Best Practices for the Safeguarding of Company Trade Secrets
Friday, April 26, 2019
Posted by: Kaylin Berg
Daniel Saeedi, Partner, Taft Law
A recent court decision clarifies the types of best practices that are needed in order to invoke the trade secret protections of the federal Defend Trade Secrets Act (DTSA) and parallel state law. The case provides important guidance for employers as to best practices for safeguarding proprietary information, and it also serves as a warning to employers who seek legal relief but have not implemented these best practices.
In Abrasic 90 Inc. v. Weldcote Metals, Inc., defendant Joseph O’Mera was president of the plaintiff abrasives manufacturer (CGW). O’Mera set all of CGW’s prices and approved all pricing discounts. In 2018, O’Mera resigned to join a competitor, Weldcote Metals. A few other employees followed O’Mera to Weldcote, and O’Mera convinced them to bring certain customer pricing documents from CGW’s shared drive. One of these employees also deleted her tracks on CGW’s computer systems.
CGW filed suit against its former employees and Weldcote in the United States District Court for the Northern District of Illinois, and moved to enjoin the defendants from further unfairly competing with CGW. The court denied CGW’s motion for a preliminary injunction.
The Court’s Discussion on Safeguarding Best Practices
The DTSA provides a civil remedy to employers for the misappropriation of company trade secrets by employees. However, in order to invoke the protections of the DTSA, a company must first establish that it actually has trade secrets. This is a two-part test. First, the DTSA requires that the information at issue have economic value because of its relative secrecy. Second, the DTSA requires that the owner of the information take “reasonable measures to keep such information secret.” 18 U.S.C. § 1839(3).
In Abrasic, the information at issue was pricing compilation documents related to customers, which CGW kept on its company shared drive. Notably, the court held that this type of information fell within the category that could be a trade secret under the law. Nevertheless, the court denied CGW’s motion for a preliminary injunction primarily because CGW could not show that it took “fundamental and routine safeguards” to protect its information.
A Company Policy Regarding Confidentiality
The court held that CGW did not have an adequate company policy regarding the protection of confidential information. The company handbook contained a confidentiality section that was “too broad and vague to confer meaningful protection over the information at issue.” The court interpreted the nondisclosure policy (applying to any “information about CGW”) to be infringed if an employee “had a conversation with his wife about how his workday at CGW went.” Thus, the policy did not provide any actual notice to employees as to what was confidential and deserving of heightened protection.
The Use of Nondisclosure Agreements
CGW also failed to use nondisclosure agreements for its employees, customers and vendors who had access to this information. The court described this as “among the most fundamental omissions by the company.” The court noted that those employed by or doing business with CGW who had access to the information at issue “were not required to agree not to disclose it.” This was especially troublesome given that CGW did not have exclusive relationships with its suppliers or distributors, and these third parties “were not generally required to keep the information confidential or enter [into] non-disclosure agreements.”
The court also found that CGW “did nothing to train or instruct employees as to their obligation to keep certain categories of information confidential.” Employees were never specifically told which company files on the shared drive were confidential in nature and deserving of heightened care. Furthermore, CGW’s IT management point-person, who was responsible for maintaining the security of CGW’s data and information, had “no training in data security (or virtually any other area of IT management) and was ill-equipped to identify, much less champion, sound data security practices.”
Access on a Need-to-Know Basis
According to the court, “[r]estricting access to sensitive information by assigning employees passwords on a need-to-know basis is a step in the right direction to obtain trade secret protection.” CGW failed this standard. The entire contents of the company shared drive were accessible to 39 of CGW’s 108 employees, many of whom did not need access to this information. Furthermore, the IT point-person had authority to grant employees access, and always granted any request that was made of her; she “did not make any meaningful inquiry into whether the person needed access to the information.”
Document Labeling, Password Protection and Encryption
The court also disfavored the manner in which the information was stored on CGW’s shared drive. The customer pricing files were not encrypted, and there were no restrictions on employees’ ability to access, save, copy, print or email the information. Furthermore, the documents were not segregated from other files that were not trade secrets, nor were the documents labeled in any manner as “confidential” or “proprietary.” The court noted that it “takes virtually no effort and little sophistication to include a heading on an Excel spreadsheet identifying a document as ‘proprietary’ or ‘confidential,’ yet CGW failed even to do that much with respect to the information at issue.” And, as to password-protection, the court noted that CGW made the mistake of providing all employees with the same password to obtain access to the shared drive.
Failure to Heed Internal Recommendations
The court also focused on the fact that CGW’s IT point-person recommended to the company internally that it “take some basic steps to improve the security of the information at issue,” such as segregating access to documents on a need-to-know basis and adopting an “acceptable device use policy.” CGW, however, failed to implement “even these modest suggestions, further undermining its trade secret claim.”
The Company Exit Plan
Finally, the court noted that CGW did not have a reasonable exit plan regarding employees who resign or are terminated from the company. Although CGW instructed departing employees to return CGW “property,” these employees “were not asked whether they possessed any of the information at issue or instructed to return or delete such information.” The court noted that merely requiring that departing employees return company property is not enough, and that company precautions “must go beyond normal business practices for the information to qualify for trade secret protection.” This is especially true because the company was aware that O’Mera had confidential information on his personal devices.
The Abrasic decision affects all private entities that possess trade secrets in electronic form, and serves as a reminder of best practices regarding the safeguarding of these secrets. This includes guidance for company IT and human resources departments, which both play important roles regarding the use of reasonable security measures. It is imperative that companies follow the Abrasic best practices in order to maintain statutory enforcement rights under the DTSA. Taft attorneys are available to consult with businesses regarding confidential information, data storage and security, in addition to issues related to employee theft and unfair competition.
This post originally appeared on the Taft Law blog.