As we discussed in our May 1 blog on trade secret basics, in order to enforce trade secret rights, a trade secret owner must be able to demonstrate that reasonable measures were taken to protect its trade secrets.
What constitutes a “reasonable measure”?
Because trade secrets are often among a company’s most valuable assets, owners may feel a need to take every possible measure to protect them. After all, safeguards do much more than keep the sensitive information from leaking out: they also establish a trade secret’s existence and value.
But practically speaking, taking too many precautions can pose problems, particularly when the owner tries to police them. Implementing measures can be costly, and poorly crafted (or overly broad) protections may impede the flow of business. So how can an owner find the right balance?
How do the UTSA and DTSA define “reasonable measures”?
The Uniform Trade Secrets Act (UTSA) requires a trade secret owner to take protective measures that are “reasonable under the circumstances.” Similarly, the Defend Trade Secrets Act (DTSA) requires an owner to take “reasonable measures to keep [trade secret] information secret . . . .” But neither the UTSA nor the DTSA expressly defines the term “reasonable.”
When addressing issues pertaining to “reasonableness,” courts typically have opted for a nuanced case-by-case approach, making clear that what is “reasonable” depends heavily on the facts. No single answer exists.
Given this backdrop, trade secret owners should take care to position themselves for potential litigation by preparing a tailored set of protective measures that meet business needs and have the potential to survive court scrutiny.
With ample preparation, trade secret owners can use the courts’ case-by-case analytical approach to their advantage—by building their very own “track record” of protections that can be quickly repurposed into evidence for the court.
What are some illustrative cases?
Over time, courts have taken a “goldilocks” approach to the “reasonableness” inquiry, going from finding that certain measures are “not enough,” to deeming that the expectation of protective measures cannot be “too excessive,” to finally determining what might be “just right.”
Not Enough. First, something must be done to protect trade secrets. Courts have repeatedly emphasized that trade secrets do not exist on their own. In other words, a mere allegation that a trade secret exists—without more—will likely lead a court to conclude that no trade secret exists.
For example, in M.C. Dean, Inc. v. City of Miami Beach, Fla., the court pointed to “clear authority” to hold that, because the plaintiff “[did] not allege it took any steps to maintain the secrecy,” no trade secret existed. Not a single confidentiality agreement was alleged to have been implemented, let alone “any other means” of protection, such as labeling trade secrets. The court went as far as to suggest that a promise to redact potentially sensitive information may not be enough. The case was dismissed just days later.
Similarly, in McKee v. James, the court found that no trade secret existed because the owner did not put forth any reasonable measures taken to maintain secrecy. Although password protection had been used to protected financial information that was relatedto the alleged trade secret, the plaintiff failed to allege that it took steps to protect the alleged trade secret itself. Thus, the court dismissed the claim for misappropriation of trade secrets.
Moreover, where protective measures were in place but the owner failed to follow them, courts have concluded that reasonable precautions were not taken. In Call One, Inc. v. Anzine, the trade secret owner failed to mark its alleged trade secrets “CONFIDENTIAL” despite company policy that required such marking. The court granted the defendant’s motion for summary judgment as to the trade secret owner’s DTSA claim. Also, in GTAT Corp. v. Fero, the owner had safeguards in place but failed to consistently enforce them. Among other reasons, this failure to take reasonable protective measures resulted in the denial of a request for a preliminary injunction.
Thus, to be “reasonable,” protective measures must be established and followed.
Not Absolute. On the other hand, courts have stressed that “total silence” or “absolute secrecy” is not required either. See, e.g., Surgidev Corp. v. Eye Tech., Inc., 828 F.2d 452 (8th Cir. 1987) (explaining that “[o]nly reasonable efforts, not all conceivable efforts, are required to protect the confidentiality of putative trade secrets”); see alsoTaiDoc Tech. Vorp. v. OK Biotech Co., No. 12 CVS 20909, 2016 NCBC LEXIS 26 (N.C. Super. Ct. Mar. 28, 2016) (pointing out that “absolute secrecy at all times and in all circumstances” is not required). Courts will weigh the added cost of taking a particular safeguard against its protective benefit. If the cost is overly burdensome, a court may be more likely to see past it.
Reasonable precautions against predatory eyes may [be] require[d], but an impenetrable fortress is an unreasonable requirement, and we are not disposed to burden industrial inventors with such a duty in order to protect the fruits of their efforts.”
