TRADE SECRETS

Protecting trade secrets: common pitfalls

Innovating companies need a robust system that prevents misuse of trade secrets and responds quickly when a breach is discovered, says Hannah Netherton of CMS.


Protection of trade secrets has never been more important. Commercial advantage and business opportunities can stand or fall on being the first mover or established player in a competitive market, but gone are the days when secret formulae were locked in office safes.

Most businesses store sensitive commercial information on cloud-based networks that have varying degrees of access by company personnel and third parties. The past year has shown that employees don’t need to be physically in the workplace to access a huge range of company information, and in fact remote working can create greater opportunities for bad actors to thrive.

Many trade secret breaches come from employees or ex-employees, through a combination of human error and malicious intent. Below are some of the most common mistakes that companies can make when it comes to protecting their trade secrets and confidential information in the UK, and some key steps that can be taken to manage these risks.

Failure to identify and categorise trade secrets

The UK law provides varying degrees of protection depending on the nature of the information in question: does it amount to a trade secret, confidential information or simply “know-how”?

Trade secrets are the most heavily protected category of information in the UK (outside of other protectable IP). Since 2018 the Trade Secrets Regulations have formalised in statute the previous common law protections available to businesses and we are starting to see this legislation being used in breach of confidentiality and post-termination restrictions disputes brought by companies against staff.

Employees are subject to an implied obligation during their employment not to misuse trade secrets or confidential information. Where trade secrets are involved, this obligation extends beyond termination of employment, even where the employment contract doesn’t deal with this.

By contrast, express ongoing contractual obligations are generally required in order to prevent ex-employees (or any other form of worker or contractor) from using confidential information after employment has ended, and it is typically not possible to restrict an individual’s use of their know-how and skills acquired over the course of their employment.

However, it can be notoriously difficult to delineate between a trade secret and confidential information, and between confidential information and know-how. Given the different levels of protection afforded to each category, businesses need to form a view on which of their intangible assets amount to trade secrets and then take steps to ensure that they are protected accordingly.

Trade secrets should be identified and kept on a register, with a list of which personnel have access to the relevant information and appropriate protections put in place over those assets.

image
“As a starting point, organisations should have clear and up-to-date contractual protections with the whole workforce.”
Hannah Netherton, CMS

Failure of systems and controls

The protections put in place over trade secrets and highly confidential information need to be coherent and robust. Additional protections are needed over an organisation’s most valuable assets, to proactively protect them from being misappropriated and also, if it comes to taking enforcement action over misuse, to demonstrate to a court that the assets do amount to trade secrets that can be protected by law.

This can be achieved through IT infrastructure and ensuring that there are, for example, appropriate levels of encryption, limited access, multi-factor authentication, file transfer conditions and other restrictions over the assets that have been identified as requiring protection.

Many businesses are increasingly using monitoring software to track access/use and warn of misuse, although these should be carefully implemented in order to manage the data privacy and employment rights issues that come with such software and artificial intelligence solutions.

IT infrastructure alone will not be sufficient. Organisations need to put in place appropriate controls through policies and procedures to manage the risk of misuse of assets. As a starting point, organisations should have clear and up-to-date contractual protections with the whole workforce, from employees to self-employed contractors and outsourced service providers.

These should run alongside internal policies and processes that provide further detail on how the workforce are expected to conduct themselves when it comes to business ethics, as well as the practicalities of, for example, dealings with third parties and what happens when individuals leave the organisation.

Finally, the importance of offboarding processes when staff leave cannot be overstated. As a starting point, employees who have access to valuable information may need to be put on garden leave during their notice period to prevent their ongoing access and potential misuse.

Organisations should consider the circumstances in which they will monitor departing employees’ accounts and devices during their notice periods, including for webmail usage or other data egress, which may need further investigation.

This may be a routine or random process, or triggered only where there are specific concerns but, in any scenario, businesses need to think about the data privacy implications of this kind of monitoring.

Employers should ensure not only that staff have returned all of their company devices and other hardware (without their first being wiped), but also that their access to any cloud-based platforms has been terminated and any other specific account details and associated passwords have been provided to the company.

Businesses should instruct employees to delete any company information that may be stored on personal accounts or devices. Many organisations require that staff sign a confirmation that they have complied with these offboarding requirements, which is sensible but of course needs to be put into practice.

“The systems and processes should also be monitored to ensure they remain effective.”

Poor organisational culture

It is not enough simply to have policies and procedures in place to ensure sufficient protection of trade secrets. Staff and managers need to be trained effectively on the processes to be followed and understand the expectations and accountabilities across the business.

Organisations that have enabled a culture (or perhaps a subculture in certain business lines) that condones personal risk-taking and personal gain are more likely not only to misuse corporate assets in the first place, but to have management more likely to fail to deal with the fallout effectively.

Appropriate “tone from the top” on these types of issues is of course important but it can often be the middle layer of management that has the most impact and influence on day-to-day conduct and culture. It is notable that some IP-heavy businesses incentivise staff to ensure rigorous protection of assets through staff commendation programmes and similar initiatives.

How can businesses avoid these risks?

As well as the above practical considerations, organisations should consider these strategies to protect their trade secrets:

  • Accountability: It is essential that organisations have clear internal responsibilities and accountabilities for these issues, whether it is legal, IT/operations, HR, internal audit or some other function or business line. Those with responsibility need to be empowered to manage the internal systems and controls effectively.
  • Regular reviews: Once some of the above steps have been implemented (eg, a trade secrets register) they must not be left to gather dust. The assets requiring protection will inevitably change over time—some may become less sensitive and new trade secrets and confidential information will be created. The systems and processes should also be monitored to ensure they remain effective.
  • Emergency planning: Organisations can find themselves blind-sided when misuse of trade secrets or confidential information is discovered. Any legal action to enforce trade secrets protections needs to take place without delay. However, it can take some time during the initial crisis to work out what needs to be done and by whom, which can lose valuable hours and days. An emergency plan with key contacts and steps to follow, such as cutting any ongoing access to systems or securing evidence, can be invaluable in helping those first 24 to 36 hours run smoothly.

Businesses that bear in mind the above suggestions will be much better placed to proactively avoid misuse of their trade secrets and confidential information, and to move quickly and effectively to protect the business if a breach is discovered.

For more on this topic, watch “Trade Secrets: The Alternative IP” on WIPR Patents Live.

Hannah Netherton is a partner CMS. She can be contacted at: hannah.netherton@cms-cmno.com


Image: Envato Elements / vkasporsky

Issue 2, 2021


Stay up-to-date with the latest news