Best practices to protect trade secrets
The ECCT's Intellectual Property Rights committee hosted a lunch on the topic "Beware of industrial espionage! - Best practices to protect your trade secrets" featuring guest speaker Huang Kuo-ming, Senior Partner at Formosan Brothers Attorneys-at-law. In his presentation the speaker offered insights into the root causes of trade secret theft, common inefficiencies in companies’ internal control policies, and solutions for enterprises to protect themselves.
He began by referring to a recent case involving two of Taiwan’s most prominent technology companies. In the case, a group of employees from one of the companies transferred to the other and were accused of stealing and using trade secrets. However, the case illustrates the difficulty of properly protecting secrets as well as taking remedial action after the fact, even though Taiwan has had a Trade Secrets Act in force since 2014.
The first step in protecting your trade secrets is to establish and record a precise list of trade secrets. Knowledge that qualifies as a secret could be a business, finance (forecasts or prices) or technological in nature or even related to Human Resources (such as salary information).
To meet the definition of a trade secret, it must have three elements: 1) It cannot be generally known; 2) it must have economic value and 3) reasonable efforts must be taken to protect the secret.
To meet the requirements of element 1, it cannot be easy, for example, for a competitor to discover the secret. Regarding element 2, it could be actual value or potential value that provides a competitive advantage. Element 3 is the most difficult to prove. It is common practice in trade secrets cases for defendants to claim that they didn’t know the information in question was a secret. Companies often revert to a blanket process of labelling all information and documents as “Confidential”. However, Huang noted that this type of action has been disregarded by courts because it is not reasonable to claim that all information is confidential. In addition, if the employee also often works at home using a company PC or other device, the case is likely to fall apart on the grounds that insufficient efforts were made to protect the secrets.
For companies to protect themselves, a minimum requirement is to have employment and non-disclosure agreements (NDAs) with the employees in place and strict security measures to prevent sensitive information from being leaked. For example, company computers should not have USB ports to allow information to be downloaded onto an external drive and there should be controls to prevent attachments being emailed to third parties or uploaded to the cloud. However, for employees that handle sensitive information, such as R&D staff, companies should go further. Besides controls on files being downloaded or shared, there should be authorisation controls restricting information flow between departments.
While it is common practice for companies to expect employees to work from home, this leaves them vulnerable if sensitive information can be accessed from PCs or other devices, sometimes through cloud-based apps. According to Huang, if you allow employees to take their computers home, it undermines the defence that proper precautions were taken to protect secrets.
After laying the groundwork in terms of setting up a secure system, when it comes to hiring employees, companies should first do due diligence to check on their backgrounds for red flags. For example, if employees have special relationships with third parties who have connections to competitors or they are heavily in debt, this should be a warning sign.
The next step is to sign an employment contract and NDA and inform employees about all the trade secrets they will have access to and ask them to sign agreements to acknowledge that they are aware of the secrets. The next step is to undergo training regarding protection methods. Employees should be tested on their knowledge of protection methods of all information (hard copy and electronic) and asked to sign documents to say that they accept and will comply with all the requirements. When employees leave the company, there should be robust procedures in place to ensure that they hand over all devices and documents before they leave and are not able to copy or transmit any data. Finally, throughout the process, companies should keep comprehensive records in case they need to be used as evidence.