There, defendant photographers had been hired to fly over new construction at DuPont’s chemical plant and photograph trade secret information. The court concluded that requiring DuPont to build a roof over unfinished construction to protect its trade secrets would require “enormous expense to prevent nothing more than a school boy’s trick.” Thus, precautions need not protect against improper means of acquisition, here, espionage.
Just Right. Protective measures should therefore fall somewhere in between to be deemed “reasonable.” The protections need not be extraordinary, but they should not be too casual, either. As the court stated in Starsurgical Inc. v. Aperta, LLC, precautions for safeguarding should go beyond “normal business practices,” and “an employer must use additional measures to protect the confidentiality of information he considers to be a trade secret.” The court pointed to measures such as: “whether the company negotiated confidentiality agreements, kept documents locked up, limited access to information, restricted building access, denoted documents as ‘confidential,’ informed individuals that information was confidential, and allowed individuals to keep information after the business relationship had ended.”
What can a business do to protect their trade secrets?
Given the legal framework, the range of protection measures is broad and the options are virtually limitless. As a rule of thumb, the more valuable the proprietary information, the more protective measures that should be taken, with trade secrets at the top of the list. Here are some best practices:
Designate a Trade Secret Czar. Make someone responsible for policing your program, who can interface with other staff to make sure your plan is followed and follow through when it is not.
Require NDAs. From the get-go, require every trade secret recipient to sign a non-disclosure agreement. Revise them from time to time to ensure that they are up to date and accurate.
Mark/Label Trade Secrets. Clearly mark documents that contain trade secrets, confidential information, or other proprietary information. Ensure that any labels intended to distinguish between these categories are consistent. That way, it will be clear to everyone what is considered a trade secret and what is not.
Limit Access to Trade Secrets. Control distribution on a need-to-know basis. Limit internal network access through password protection and encryption. Keep tangibles locked securely in a controlled-access facility. Avoid sharing trade secrets via email—use more secure file transfer tools like file-sharing programs with encryption capabilities. Indicate whether transmissions contain sensitive information. Install security systems on company premises. For example, consider using cameras, requiring badge access for visitors, having an alarm system in place. For all these recommendations, look to industry custom for guidance.
Put Your Plan in Writing. Work with management and the heads of each internal division to brainstorm and develop a synchronized set of protective measures. Your plan should specifically address how employees should handle sensitive information. For example:
Require new employees to disclose whether they were exposed to trade secrets at a prior job
Include trade secret policies in the Employee Handbook
Include confidentiality provisions in employment agreements
Restrict and monitor employee access to trade secret databases (g., through limited badge access)
Require departing employees to return trade secret information and have them acknowledge, in writing, company policy for handling sensitive information going forward
Follow the Program. What good is a program if it is not followed? Routinely conduct audits to ensure consistent application of, and compliance with, the established protection protocol. Periodically evaluate and update the protocols as needed. If, over time, certain protective measures are no longer necessary, feasible, or relevant, consider dropping them. And document changes meticulously.
Take Prompt Legal Action. Failing to take legal action has been seen as a failure to take reasonable efforts to protect secrecy. This is worth considering particularly because the opposite is not true: one cannot take legal action to satisfy the “reasonable measures” requirement.
 We note that the UTSA indirectly addresses this issue by stating that “reasonable efforts to maintain secrecy have been held to include advising employees of the existence of a trade secret, limiting access to a trade secret on ‘need to know basis’, and controlling plant access. On the other hand, public disclosure of information through display, trade journal publications, advertising, or other carelessness can preclude protection.” Uniform Trade Secrets Act § 1 (1985).
M.C. Dean, Inc. v. City of Miami Beach, Fla., 199 F. Supp. 3d 1349, 1356 (S.D. Fla. 2016).
The opinions expressed are those of the authors on the date noted above and do not necessarily reflect the views of Fish & Richardson P.C., any other of its lawyers, its clients, or any of its or their respective affiliates. This post is for general information purposes only and is not intended to be and should not be taken as legal advice. No attorney-client relationship is formed.
Esha Bandyopadhyay, a principal in the Silicon Valley office of Fish & Richardson P.C., has been practicing intellectual property and technology-related commercial litigation and counseling in the Bay Area for close to two decades. She has successfully tried and...