TRADE SECRETS
An Introduction to Trade Secret Law
and the Legal and Security Risks to Such Property
in the E-Commerce Environment
A.
Trade Secret Protection in the United States.
In most jurisdictions in the United States, trade secret interests are protected by statute.
In the remaining jurisdictions trade secrets are protected primarily under the common law tort of
misappropriation of trade secrets, which is an aspect of the tort of unfair competition. There also
exist numerous criminal laws addressing the misappropriation of trade secrets, the most notable
of which is the federal Economic Espionage Act of 1996, 18 U.S.C. § 1831, et seq.
Forty-two states, including Oregon and Washington, plus the District of Columbia have
adopted the Uniform Trade Secrets Act (“UTSA”). The UTSA is based on the common law tort
of misappropriation of trade secrets, though there are several differences which provide
additional protection to trade secrets. Where the UTSA has been adopted, the common law tort
is preempted. Contractual remedies, however, are unaffected by the statute and remain an
important resource for providing additional protection as will be discussed below. While some
minor differences exist among the states, the general practice in the jurisdictions adopting the
UTSA has been to apply and interpret the provisions of this law in a uniform manner in light of
the court decisions from all jurisdictions which have implemented the UTSA. The UTSA,
therefore is a representative introduction to the law applicable to trade secrets in the United
States.
1.
Trade Secret Definition.
“‘Trade secret’ means information, including a formula, pattern,
compilation, program, device, method, technique, or process, that:
“(i) derives independent economic value, actual or
potential, from not being generally known to, and not being readily
ascertainable by proper means by, other persons who can obtain
economic value from its disclosure or use, and
“(ii) is the subject of efforts that are reasonable under the
circumstances to maintain its secrecy.” UTSA § 1(4).
The definition of trade secret under the UTSA is somewhat broader than under the
common law. For example, there is no requirement that the trade secret be used continuously in
one’s business, or even that it be used at all. As long as there is potential economic value from
the fact that certain information is not generally known, the information is eligible for trade
2001 Lane Powell Spears Lubersky LLP
999999.2001/311146.1
1
John C. Stevason
Lane Powell Spears Lubersky LLP
601 SW 2nd Avenue, Suite 2100
Portland, OR 97204-3158
Phone: (503) 778-2144
stevasonj@lanepowell.com
secret protection. The information may be in either a tangible or intangible form; it may be
written, or stored on a computer disc or in electronic memory, or in any other tangible form, or it
may exist only in the memory of one or more human beings.
Central to any information being a trade secret is the not surprising concept of
“secrecy”. Less obvious, the secrecy requirement is two fold. First, the information must have
value because it is secret. Absolute secrecy is not required, but the information must not be
generally known to those who might benefit from the information. Second, there must be
reasonable efforts made to keep the information secret. The importance of this second element
cannot be over emphasized, particularly in the context of e-commerce, where what is “reasonable
under the circumstances” is a moving target.
Both secrecy elements are required. Thus, trade secret protection is lost under the
UTSA if the information is not kept secret, or if there is not a reasonable effort to keep the
information secret. There is no trade secret protection because the information is no longer a
“trade secret”.
2.
Misappropriation of Trade Secrets.
The protection provided by the UTSA against the misappropriation of trade
secrets includes damages and injunctive relief. Penalty damages and attorneys’ fees are also
available for willful and malicious misappropriation. UTSA §§ 2, 3 and 4.
Under the UTSA “Misappropriation” means:
“(i) acquisition of a trade secret of another by a person who
knows or has reason to know that the trade secret was acquired by
improper means; or
“(ii) disclosure or use of a trade secret of another without
express or implied consent by a person who
“(A) used improper means to acquire knowledge of
the trade secret; or
“(B) at the time of disclosure or use, knew or had
reason to know that his knowledge of the trade secret was:
“(I) acquired under circumstances giving
rise to a duty to maintain its secrecy or limit its use; or
“(II) acquired under circumstances giving
rise to a duty to maintain its secrecy or limit its use; or
2001 Lane Powell Spears Lubersky LLP
999999.2001/311146.1
2
John C. Stevason
Lane Powell Spears Lubersky LLP
601 SW 2nd Avenue, Suite 2100
Portland, OR 97204-3158
Phone: (503) 778-2144
stevasonj@lanepowell.com
“(III) derived from or through a person who
owed a duty to the person seeking relief to maintain its
secrecy or limit its use; or
“(C) before a material change of his [or her]
position, knew or had reason to know that it was a trade secret and
that knowledge of it had been acquired by accident or mistake.”
UTSA § 1(2).
“Improper means” is defined as:
“* * * theft, bribery, misrepresentation, breach or inducement of a
breach of duty to maintain secrecy or espionage through electronic
or other means.” UTSA § 1(1).
B.
