Inside Job: Cybersecurity to protect trade secrets
The threat of outside hackers is not the only reason to implement cybersecurity practices. Thoughtful cybersecurity practices can protect a business’s trade secrets from theft by departing employees and competitors. And while media attention focuses on cybersecurity breaches at large companies, large companies are not the only targets. A recent survey found that over 50 percent of small and medium-sized businesses had suffered cyberattacks or data breaches in the preceding 12 months. Thus, any business with confidential, valuable information should develop its cybersecurity practices with protection of its trade secrets in mind.
Trade secrets can be almost any business information that is valuable because it is secret. This includes information about customers, employees, finances, products, and sales and marketing efforts.
Most states, including Utah, have laws to protect trade secrets through a version of the Uniform Trade Secrets Act. And the federal Defend Trade Secrets Act provides nationwide protection. Under these laws, businesses seeking return or non-disclosure of their trade secrets or to receive damages for improper disclosure must prove that their trade secrets are valuable and subject to “reasonable” protections.
Reasonable Cybersecurity to Protect Trade Secrets
Today most, if not all, business information is stored electronically. The security approach to protect information from hackers is similar to the approach to protect trade secrets. But because trade secrets are often taken by departing employees, there are some additional considerations.
What constitutes “reasonable” protection varies by business and depends on the nature of the trade secrets. So there is no single checklist of protections that is applicable in all situations. Thus, in-house counsel or an outside attorney may be consulted.
Identify Trade Secrets
As an initial matter, it is helpful for a business to understand where its trade secrets are kept and determine what protective measures and retention policies are applicable to them. This identification can also include informing employees about what information the business holds as a trade secret so that employees know what information should be treated with increased confidentiality, which may be accomplished through non-disclosure or confidentiality agreements with employees.
Implement Protective Measures
The next step is to implement protections. Computer and network access restrictions, strong-password policies, firewalls and other network security should all be considered as means to protect trade secrets from malicious outside actors, as well as to prevent access by employees who do not need trade secrets to perform their job functions.
Employees often represent the most vulnerable point of a cybersecurity scheme. In addition to basic cybersecurity training that focuses on the dangers of email, phishing, malware, etc., relevant employees may also receive training on policies and protections applicable to trade secrets. This may include training about how trade secrets should be handled on employee phones, USB drives and other mobile devices, and about when trade secrets can be printed and how to securely store trade secrets in physical form.
Detect Improper Access
Systems and methods may be implemented to detect breaches if and when they happen. Theft of trade secrets can originate from inside a business, such as from a departing employee, as opposed to an outside actor. Accordingly, companies may also implement systems to detect threats to trade secrets from within.
Network monitoring and computer logs can help determine when trade secrets were accessed and by whom. Print logs may also be useful to determine those employees who printed trade secrets.
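As an added illustration (not part of the original article), the sketch below shows one way the log review described above could work: it merges a file-access log and a print log, keeps only events touching locations identified as trade secrets, and reports when each was accessed and by whom, flagging activity by a departing employee. The log format, path prefixes, user names, departure date and 14-day review window are all constructed assumptions.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Constructed inventory: path prefixes the business has identified as trade secrets.
TRADE_SECRET_PREFIXES = ("/shares/formulas/", "/shares/customers/")
# Constructed HR data: user -> last day of employment.
DEPARTURES = {"bchen": date(2024, 3, 15)}
WATCH_WINDOW = timedelta(days=14)  # assumption: review the two weeks before departure

# Constructed log samples, one event per line: timestamp,user,action,path
FILE_LOG = """\
2024-03-01T09:12:00,akhan,read,/shares/formulas/blend-7.xlsx
2024-03-12T22:41:00,bchen,read,/shares/customers/accounts.csv
2024-03-12T22:43:00,bchen,read,/shares/marketing/logo.png
2024-03-18T07:05:00,bchen,read,/shares/formulas/blend-7.xlsx
"""
PRINT_LOG = """\
2024-03-13T08:30:00,bchen,print,/shares/customers/accounts.csv
2024-03-13T08:31:00,akhan,print,/shares/hr/holiday-schedule.pdf
"""

def classify(user, when):
    """Label an event relative to the user's recorded last day, if any."""
    last_day = DEPARTURES.get(user)
    if last_day is None:
        return "ok"
    if when.date() > last_day:
        return "after-departure"   # access was not revoked in time
    if when.date() >= last_day - WATCH_WINDOW:
        return "pre-departure"     # candidate for closer review
    return "ok"

def trade_secret_events(*logs):
    """Merge logs; return sorted (time, user, action, path, flag) for trade-secret paths."""
    events = []
    for log_text in logs:
        for row in csv.reader(io.StringIO(log_text)):
            if not row:
                continue
            ts, user, action, path = row
            if path.startswith(TRADE_SECRET_PREFIXES):
                when = datetime.fromisoformat(ts)
                events.append((when, user, action, path, classify(user, when)))
    return sorted(events)

if __name__ == "__main__":
    for when, user, action, path, flag in trade_secret_events(FILE_LOG, PRINT_LOG):
        print(f"{when:%Y-%m-%d %H:%M} {user:6} {action:5} {path} [{flag}]")
```
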
Respond and Recover from Trade Secret Misappropriation
Determining how to respond to a cybersecurity breach in the wake of an attack is not ideal. Cybersecurity professionals recommend that an incident response plan be in place before any breach occurs. A similar approach may be appropriate with respect to trade secret misappropriation.
Upon departure of an employee, access to trade secrets should be immediately revoked, all corporate devices collected, and company information and software removed from any personal devices (e.g., smartphones). Departing employees may also have exit interviews or separation letters, which remind employees of confidentiality, non-disclosure or non-compete agreements. The circumstances surrounding departing employees may help determine whether employee email is archived, whether access logs are saved, and for how long that information is preserved.
If departing employees are suspected of misappropriating trade secrets, businesses with a response plan can quickly and efficiently investigate the matter and determine whether court intervention is necessary. The response plan may delegate collection and preservation of relevant computer and network logs for investigation and possible use in court. The plan may also include contact information for forensic experts should outside help be necessary for investigation. An appropriate designee may also contact the misappropriator and demand prompt return of the trade secrets and all other confidential information.
While a response plan may not be necessary for protection of trade secrets, it can help make responding to trade secret theft easier.
Ideally, determining how to protect trade secrets should be done long before court intervention becomes necessary and may be considered in connection with general cybersecurity efforts. Again, what ultimately constitutes “reasonable” protection of trade secrets is specific to the unique circumstances of any given situation, as are the cybersecurity measures that a business chooses to implement.
Jared Braithwaite is a registered patent attorney and shareholder at the law firm of Maschoff Brennan. He is also a Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals.