8 minute read
How In-House Counsel Can Protect Trade Secrets
Intellectual Property
How In-House Counsel Can Protect Trade Secrets
By Steven P. Ragland
It’s a scenario that strikes fear in the hearts of general counsel everywhere. A new hire brings gigabytes of data over from a prior company and infects your systems. It could be as blatant as plugging a thumb drive into a workissued laptop and copying formulas, semiconductor recipes or product roadmaps onto the laptop — or, even worse, onto a shared network drive. Similarly terrifying is a call from an anonymous tipster revealing that your former employee has been using your trade secret information at your chief competitor for years — finally explaining how that arch-rival leapfrogged past you in the market and took a huge bite out of your sales. Now you need to find actionable evidence, select outside counsel and pray that the expense of pursuing major litigation is worth it.
In nearly two decades of litigating cases in Silicon Valley, I have seen these nightmares become reality time and again. As bring-your-own device policies proliferated, and digital storage became cheaper and more prevalent, it has only gotten easier to pilfer trade secrets … or to simply forget where data was socked away during a vacation or work-fromhome stint. Each case is different, but the individuals who improperly use, copy or retain trade secret information tend to fall into four broad categories.
The Conspirator: A newly-hired executive downloads key information from a prior employer on her way out the door and aims to build a team at your company to compete head-on with the former employer. She is sophisticated, attempts to cover her tracks and will likely infect your company by incorporating stolen information in whatever she does. She often solicits former coworkers. This is the willful misappropriator, who can present the most danger to your company.
The Gunner: Retains important material from prior employer and intends to use it to get ahead at your company. Does not think he’s doing anything “really illegal,” even if he knows it could be wrong, because he helped develop the information he pilfered. Keeps misappropriated data on home computer or personal storage devices to refer to privately as needed. Still very dangerous because your company may be responsible for everything he does in the course of his work.
The Pack-Rat: Retains everything related to anything she ever worked on at a prior employer, or downloads it all right before leaving. May or may not ever look at, refer to or otherwise use the material, but feels better having it socked away just in case. The digital equivalent of a hoarder. Presents a significant risk because it will be very hard — maybe impossible — to prove she never used the retained information for your benefit if the improper downloads or retention are discovered.
The Oopsy-daisy: No intent here, just a bit of absent-mindedness. This is the guy who forgot that he had loaded project documents onto a personal cloud account or portable drive. Still a potential problem for your company, unless you can prove he never accessed the stuff in any way since leaving his old job.
In any of these scenarios, the infection might be caught quickly, the unwelcome data isolated, and the issue solved with minimal disruption and expense. Or the problem could metastasize and create enormous exposure for the receiving company and a major competitive threat for the victim of the theft. Either way, even a single employee’s indiscretion can become a multi-year headache, require huge legal spend and put your company at risk.
In-house counsel can do a lot to protect against these problems. First, understanding what constitutes legally protectable trade secret information is key. Second, best practices for on-boarding and off-boarding employees will do much to avoid sleepless nights worrying about what-ifs and, even worse, “whatthe-heck-just-happeneds.”
INFORMATION, NOT THINGS
A trade secret is any information or know-how not generally known in the industry that is kept confidential with reasonable protective measures and derives value because of its secrecy.
One key point in understanding trade secrets is that the law protects information and not necessarily particular things. This means that any given document might contain lots of protectable information, along with plenty of material that is not protected at all. Additionally, trade secrets can include “negative information” — knowing the dead ends a competitor pursued. For example, if your company is creating a robotic vacuum cleaner and one of your engineers has access to all of Roomba’s design and testing information, your timeline could be shortened and your R&D expense lessened by knowing all the things Roomba tried that didn’t work.
Both state and federal statutes protect against trade secret theft. Although they differ, they generally prohibit any unauthorized use, copying or disclosure of trade secret information — all of which falls under the general rubric of “misappropriation.” The secret ingredient does not actually have to make its way into your product for your company to be liable for misappropriation. Absence of use, however, may mean there are no actual damages from the misappropriation, and makes it far easier to remedy and avoid litigation. So catching things early is key.