Trade Secrets on the Internet.
E-commerce over the Internet poses significant risks to the protection of trade secrets.
The Internet is a universal and open network. Anyone, anywhere in the world can connect to the
Internet at any time. Information transmitted through the Internet is not secure and subject to
interception. An especially significant threat to trade secrets is that information can be
disseminated through the Internet nearly instantaneously to literally millions of computers
around the world. Such dissemination, even if unlawful and a misappropriation of such
information, operates to destroy the secrecy element necessary for trade secret protection. While
the owner of the information may have a claim against those who misappropriated the
information, once the information becomes public there will be no protection against anyone else
using the information. In many ways this is a unique risk presented by electronic
communications. Where dissemination is not instantaneous and universal, it might be possible to
put humpty dumpty back together again, and preserve the trade secret by recovering
misappropriated copies. As previously noted, absolute secrecy is not required. The Internet,
however, creates a significant risk that recovering misappropriated copies would not be possible,
and that trade secret protection would be lost altogether.
1.
Risks to Trade Secrets.
The source of the threat to a company is both internal to its own operation as well
as external. While companies may expend great effort and expense in protecting their systems
against outside attacks, losses are often the result of internal risk factors. Similarly, while
companies may focus on thwarting sophisticated schemes of industrial espionage and theft, they
should not overlook guarding against the loss of trade secret information more commonly caused
by inadvertence, negligence and vandalism.
(a)
Internal Threats.
2001 Lane Powell Spears Lubersky LLP
999999.2001/311146.1
3
John C. Stevason
Lane Powell Spears Lubersky LLP
601 SW 2nd Avenue, Suite 2100
Portland, OR 97204-3158
Phone: (503) 778-2144
stevasonj@lanepowell.com
(i)
Employees. A company’s own employees pose a serious potential
threat to a company’s secrets. While some employees do engage in deliberate economic
espionage to sell trade secrets to the highest bidder, the loss of trade secrets though employee
action is most likely to involve carelessness, employee lack of awareness of the importance of
the information, inadvertence (misdirected e-mails or by introducing viruses through e-mail, the
Internet or installing programs), or malicious destruction of information out of perceived
mistreatment by the company. In addition, there may exist a mindset among colleagues, even
from different companies, of sharing their accomplishments without regard as to whether
company trade secrets are involved. This is especially true in the area of computer
programming, on which a business’ e-commerce activities may be heavily dependent. Which
threat is most likely to occur depends on the nature of the particular trade secret and the
individuals who have access to such secret. A comprehensive risk analysis, therefore, must take
into account both the nature of the information, and the individuals who deal with it.
(ii)
Third Party Contractors. Most companies conducting e-commerce
rely heavily on third party contractors: computer programmers, web developers, web hosting
companies, technology consultants, etc. Often these contractors work closely with company
systems and employees so that it is not obvious who is a contractor and who is an employee.
Contractors, therefore, present many of the same risks associated with employees discussed
above. In addition, however, there exist risks unique to third party contractors with respect to the
trade secrets created by such contractors either independently or jointly with company
employees. Such risks arise by operation of law and by contract. Without proper safeguards,
both contractual and operational, the company’s ownership of such trade secrets, and its right to
use and disclose such trade secrets may be at risk. For example, the copyright in computer
software is likely to belong to the outside contractor absent a written agreement assigning
ownership to the company. Absent such a written agreement, a company may have only a
limited license to use the Software in its own business, and no trade secret rights. Therefore, a
risk assessment must include an analysis of third party contractor agreements to establish the
company’s ownership rights with respect to trade secrets arising out of such agreements and to
prevent the loss or dilution of the company’s rights in trade secrets and other intellectual
property which may be incorporated into the contractor’s work.
(iii) Inadequate Policies and Procedures. Inadequate policies protecting
trade secrets and ineffective enforcement of existing policies and procedures constitute a twofold threat to trade secrets. First, if company policies do not adequately protect trade secrets they
are more likely to be stolen, lost or inadvertently disclosed to third parties. Second, the lack of
effective policies and procedures may result in the denial of trade secret protection altogether,
since a necessary element to such protection is that the information be the “subject of efforts that
are reasonable under the circumstances to maintain its secrecy.” Just as important documents
should be kept in a locked safe accessible only by those entrusted with the combination,
information on computers and on the Internet must be protected by both physical security and
electronic means appropriate to the importance of the trade secret. Internet access particularly
must be addressed on an on-going basis. What is reasonable under the circumstances is a
moving target as both the technology of protection and the technology of attacking computer
2001 Lane Powell Spears Lubersky LLP
999999.2001/311146.1
4
John C. Stevason
Lane Powell Spears Lubersky LLP
601 SW 2nd Avenue, Suite 2100
Portland, OR 97204-3158
Phone: (503) 778-2144
stevasonj@lanepowell.com
systems evolve. This means not only having in place a policy to ensure periodic updating of the
company’s virus protection software, but also being prepared to address the risks posed by new
technologies such as, for example, the explosive growth of wireless technology.
