Posted By: Andrew Thiery
The Uniform Trade Secrets Act (USTA) of 1979 is a document drafted by the National Conference of Commissioners on Uniform State Laws in an attempt to provide a uniform regulatory framework for the protection of trade secrets under state law. The USTA defines a trade secret as information, including a formula, pattern, compilation, program, device, method, technique, or process, that derives actual or potential independent economic value for its owner from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use. Furthermore, the USTA requires the owner of a trade secret to guard it against misappropriation by taking efforts to maintain its secrecy that are reasonable under the circumstances. The USTA definition of misappropriation includes the disclosure or use of a trade secret of another without express or implied consent by a person who used improper means to acquire knowledge of the trade secret or who knew or had reason to know that the trade secret was acquired by improper means. As a complete catalogue of proper and improper means is neither feasible nor practical, the USTA instead attempted to broadly categorize proper and improper means in their comments on the Act. According to the USTA, proper means includes the observation of the secret in public use or on public display, while improper means includes observation of the secret by means of otherwise lawful conduct which is improper under the circumstances.
Thus, the boundary between the lawful appropriation and misappropriation of a trade secret hinges on the distinction between what conduct is considered proper and improper with respect to observing a trade secret. Over the years, many courts have endeavored to brighten the line between proper and improper conduct, but the availability of information on the internet has once again muddied the waters. Specifically, increased capabilities in hacking have greatly expended the possibilities for state-sponsored and corporate reconnaissance and surveillance, and have posed new challenges for courts attempting to distinguish between proper and improper observation of a trade secret.
The propriety of the observation of a trade secret, and reasonable precautions against such observation, has been addressed by the United States Court of Appeals for the Fifth Circuit in E.I. du Pont deNemours & Co. v. Christopher.
In du Pont, two photographers were hired by an unknown third party to take aerial photographs of new construction at a manufacturing plant of E. I. duPont deNemours & Company, Inc. The plant in question was otherwise secured and hidden from public observation. Sixteen aerial photographs of the DuPont facility were taken, developed, and delivered to the third party. DuPont employees apparently noticed the airplane and immediately began an investigation to determine why the craft was circling over the plant. The investigation soon discovered the purpose of the expedition, and DuPont filed suit against the photographers, alleging that they had wrongfully obtained photographs revealing DuPont’s trade secrets which they then sold to the undisclosed third party. DuPont contended that it had developed a highly secret but unpatented process for producing methanol, a process which gave DuPont a competitive advantage over other producers. This process, DuPont alleged, was a trade secret developed after much expensive and time-consuming research, and a secret which the company had taken special precautions to safeguard. The area photographed was the plant designed to produce methanol by this secret process, and because the plant was still under construction parts of the process were exposed to view from directly above the construction area. Photographs of that area, DuPont alleged, would enable a skilled person to deduce the secret process for making methanol.
The defendants responded by arguing that their observation of DuPont’s trade secret was not improper because they were operating in public airspace, violated no government aviation standard, did not breach any confidential relation, and did not engage in any fraudulent or illegal conduct. The court, however, disagreed, noting that authorities have indicated that the proper means of gaining possession of a competitor’s secret process is “through inspection and analysis” of the product in order to create a duplicate. In other words, a means of discovering a trade secret is improper if it seeks to obtains the same knowledge as that of the original owner while circumventing the usual costs of discovering that knowledge.
The general rule given by the DuPont court was that it is improper to obtain a trade secret without spending the time and money to discover it independently, unless the holder voluntarily discloses it or fails to take reasonable precautions to ensure its secrecy. However, the court also acknowledged that an environment of healthy industrial competition should allow for some amount of corporate espionage. A free market dictates that a business can and must “shop his competition” for pricing, quality, components, and methods of manufacture, all while reasonably protecting itself from similar observation. Finally, the court noted that there is no requirement for a business to protect itself against unanticipated, undetectable, or unpreventable methods of espionage.
While reasonable precautions against espionage may be required, it would be unnecessarily burdensome to a business to guard completely against any conceivable method of observation. This balance between healthy competition and burdensome precautions is the crux of the question of trade secret misappropriation. As technology advances, courts must decide which methods of procurement are reasonable to guard against, and which are not. In DuPont, the court concluded that aerial photography of an otherwise secured construction site was an improper method of discovering the trade secrets contained in the site’s layout. However, as civilian and corporate hacking capabilities becomes more advanced and more widespread, the ruling of the DuPont court may need to be revisited.
When considering reasonable precautions against hacking, the first (and most important) fact to realize is that an estimated two-thirds of corporate data breaches are perpetrated from within the company itself. In such cases, employees typically obtain access not through the implementation of fancy gadgets and technical prowess, but rather through social engineering vis a vis casual and professional relationships. In such a scenario a “hack” may be simply accessing a co-worker’s unsecured access point, convincing them to divulge their password, or even guessing their credentials from nothing more than casual knowledge.
Obviously, security methods that would traditionally be considered “reasonable” such as encryption, firewalls, and malware scanners could not prevent such an incident. Instead, companies should educate their employees on end-user cyber-security best practices. Such practices would include creating and maintaining passwords that are not easily guessed (either by human or machine), locking their workstations when not in use, recognizing attempts to obtain personal information (even if made by a co-worker), and recognize unfamiliar emails, websites, or applications as potential phishing ploys. Even more importantly, employers should be vigilant in examining the accounts and devices of employees who are leaving or preparing to leave the company. Trade secrets can be prime targets for theft by an outgoing employee, especially if the employee is leaving to work for a competitor. Additionally, non-disclosure agreements and other restrictive covenants may be effective at deterring internal attacks on company information, or serve as the basis of recovery if such an attack is made.
Although genuine hacks by an external entity are less common threats to a company’s trade secrets, they are by no means any less dangerous. Anymore, no company should be without a cyber-attack response plan, and sufficient technical and executive personnel to coordinate its proper development and implementation.
The first line of defense against any cyber-attack is implementing policies to restrict employees’ access to information. Ideally, employees would have knowledge only of information related to their job functions, and would be restricted from unauthorized access to any other information. This “firewall” of sorts would limit the number of targets for potential hackers.
Secondly, companies should invest in computer security technologies and practices on all levels, including: separating the company’s database and application servers, keeping up-to-date on security patches, distributing read-only versions of documents and materials whenever possible, requiring strict input validation, developing corporate-wide network security architecture, and performing network scans to assess activity on the network.
The next step in preventing cyber-attacks is to have a reporting system in place so that employees can notify the proper corporate authorities and/or law enforcement whenever they suspect a breach. Such a reporting system would not only enable a swift response to a cyber-attack, but would also inform diagnosis and intervention procedures.
These personnel, policies, and procedures, although extensive, are nonetheless required for any modern company. Given the rate at which information technology and hacking capabilities have advanced, “reasonable” precautions against their unauthorized use has likewise expanded. Companies that are diligent to observe these practices can better prepare themselves against the inappropriate discovery of their trade secrets, and can lay the groundwork for legal recovery in the event that their trade secrets are misappropriated.