With the passage of the Defend Trade Secrets Act (DTSA), the federal government handed businesses a lethal new weapon to protect trade secrets in federal court. There should be champagne popping in boardrooms everywhere. Why, you ask?
Access to federal courts in and of itself is a major boon for businesses. Any seasoned litigator knows that in federal court, deadlines and dates are set quickly and are firm. Further, federal courts have more judges, more resources, and less cluttered dockets. Accordingly, federal litigation customarily moves at lightning speed compared to state court. Also, anecdotally speaking, the federal judiciary and its staff are the cream of the legal crop. Federal judges aren’t encumbered with running for re-election (as in Ohio), they take the time to understand complex legal issues and have the wherewithal to deal with those issues. Their staff attorneys are usually enjoy digging into the meat of legal issues and complex fact patterns. This isn’t to say that state court judges and staffs are substandard. More so, state courts generally lack the resources and time to put together a stellar legal team to review your case. Thus, when dealing with a complicated trade secrets cases, federal courts will be a welcome arbiter for practitioners and clients alike.
But … there is always a but … if one seeks to enforce trade secret rights in federal court, one must bring her or his “A” game. A federal court will expect a party to be able to prove their case and motion practice is more effective. To provide an example, the “trade secret” had better be a trade secret. At first blush, that seems an obvious statement. However, beneath the obvious is the point I am driving at: if you have a trade secret you better keep it like a secret. Let me explain.
The DTSA adopts the Economic Espionage Act’s (EEA) definition of a trade secret. According to the EEA, a trade secret is defined as follows:
“[A]ll forms and types of financial, business, scientific, technical, economic or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing.”
But that’s not all. To qualify as a trade secret, the owner must: (1) have “taken reasonable measures” to keep the information secret; and (2) “derive independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public.” See 18 U.S.C. § 1839(3).
Reasonable measures? Sounds like another way of saying “gray area.” What are the federal courts likely to do with such gray area? I predict the federal courts will paint it with the many splendored colors of information security. Simply put, federal courts will look to set quantifiable standards for the reasonability of measures to protect trade secrets. I believe the easiest method to judge the reasonability of a plaintiff’s security measures is to view them through the lens of information security. Because many organizations still lack adequate information security, proving the existence of a trade secret trade secret in federal court will become increasingly problematic. Although scant at this juncture, federal case law seemingly bears this theory out.
In US v. Shiah, No. SA CR 06-92 DOC (C.D. Cal. Feb. 19, 2008), a case addressing trade secrets under the EEA, the defendant copied 4,700 computer files belonging to his employer, Broadcom, to an external hard drive shortly before leaving to start a new job with a competitor. In Shiah, the district court engaged in a lengthy discussion of the “reasonable measures” requirement. The measures taken by Broadcom to maintain the confidentiality of its secrets included confidentiality agreements signed by its employees that explained the value placed on confidentiality and attempted to indicate which documents were considered confidential. The confidentiality agreement also prohibited employees from taking confidential information with them upon their departure. The court noted Broadcom’s use of IT-managed firewalls, file transfer protocols, intrusion detection software, passwords to access the company’s intranet, a layer of protection between its intranet and the Internet, and selective storage of files. Broadcom further required non-disclosure agreements, tracked sharing through a program called DocSafe, and marked documents as confidential. Finally, Broadcom maintained a high security physical facility. Seems pretty good, huh?
Despite Broadcom’s security measures the court found them “barely sufficient” to qualify as reasonable under the EEA. The court opined that Broadcom should have provided education, training or guidance to employees regarding the information it considered confidential. The court stated that the training should have been “regular” and included methods for ensuring information remained protected. The court also noted that if Broadcom had a “comprehensive system in place designating which documents were and were not confidential”, it would have been easier for employees to identify confidential information. Regarding the confidentiality agreement signed by Shiah, the court stated that it was overly broad in designating nearly all information as confidential, making it difficult for employees to understand what information was actually confidential.
The court also criticized Broadcom’s off-boarding process with Shiah. The court indicated that Broadcom was overly concerned about “sending a message” as opposed to actually protecting its information. The court indicted that Broadcom should have had Shiah’s supervisor present to thoroughly explain the terms of the confidentiality agreement, identify the information the company determined to be particularly sensitive, and inquire as to what information he was taking with him. The court also stated that Broadcom should have taken steps to inspect Shiah’s computer to determine what information Shiah had accessed and when. The court indicated that had Broadcom simply inspected Shiah’s computer, it would have learned that Shiah copied thousands of files and would have been able to investigate immediately.
Lastly, what I find most interesting about the Shiah case is the court’s dicta regarding “reasonable measures”. The court presciently stated:
“The Court is also basing its determination on what would have been considered reasonable at the time, in 2003; the Court notes that the reasonableness standard will become more and more stringent as time passes. Over time, there will and have been improvements in technology, information, and knowledge pertaining to data secrecy[.]”
The controversy in Shiah happened 13 years ago. In terms of information technology, 13 years is an eternity. The threats to information are more formidable and pervasive than ever. Furthermore, with the development of various forums on the “Deep Web” and the rise of crypto currency, it has never been easier to sell information such as trade secrets to willing buyers and to do so anonymously. A comprehensive information security regime that emphasizes trade secret management will be the best prescription for protection in this new age of federal trade secret litigation.
Read Menzies Aviation v. Wilcox, 978 F.Supp.2d 983 (D.Minn. 2013) for a more recent take on federal trade secret litigation as it relates to the consideration of “reasonable measures”. In Wilcox, the U.S. District Court of Minnesota held that the trade secret owner failed to employ reasonable measures when the employer was aware that the subject employee used personal email and a personal computer for work matters, and that much of the confidential information was shared with another third-party vendor.
Does the employer in Wilcox sound like your organization? Do you allow employees to access their personal email or use a work computer for personal matters? Conversely, do you allow employees to use personal computers or devices (phones or tablets) for work matters? Does your organization even meet the security standard set by Broadcom, which was ultimately determined to be insufficient? If your answers are yes, it seems that you may be unwittingly undermining your own ability to enforce your trade secrets rights in federal court.
ICKES \ HOLT is a full-service, team-driven, and client focused law firm in Northeast Ohio concentrating on information security and governance. Information is the DNA of modern organizations and ICKES \ HOLT is dedicated to advising clients on how to protect its information. Please contact us to discuss establishing or improving the information governance policies for your organization.