(b)
External Threats. Trade secrets are also at risk from external forces.
There is no denying the threat of deliberate industrial espionage by highly sophisticated
multinational corporations and by foreign governments. The Economic Espionage Act of 1996
was enacted in acknowledgement of the reality of this threat. For most companies, however, the
more significant and ever present threat is electronic vandalism that either destroys the trade
secret information, or prevents its use by interfering with the only systems, the company’s
computer network or internal site, capable of taking economic advantage of such trade secrets.
Recent world-wide attacks by viruses and worms demonstrate that no one, from the US Military
to Microsoft, is immune.
2.
Protecting Against Threats to Trade Secrets.
(a)
Addressing Employee Risks. The most critical times to address the risk to
trade secrets posed by employees is at the time of hiring and firing. Company policies should
not overlook these sensitive periods. At the very least, companies should have a system for
reference checks, especially for employees who will have access to trade secrets. At the time of
hire the employees should be informed that they will have access to trade secrets, and their
obligations to maintain the secrecy of such information should be discussed explicitly.
Employees should be specifically informed of the trade secrets to which they may be exposed.
Some employees may legitimately not be aware that certain information is considered secret and
valuable by the company. Drawing attention to the information has a further benefit of
impressing on the employee the employee’s personal responsibility for the protection of this
valuable property. Employees with access to sensitive secret information should be asked to sign
confidentiality and nondisclosure agreements. Training employees in appropriate confidentiality
policies and the company’s policies and procedures for protecting trade secrets should be ongoing. Policies should set forth clearly what kind of information may be transmitted by e-mail,
over the Internet, facsimile, or by wireless transmission. Employees’ access to trade secrets
should be limited to a need-to-know basis, which should be reevaluated on an on-going basis.
As part of the standard termination procedure, employees should be required to go
through an exit interview. At the interview, arrangements should be made for the return of all
company information and materials and all copies. Employees should be asked to sign a form
certifying that everything has been returned.
The company should also consider having employees in especially sensitive
positions sign non-competition agreements prohibiting them from working for competitors.
Such agreements make it much easier for a company to protect its trade secrets since there is no
need to prove that any trade secrets are in fact being misappropriated. A former employee is
simply prohibited from even working for a competitor for a specified period of time. Noncompetition agreements are carefully scrutinized by the courts to make sure restrictions on an
2001 Lane Powell Spears Lubersky LLP
999999.2001/311146.1
5
John C. Stevason
Lane Powell Spears Lubersky LLP
601 SW 2nd Avenue, Suite 2100
Portland, OR 97204-3158
Phone: (503) 778-2144
stevasonj@lanepowell.com
individual’s ability to find employment are not unreasonably limited geographically or
temporally. The enforceability of such agreements are, therefore, highly sensitive to the
particular circumstances, and to the case law of the jurisdiction of employment. In Oregon, for
example, a non-competition agreement with an employee is enforceable only if entered into
before the employee begins work, or upon a bona-fide promotion.
(b)
Addressing Third Party Contractor Risks. The steps taken with respect to
employees apply equally to third party contractors. Third party contractors should sign broad
confidentiality agreements which address the limitations on both the disclosure and use of trade
secret information. Such agreements are especially important in dealing with web developers
and web hosting contractors who may have access to the personal information of the company’s
customers, thereby introducing risks associated with privacy as well as trade secrets. In addition
to confidentiality agreements, the company should have a clear policy enforced by password and
physical access restrictions regarding the information to which third party contractors have
access.
Contractors also should be required to sign agreements which specifically
set forth the ownership interest and the use rights with respect to any intellectual property,
including trade secrets, which may be created during the course of the contractual relationship.
As discussed above, absent written agreement, a company may discover it does not own its trade
secrets.
(c)
Addressing External Threats - Policies and Procedures Generally.
Effective policy and procedures, consistently enforced, regularly updated, and periodically
subject to outside audit, are the best defense against external threats. They are also effective in
limiting exposure from internal risks. Policies and procedures should be tailored to address the
value of the particular information, the ease with which it may be misappropriated, and the
legitimate need for access to such information. Not only is this good business practice, it
satisfies the legal requirement that “reasonable” effort be taken to protect the secrecy of
confidential information.
Policies and procedures should be designed with the primary objective of
limiting access. This may be done in a variety of ways, as the following examples illustrate:
(i)
Limiting Physical Access.
- Sensitive information may be kept on separate computers
with no physical connection, or protected connections to
other more widely distributed computer networks.
- Physical access to computer or premises may be restricted
by individuals using ID badges, sign-in procedures, locks,
escorts, security personnel, etc.
