover damages for the loss of intellectual property deemed to be trade secrets. Success in a Defend Trade Secrets Act case requires the plaintiff to establish:
- the misappropriated information is a trade secret;
- the trade secrets were acquired through improper means; and
- the use of the trade secret by the recipient has harmed the plaintiff.
Especially important in these cases is the burden on the trade secret owner to establish that reasonable measures were taken to maintain the secrecy of the trade secret and prevent the information from being known or ascertainable by others in the industry. In that regard and in connection with decades of investigating the exfiltration of IP and trade secrets, the following are some recommendations for protecting company confidential information.
- Inventory Trade Secrets and Proprietary Information: Organizations should take stock of their confidential information and delineate trade secrets and other confidential or mission-critical information. Once identified and inventoried, information that is deemed a trade secret should be marked as such and a steward assigned to ensure the proper handling of the trade secret.
- Employment Agreements: All company employees should execute non-disclosure agreements in which they agree to not share confidential information. Similarly, the company’s code of business conduct and employee handbook should also cover confidentiality requirements and employees’ obligations to raise incidents of breach of confidentiality or other proprietary data exfiltration or loss.
- Policies and Procedures for Handling Trade Secrets: Policies and procedures for trade secrets and confidential information should be developed to govern the access, use, and steps to protect the confidentiality of the trade secrets. Policies should include: a “need-to-know basis” for accessing trade secrets; restrictions on the sharing or transmittal of trade secret information; an affirmative duty for all employees to maintain the confidentiality of trade secrets; and processes for safeguarding trade secrets such as clean desk policies.
- Training: Upon employment, all colleagues should be trained regarding the nature of the company’s trade secrets, the methods for protecting them, and their responsibilities for doing so. Training should include not only trade secret-specific training, but also encompass computer use, physical security measures leveraged by the company, and how to raise concerns via the firm’s integrity hotline or other methods used by the company to identify and address concerns. Employees with particularly sensitive responsibilities should receive supplemental training as appropriate. All training should be recurring and continually updated to reflect changes in the business and the intellectual property that comprises trade secrets.
- Physical Security: The company should conduct an enterprise-wide risk assessment to understand the risks and vulnerabilities to the company, its employees and assets, in order to determine the most appropriate physical security measures necessary to protect the firm’s trade secrets. At a minimum, the company should employ measures to restrict ingress to the company’s buildings and offices, utilizing an auditable badge system. Consideration should be given to additional physical security measures, including strategically placed cameras to observe ingress and egress, lockable offices where confidential information is maintained, and limiting access to server rooms.
- Technology: While technology is a facilitator of information exfiltration, it can also effectively prevent data loss and theft. Examples include the use of data loss prevention technology, restricting access to USB ports to eliminate the use of thumb drives, and software to monitor attachments to emails as they pass through the company’s firewall. Additional technologies for protecting confidential information include digital watermarking of electronic documents and electronic filing systems that restrict access to trade secrets on a “need-to-know” basis.
There are a number of additional elements to take into account when determining the best approaches to protecting trade secrets, including policies and procedures for visitors and other third parties, the sharing of information with prospective partners or co-developers, and legal options such as patents and other protections. As these measures are considered, it is important to keep in mind that trade secrets are a critical part of an entity’s intellectual property portfolio and have great value of their own. Protecting these trade secrets should not be viewed as simply a cost, but an integral part of a company’s competitive business strategy and the costs of protection measures should be viewed accordingly. As such, companies should assess their trade secrets and take the appropriate measures to protect them in a comprehensive and holistic manner, taking into account the risks associated with their potential compromise.
¹https://www.cbo.gov/publication/57126 (Congressional Budget Office, Research and Development in the Pharmaceutical Industry, April 2021.)