Nicole D. Galli, Law Offices of N.D. Galli LLC Nicole D. Galli, Law Offices of N.D. Galli LLC

It seems like every week there is another trade secrets case or investigation making headlines.  Just this month, Christopher Wray, director of the FBI, in a speech titled, "Responding Effectively to the Chinese Economic Espionage Threat," explained that "the FBI currently has about 1,000 investigations into Chinese technology theft." As recent news reports and cases show, state actors misappropriate trade secrets not only through cyber means, but also through partnerships with an insider, such as an employee, and otherwise seemingly legitimate business relationships. Indeed, studies show that the vast majority of the threats—even those without a state actor involved—are from some kind of insider—current and former employees or trusted business partners (e.g., joint venture partners, suppliers, customers and the like). This is corroborated in speaking with many in house counsel about these issues, as I do, as they tell me it is insider threats that keep them up at night, far more than whether their cybersecurity protection is adequate (although that's certainly an important consideration as well).

Some may wonder why trade secrets are so much more in the news these days. That's a complicated question for which there are numerous possible explanations. One factor is the impact of patent eligibility law on key technology areas such as software, business methods and medical diagnostic testing. Another factor is the increasing mobility of the workforce and the heightened level of electronic connectivity among people (such as social media and workplace communication services such as Slack), which creates situations ripe for both inadvertent and intentional trade secret loss. Of course, we cannot underestimate the impact of now having a federal trade secret law with the enactment of the Defend Trade Secrets Act in 2016 and similar laws in Europe with the implementation of 2016 EU Directive. And we also can't ignore the impact of attacks on the enforceability of restrictive covenants in certain jurisdictions. To me, however, the most important reasons are the ubiquitous nature of trade secrets—all businesses have them—and their high business value, which is being increasingly recognized. Indeed, some studies show that many businesses consider their trade secrets to be their most important form of intellectual property, even more so than their patents (which seems contrary to most IP lawyers' perspectives).

So how do we stem what is clearly a rising tide of trade secrets disputes and actual and potential loss? If you or your clients haven't been thinking about enhanced trade secret protection, you are behind the times. The old ways of relying on confidentiality agreements and NDAs, employment agreements, "need to know" rules, and cybersecurity are inadequate in today's climate. Instead, companies need what I call "trade secrets 2.0"—a multidisciplinary approach to trade secrets protection that looks to create a company culture and business processes around enhanced trade secret protection. Such systems draw upon various sectors of the company such as legal, IT, HR and R&D, and often rely upon an executive sponsor to reinforce the importance of the issue. As one study shows, as of just a few years ago, at best one-third of companies—even large multinational ones—were taking more comprehensive steps to secure their trade secrets. Many companies I know, especially smaller ones, do not even realize they have trade secrets. Yet everything that a company does that it does not share with the public and provides it with a competitive advantage is potentially a trade secret. Once companies realize how broad the definition of trade secret really is, they start realizing how many they have and how little they are doing to protect them.

To me, a first step in trade secrets 2.0 protection is identification. For most companies, trying to identify each and every trade secret the company has is a losing battle. Especially in technology and R&D-driven companies, new trade secrets can be created every day, rendering any catalog of trade secrets obsolete as soon as it is completed. This does not mean one should not try to think about this however, and at least come up with broad categories of trade secrets that the companies might have. The kinds and location of the trade secrets, for example, can inform the other steps one takes in protecting them, as can knowing how, if at all, the trade secrets need to be shared within and outside the company.

More specific identification becomes increasingly important at various entrance and exit points. One example is when employees are on-boarded or leave the company. At that time, it is helpful to at least have some idea of what trade secrets the employee will be (or was) exposed to so that proper instructions can be given for how they should be handled going forward.  For many companies, avoiding having an employee utilize their prior employer's trade secrets in your company can be as important if not more important than worrying about losing your own trade secret. Such companies not only want to avoid an accusation of trade secret misappropriation, but also want to avoid having their technology contaminated with trade secrets they do not truly own. Another time that is critically important is when partnering or sharing information with another company—whether an investor, joint venture, customer, or vendor.

