Inevitably, when someone gets into a discussion of the proper governance and management of trade secrets, they fall down the proverbial rabbit hole of identification. Meaning, should a company try to identify all of its trade secrets as part of its ordinary course of business? Or should a detailed identification wait until misappropriation and enforcement? In my view, neither of these extremes is satisfactory—and both grossly oversimplify the options.

Let's start with some basics. As many know, trade secrets traditionally have fallen within the purview of state law, which for most states is some variation of the Uniform Trade Secrets Act (a notable nearby exception is New York, which applies common law). In 2016, the first federal trade secrets law—the Defend Trade Secrets Act—was also enacted. Regardless of the exact legal authority in question, trade secrets legislation is intended to protect anything of commercial value that is kept secret. Typical trade secrets include business information like customer lists, pricing, marketing strategies and the like, as well as more traditional IP-style trade secrets such as processes, methods of manufacture, formulas, recipes and algorithms (many of the things that cannot be subject to a patent, as well as many inventions prior to patenting). Trade secrets can also include research and development information, including what worked and what did not (negative trade secrets), as well as business insights like sources of supply or key raw materials. Every business has trade secrets, whether they realize it or not, and various sources have shown that trade secrets are often a business's most valuable form of intellectual property, which is especially important given that 84% of the value of S&P 500 companies is shown to come from their IP and other intangible assets.

In order to have an enforceable trade secret, a trade secret owner has to demonstrate that they took "reasonable measures" to keep the information secret. What is reasonable depends on the circumstances—there is no one-size-fits-all criterion—but basic items like confidentiality agreements, "need to know" sharing, password protection, common cybersecurity measures, labeling documents confidential and the like are usually required. From a risk management perspective, it is also important to use "reasonable measures" to protect trade secrets—after all, the desired goal is to avoid loss in the first place, not to have an "opportunity" for enforcement.