2001 Lane Powell Spears Lubersky LLP
999999.2001/311146.1
6
John C. Stevason
Lane Powell Spears Lubersky LLP
601 SW 2nd Avenue, Suite 2100
Portland, OR 97204-3158
Phone: (503) 778-2144
stevasonj@lanepowell.com
- Searches of person and property including computer files,
e-mail, and voicemail and use of video surveillance. Note,
under federal and state privacy laws, specific employee
policy language and notices are required to authorize such
searches and surveillance.
- Document control, such as numbering confidential
documents, and implementing procedures for the
destruction of confidential documents.
(ii)
Limiting Access Electronically.
- Access to all important information should be by
password. An effective password policy requires on-going
training in the selection, protection and use of passwords.
- Firewalls and other electronic security measures should be
placed between sensitive information and other networks,
including the Internet, with greater public access. A
firewall is only as good as the computer equipment and
software of which it consists and those monitoring it, all of
which must be subject to on-going evaluation and
upgrading.
- Encryption of especially sensitive information may be
used both to protect stored information and to protect the
transmission of trade secret information from one computer
or Internet site to another.
- An effective virus prevention program to intercept
destructive code is such a basic requirement that it is very
likely negligence not to have such a program in place.
With virus attacks evolving daily, however, it is probably
also negligence not to have a periodic program of updates.
The most effective policies and procedures start with identifying the
company personnel who are charged with the responsibility of developing and enforcing the
policies and procedures that will ensure that company secrets are not compromised.
Accountability is an essential element to the vigilant protection of trade secrets in an e-commerce
environment.
Finally, several factors suggest that a company should not rely solely on
its own resources, but provide for periodic outside audits of the effectiveness of its policies and
procedures. The e-commerce environment by its nature is subject to numerous internal and
2001 Lane Powell Spears Lubersky LLP
999999.2001/311146.1
7
John C. Stevason
Lane Powell Spears Lubersky LLP
601 SW 2nd Avenue, Suite 2100
Portland, OR 97204-3158
Phone: (503) 778-2144
stevasonj@lanepowell.com
external risks on very large scales. The technology is complicated, usually involving systems
from many vendors. Further, the technology is constantly evolving. Most telling perhaps is that
third party evaluations are becoming automated, thereby reducing their cost so that it may be
harder to justify not undertaking such precautions.
C.
Risks of Misappropriating the Trade Secrets of Another.
Even assuming that a company will not engage in intentional misappropriation of
another’s trade secrets, a risk of such misappropriation exists whenever a company hires an
employee who has knowledge of the trade secrets of another company. This is of particular
concern in the e-commerce area. The Internet is a common denominator for all businesses
engaged in e-commerce. Companies which normally would not consider themselves competitors
may profit greatly from one another’s trade secrets with respect to doing business on the Internet.
There is, therefore, great incentive to protect such secrets by challenging the hiring of former
employees by another e-commerce business. See e.g., trade secret dispute between Wal-Mart
and Amazon.com where Wal-Mart alleged that its trade secrets associated with its strategies and
processes for information technology management and use in a retail sales environment had been
misappropriated by Amazon.com through the hiring of some of Wal-Mart’s key information
technology personnel.
The risks of such a claim is not a insignificant risk considering the high rate of turnover
of personnel performing Internet and e-commerce related functions, and the increasingly
common requirement that such personnel sign non-competition agreements and confidentiality
agreements. Even in the absence of a non-competition agreement there is developing in the
United States a legal principal referred to as the “inevitable disclosure doctrine” which provides
trade secret protection even where there is no misappropriation or a threat of misappropriation on
the theory that the circumstances make it ‘inevitable’ that the defendant would have to disclosure
the plaintiff’s trade secrets. This doctrine has been applied to enjoin a high level former
employee from working as the chief executive officer for a competitor on the grounds that his
new employment would “inevitably lead him to rely on the plaintiff’s trade secrets.” Pepsi Co.,
Inc. v Redman, 54 F3d 1262, 1269 (7th Cir 1994).
Certain precautions should be taken in light of the risk that the employment of former
employees of company’s not obviously competitors could lead to liability for theft of trade
secrets or at least subject a company and its new employee to litigation. Reference checks must
be thorough and they should include requests for all confidentiality and non-competition
agreements. All such agreements should be reviewed carefully. Some additional protection may
be afforded by having pollicies and even agreements with new employees which specifically
prohibit employees from using the trade secrets or other intellectual property rights of others.
2001 Lane Powell Spears Lubersky LLP
999999.2001/311146.1
8
John C. Stevason
Lane Powell Spears Lubersky LLP
601 SW 2nd Avenue, Suite 2100
Portland, OR 97204-3158
Phone: (503) 778-2144
stevasonj@lanepowell.com