It is also critically important to keep trade secrets identification in mind in connection with patenting. Some (and perhaps many) patent lawyers believe that if something can be patented it should be patented and that trade secrets should be avoided. However, for some companies, maintaining key assets as a trade secret makes good business and economic sense. Think about the value of the Coca-Cola formula over the last 100-plus years, versus a single pharmaceutical patent. Even though the pharmaceutical patent is likely highly valuable, the Coca-Cola value is likely higher. In addition, most times, it is best to have a web of protection, where some aspects of an invention are patented but others are protected by trade secrets. In any event, since patenting by its very nature (invention made public) is the opposite of trade secrets (invention kept from the public), this is a key decision point. Thus if there is some technology that a company wants to keep as a trade secret, it is critically important that it not be included or disclosed in a patent even if not actually claimed in a patent. Similarly, when there is a suspected trade secret misappropriation, it is important to check the company's patents for the related technology, to be sure that there was not already a disclosure of the purported trade secret in the patents.

Once you have an idea of the kinds of information you are protecting, then you need to think about additional protections. One important factor determining what kinds of protections you need is whether this information can be controlled within a small internal group or needs to be shared within the entire company. The more people who must have access to the information the higher the risk. Similarly, the protections required will vary depending on whether it is only going to be shared internally or whether it needs to be shared with third-parties. Third-party sharing is probably the most difficult situation for which to design trade secret protection—you now are dealing with not one but two companies, which at least doubles the risk—and you may not have a lot of control over the third-party, even if you have leverage in the relationship. One way you can try to protect yourself is by conducting due diligence on the third-party. Another is by only sharing a portion of the trade secret information (if possible), keeping the rest in a black box, for example, or spreading it among a group of suppliers (so that no one supplier knows everything).

In general, every company will benefit from employee training and creating a culture around trade secret protection. Inadvertence is often as much of an issue as deliberate misappropriation. For example, sending a document containing trade secrets to a home email to work on it remotely—though well intentioned—can increase the risk of loss and should be avoided. Sharing a thorny computer programming problem with friends outside the company to get suggestions and advice might be commonplace in the industry, but again not a great practice from the perspective of trade secrets protection. However, as in house counsel will tell you, one needs to balance practical realities of the business with trade secrets protection. As with any system that depends upon employee compliance, systems that make jobs harder are less likely to be complied with and more likely to be the subject of potentially hazardous workarounds.

All systems need regular monitoring and enforcement, in addition to regular employee training. Especially for larger companies, more sophisticated technological systems can be employed, such as blocking or disabling USB drives and utilizing software and algorithms that flag large downloads or emails with attachments, as well as other suspicious behaviors. At the end of the day, however, no system is fool proof. Accidents will happen and it is highly likely a misappropriation may occur as well at some point in a company's life cycle. Even if a company chooses not to pursue a legal remedy for a particular incident, it must take action when an incident comes to light and remedial steps should be documented. As any trade secrets litigator will tell you, one of the areas for discovery in a trade secrets case is whether there were past incidents of trade secrets loss or misappropriation and whether the company took the necessary steps to address them. In this regard, attention should be given to whether remediation records should be treated as privileged or whether some records should be maintained as a business record. This could be an important question later, when one may want to rely upon a business record regarding remediation without opening the door to a full privilege waiver.

These are only a small fraction of the considerations that need to be taken into account in designing an effective system of enhanced or trade secrets 2.0 protection. As with "reasonable measures"—the standard a court uses to determine whether or not a company took the necessary steps to secure the trade secret—trade secrets 2.0 protection needs to take into account a myriad of factors too numerous to discuss here. The first step, however, is to think about the issues and develop a comprehensive plan—just relying on "old school" trade secret protections will not cut it in today's world.

Nicole D. Galli is the founder and managing partner of the Law Offices of N.D. Galli, a boutique law firm with offices in Philadelphia and New York that protects businesses' key strategic assets through corporate transactions and governance measures, intellectual property counseling and commercial litigation. She is also the founder and president of Women Owned Law (WOL), the first national networking organization dedicated to empowering and supporting women entrepreneurs in the law. Galli can be reached at [email protected] or 215-525-9583.