Protecting trade secrets: what measures should you take?

That sounds like good news for companies that want to protect information but cannot use, say, a patent.

But it is not obvious in all cases that information is protected as a trade secret. If the owner does not adequately secure the information, it is not a protected trade secret. That means it's up to companies whether they can invoke the new law. Attorney Douwe Linders explains.

When is a protected trade secret?
Under the Trade Secrets Protection Act, any type of information can be a trade secret. It can be technical methods, inventions, production processes, recipes or algorithms. Commercial information can also be a trade secret such as business plans, customer lists, customer data, supplier data, marketing plans and discount and bonus schemes.

In practice, protection as a trade secret will be used primarily for the commercial information mentioned or as an alternative to a patent. One can also think of concepts, designs or first sketches of products or services that are not (yet) eligible for copyright protection.

In all cases, however, information must meet the following legal requirements to be protected as a trade secret:

• The information must be secret;

• The information must possess commercial value precisely because it is secret; and

• The rights holder must have taken reasonable measures to keep the information secret.

Secret information
There is a "secret" when the information is not generally known or easily accessible to persons normally concerned with this type of information. Thus, it is not tested against the general public, but against experts. If the information is easily accessible to the relevant group of experts, then it is not a secret.

Experience and skills acquired by employees in the normal course of performing their jobs are outside the definition of trade secret.

Information with commercial value
Information that has "commercial value" is readily available. This is the case when the unlawful use or disclosure of the information may be harmful to the rights holder. That harmfulness may include harm to business or financial interests, strategic positions or the competitiveness of the rights holder.

Reasonable Measures to Keep Information Secret
The requirement that the holder take "reasonable measures" will be the most important for practice.

The requirement is part of the definition of a trade secret. Thus, the holder must take reasonable steps to make information qualify as a trade secret at all.

If a third party obtains the information from an employee who thereby violates a secrecy clause in his employment contract, it is thereby in itself established that the third party obtained the information without authority. However, if he can prove that the rights holder did not otherwise take reasonable measures, there is no trade secret at all and thus no breach. For example, the acquirer can argue that the information was also accessible via a poorly secured server or that trade secrets were regularly sent via unsecured e-mail.

Thus, to protect your trade secrets under the new law, it is necessary for you to take "reasonable measures" to keep the information secret.

But what are reasonable measures?
The legislature deliberately chose the open concept of "reasonable measures" rather than a list of measures that must be taken. However, some obvious examples are listed in the explanatory notes to the law:

• Including confidentiality clauses in commercial contracts and employment agreements;

• Adopting a need-to-know policy: only necessary employees have access to the secret;

• Guarding the premises;

• Explicitly naming and recording trade secrets, such as through an i-depot; and

• Encryption of digital information.

What to do
With this list, however, you are not there. To best protect valuable business information as a trade secret, work must be done.

1. Identify the risks
In any case, the bare minimum will have to be done, such as having confidentiality agreements signed by anyone to whom the trade secret is given. Determining what should be done on top of that will require an analysis addressing several questions:

• How valuable is the trade secret to the holder and to potential infringers?

• What is the potential damage in the event of a breach?

• How objectionable is it to take measures and how costly are those measures?

• In what geographic or economic market is the trade secret of value, and does it pose specific risks?

• Are there any indications that trade secret violations might occur?

• How many people must necessarily have the trade secret?

2. Information security policy and trade secrets register
In an information security policy you can record why certain measures have been taken and others not, based on the risk analysis above. This gives the court guidance in assessing whether there are "reasonable" measures.

Policies may include various measures such as:

• Marking sensitive documents as confidential;

• The separation of confidential information into separate parts so that no single person has complete control; and

• Holding exit interviews with employees where the return of confidential information is discussed.

It is also important to keep a record of what trade secrets exist and what measures apply to those various trade secrets.

3. Staff and Third Parties
Entering into confidentiality agreements is important. In addition, you should inform employees and third parties about what information qualifies as trade secrets and what their role is in protecting it.

• Enter into non-disclosure agreements;

• Include non-compete clauses in employment contracts of personnel with access to trade secrets;

• Include non-solicitation and relationship clauses in employment contracts of personnel in management positions;

• Inform staff of security policies; and

• To reinforce security awareness, have staff sign confidentiality agreements every year instead of just once.

4. Physical Security and Network Security
Obviously, the holder must properly secure buildings and grounds. The same, of course, applies to IT systems.

Such security requirements also flow from other legislation, such as the General Data Protection Regulation if personal data is processed. However, the requirements from those regulations may be entirely different than for protection as a trade secret. Companies making high-tech inventions will (generally) not process much sensitive personal data. Still, security is crucial.

The design of many IT systems does not specifically address the protection of trade secrets or intellectual property rights. Thus, an evaluation of these is often sorely needed. Measures such as:

• Access control with respect to certain network elements;

• Network shielding and partitioning;

• Firewalls;

• Virus protection;

• Patching;

• Monitoring and logging of network activity;

• Monitoring and management of Internet sites visited by employees; and

• Limiting the use of external devices such as USB drives and laptops.

5. Appoint an information security team
Different types of trade secrets are often located in different parts of an organization. Appointing a multidisciplinary team led by an individual with sufficient authority helps ensure adequate security and an effective response in the event of a breach.

6. Monitor and take enforcement action
When assessing whether a trade secret is protected, a judge will place importance on a systematic approach to security rather than ad hoc protection. Establishing, monitoring and improving procedures is important for robust trade secret protection. It may also help if the holder can show that it has previously taken action against trade secret violations.

This article can also be found in the Information Security dossier

More articles by SOLV Lawyers