Cybersecurity is a hot button for all businesses these days. However, in the flurry of new privacy regulations and the focus on protection of consumer data, many businesses are not paying enough attention to how they could – and should – be using cybersecurity protocols to protect valuable trade secrets.
Trade secret protections apply broadly to business, financial and technical information, so long as: (1) the information is not generally known or ascertainable outside the owner’s organization and control; (2) the owner derives independent economic value or business advantage from the information not being known; and (3) the owner makes reasonable efforts to preserve its secrecy. The unauthorized disclosure of trade secrets can lead to loss of strategic advantage over competitors and harm to your company’s finances and reputation. Failing to adequately protect trade secrets could also result in losing a misappropriation case against a bad actor.
Trade secret rights are secured and maintained solely by “reasonable efforts” to preserve their secrecy, which must be both internal (i.e., with employees) and external (i.e. with third party vendors). While appropriate steps to protect trade secrets include offline actions like using non-disclosure agreements or physically locking confidential information away, courts are also now considering the adequacy of cybersecurity measures when they analyze reasonable efforts.
So, in the trade secret world, what is a reasonable “cyber” effort? Like cybersecurity technology, case law on this issue is continuously evolving. However, if you possess any trade secret information that is stored or communicated electronically, we recommend, at a minimum, the following:
- Ensure you have appropriate access protections in place. Trade secret information should be password protected and stored on a secure server. Review your firewalls, encryption procedures, anti-virus software and the like. Stay current with software patches and consider encryption for data at rest as well as for data in motion. Access credentials should require multi-factor authentication.
- Limit the people who have access to your electronic information (think “least rights” access). Consider limiting electronic access to those specific employees or agents who actually need the information. The more people who have access to trade secrets (and the ability to share it with just the click of a mouse), the higher your risk of breach or misappropriation.
- Train your employees and agents on appropriate use of your electronic systems. For example, remind them not share their passwords with anyone (even co-workers) and educate them on using company devices (like laptops and smartphones) correctly when they are offsite. Consider how your employees connect to your system when working remotely (i.e. require them to only use password protected Wi-Fi networks, and not public Wi-Fi). Think about limiting or prohibiting use of USB ports or other portable drives on company computers. Teach your employees how to recognize phishing attempts.
- If you allow employees to access your systems from personal devices, consider an appropriate “BYOD” (bring your own device) policy and technology to secure the work environment on those devices.
- Restrict departing employees’ access to electronically stored information. Following termination, disable access to IT systems, change passwords, and make sure company-owned devices are returned.
- Ensure that you are monitoring and improving your cybersecurity efforts periodically. Consult experts about the latest developments in technology. Conduct regular training about appropriate use of electronic systems and advise your employees of the risks of failure to follow protocol.
- Revisit confidentiality agreements with third parties and consider whether they reflect cybersecurity protocols.
Once your “crown jewels” are exposed, you cannot “recapture” them. Be smart, be secure and be prepared.