The trade secret laws of most countries – including the recent U.S. federal Defend Trade Secrets Act – contain the same requirement: in order to enforce its rights, a trade secret owner has to show that it has made “reasonable efforts” to protect its information from loss. In other words, before judges get involved in your dispute, they want to know what you’ve done to help yourself.
But what’s “reasonable”? The laws don’t tell us. Like the “reasonable person” standard in negligence, courts are supposed to decide each case in the context of its unique facts. That said, looking back at several decades of decisions, we can get a good sense of the principles at work, and also how they may be shifting as the business environment becomes more digital and more global.
The good news is that the standard is flexible, taking into account the value of the information, the risk of loss or contamination, and the cost (in money and effort) of measures to reduce those risks. For most businesses, this means simply taking a close look at what drives your competitive advantage, and then applying ordinary risk management analysis to define the broad outlines of a protection plan. In practical terms, this can lead to a variety of specific actions, including the basic ones you find on a lot of checklists with items like confidentiality agreements, IT system access controls, staff rules and training, and facilities security.
So if you’re following one of those checklists, you should be fine, right? Not necessarily. Although judges historically have been forgiving of less-than-robust security measures, they now seem to be paying much closer attention to this issue, and have even thrown out claims without trial where the trade secret owner has been sloppy in its practices.
The best known of the early cases was decided in 1970. DuPont had been building a new chemical processing plant when the construction manager noticed a low-flying plane making several passes over the site. It turned out that a competitor had hired the plane to take aerial photographs of the layout of the facility, which would reveal information about the secret process that DuPont intended to use. Forced to defend its actions in court, the competitor argued that it was just taking a look at what was in plain view. The judge thought that was preposterous, calling the surveillance a “schoolboy’s trick,” explaining that DuPont didn’t have to pitch a tent over the construction site in order to protect its secrets, and that the competitor was guilty of misappropriation by “unfair means.”
So the DuPont case taught that judges will not be too demanding when it comes to the amount of self-help that they expect from trade secret owners. However, in a 1999 case a federal judge granted summary judgment to a defendant in part because the confidentiality legend on the plaintiff’s secret document was deemed not large enough. This result aligns with my personal experience, indicating that today’s courts – and federal courts in particular – are more skeptical and less forgiving than they used to be on this subject.
Context is everything, and circumstances change with time. The expectation of privacy from the skies is less settled today, with Google Earth and other satellite imagery readily available, not to mention the thousands of privately owned drones. The same point applies with even greater force when it comes to computer system security. With the proliferation and increasing sophistication of hacker networks, the risk profile for most businesses has changed dramatically in the last several years. Just ask Target, Sony, Anthem, and J.P. Morgan.
Naturally, as the risks increase, the market responds with tools and systems to prevent cyber attacks, or at least discover them early and frame an appropriate response. And government agencies, most notably the National Institute of Standards and Technology, have suggested frameworks for managing cybersecurity risks. It’s not hard to imagine that these voluntary processes may over time be interpreted by courts as best practices, and even as minimum standards of conduct.
Bottom line: what constitutes “reasonable” efforts is dynamic, and expectations may be increasing, so pay attention. Of course, there’s more to self-help than just preparing for litigation. Don’t confuse the minimum requirement to get into court with the practical goal to prevent loss and contamination of your most valuable assets. To keep your information secure and clean, you should think beyond “reasonable” efforts.