ON AND OFF-BOARDING
Creating a standard system that is consistent across all departments for on-boarding employees is crucial. Proprietary rights agreements (PRAs) that define trade secret information and certify compliance are commonplace for good reason. First, the law of trade secret protection, employee mobility, and data protection is constantly evolving, and your PRAs need to change with the times to remain fully enforceable. Second, since your business and IT systems are evolving, your forms should reflect that. continued on page 16 And, third, PRAs should be paired with well-crafted employment agreements, offer letters, or other paperwork clarifying responsibilities and expectations.
Additionally, your IT system needs to be protected. What that looks like will depend on the size and complexity of your business, but generally it is good to limit access to trade secret information to only those employees who have need to use it; include an alert system for suspicious activity, e.g., mass downloading; ensure that trails are left so you can trace back as needed when things go wrong; and facilitate remote work within your IT ecosystem to reduce the use of personal storage devices, unsecured cloud accounts and emails attaching sensitive documents.
Training is essential. It should be mandatory and frequent enough to reach everyone. In addition to the specialized training, e.g., how to use the virtual private network, generalized training on trade secret protection is worth the time. Not only will it help create the right culture, but it’s a great thing for litigators like me to point to if we someday have to represent your company in court. And here’s a secret: Outside counsel are usually happy to come in and give these trainings for free. Your legal department may even get continuing legal education (CLE) credit.
Finally, there is no substitute for having a one-on-one conversation with every new hire that explains your company’s information protection policies and procedures. With a one-on-one, not only can you watch the employee read and sign the PRA and similar paperwork, but you can also ask the key questions: Do you still have anything from your old company? Do you understand that you may be terminated if you use anyone else’s information? Do you have any ongoing obligations to your prior employer, e.g., non-solicit or non-competition covenants? Do you appreciate that anything you work on here belongs to us? Are you familiar with our internal reporting or whistleblower system?
Due diligence is worth the effort. I recall one instance where my client had an otherwise great case against a competitor stealing key information, but they had not taken the steps needed to protect their information. Therefore, they had no remedy. There was no PRA and no caution against blabbing about innovations over beers with friends.
Off-boarding should be just as robust as the on-boarding process, but with an extra focus on collecting devices and any media or virtual locations where your proprietary information may reside. The PRA obligations should be reinforced, the individual ideally should sign a further acknowledgment and agreement to respect his or her soon-to-be former employer’s intellectual property rights, and access to systems should be immediately terminated.
Here, the interview is just as important as it is for new hires. What is every device he or she has ever used for work? Did she or he ever email documents to his personal email account? Does she or he have a home computer or tablet that might have some old work material on it? Are there any thumb drives, SD cards, or external hard drives?
If there are red flags, or even just odd vibes, follow up and close the loop. I am surprised at how many times a client reports that something concerning came up in the exit interview but was never followed up on — and now we have to seek a temporary restraining order or move for a preliminary injunction to protect crucial intellectual property.
Finally, keep a record of these offboarding procedures and protect the digital trail. It is tempting to have IT simply wipe a former employee’s laptop, reconfigure it and give it to a new hire. But especially for departing employees with access to key information — or who you know, or suspect will be taking a job at a competitor — preservation is worth the expense and hassle.
Problems often are not discovered until years later when a whistleblower sounds the alarm that someone is using your information at a competitor, or when you discover that your secret sauce has been incorporated into the competitor’s product. If you need the computer hardware for other folks, you can create a forensic image for minimal expense. But make sure it’s done right. If you need assistance to ensure the image is forensically sound, work with a trusted vendor, or consult with experienced outside counsel.
There is no one-size-fits-all solution, but through a careful and deliberate process, you can do a lot to protect your own crown jewels — and to protect against being a trade secret defendant yourself.
Steven Ragland is a partner at Keker, Van Nest & Peters. He focuses on civil and criminal matters in trade secret misappropriation, legal malpractice, cryptocurrency matters and criminal intellectual property issues in the technology, health care and venture capital sectors. sragland@keker.com