by Russell Beck & Matt Karlyn

IT Security: A Practical Approach to Protecting Trade Secrets

Nov 11, 2009

Trade secret protection depends upon close cooperation between IT security and your company's lawyers.

Trade secrets are increasingly becoming a company’s most valuable assets, and not surprisingly, threats to those assets have increased concomitantly. The greatest threat to company data is, of course, not outsiders but a company’s own employees. A company’s ability to protect against rogue employees (as well as against unintentional harm) is governed by both federal and state laws, which vary by jurisdiction and, worse, are in a state of flux in many of those jurisdictions.

As with most security challenges, it isn’t possible to eliminate the threat. But working together, your IT department and company counsel can and should maximize the establishment and implementation of trade secret protections. Here’s how:

Define the Problem

Your company must understand the scope of the problem in order to mitigate its effects. A “trade secret audit,” which includes steps similar to those in any security audit, is a critical tool your company can use to ascertain what confidential information it currently has. Confidential information is defined more broadly than true trade secrets.

Though they come in all shapes and sizes, most trade secret audits include the following elements: (i) determination of which information ought to be protected; (ii) review of the procedures already in place to protect that information; and (iii) analysis of the sufficiency of those protections, including identification of gaps in the existing protections, both generally and as applied to the specific information to which the gaps pertain.

The sufficiency of the existing protections turns largely on the value of the information along with the practical need for and cost of properly protecting it. For example, while Coca-Cola quite properly takes extraordinary measures to protect the secret formula to Coke, no one would expect Coca-Cola to take similar measures to protect trade secrets with only marginal value.

Establish a realistic protection program

After your company has completed assessing the scope of the problem, you can develop a comprehensive protection program. Such a program commonly involves a combination of policies, procedures, and contracts, as well as the IT infrastructure necessary to support each. While these programs share many general characteristics, each is unique to the particular requirements of your company, including the nature of your company’s confidential information, the number and circumstances of your company’s current and planned personnel, your company’s corporate culture, available financial resources, and overall IT infrastructure. In its most basic form, a proper protection program involves:

(1) computer safeguards, including appropriate levels of access

(2) security measures for all electronic technologies (such as USB drives, flash cards, smart phones, FTP sites and social media sites)

(3) restrictions and protocols regarding access to and use of facilities that store confidential information

(4) technology use policies

(5) confidential information use and preservation policies

(6) protocols for handling departing employees, including computer and network access, cell phones, facility access, and the like

(7) post-departure reviews of possible security breaches, and

(8) restrictive covenants, such as noncompetition agreements and nondisclosure agreements.

While these policies generally focus on limitations for employees, the program must also include appropriate restrictions tailored to independent contractors, joint venturers, possible merger candidates, and other outside parties.

No matter what your company’s policy ultimately looks like, practical and legal considerations are critical. If, for example, your company’s program calls for procedures that cannot be implemented — either because the technology does not exist or cannot be developed at a reasonable cost — the procedures should not be used. Likewise, if state or federal laws will not recognize the program as appropriate, there is no point in having it, other than the hope that employees and others will nevertheless abide by it. These are critical considerations that obviously must be addressed from the outset. It is imperative that your company involves not only your IT organization in the development of these programs, but also other key stakeholders in the business, including human resources, finance, and legal. Given the legal requirements with respect to development and implementation of these programs, competent legal counsel should be retained to advise the company.

Follow your rules

Assessing the scope of your company’s problem and establishing an appropriate protection program are foundational steps your company can take to protect trade secrets and other information. However, programs and policies are worthless if your company fails to properly implement them. For example, if you have a program that includes carefully-developed steps for locking down a former employee’s access to technologies and properties, but you fail to follow those steps, your company has wasted its time and money on developing the program. Worse, you’ve risked company assets even after having your eyes opened to the dangers.

Don’t blame your budget if you neglect to apply your policies. You have no legitimate financial excuse for failing to implement the program because you should have factored in the implementation costs from the start. This is an important consideration, as courts will take it into account in determining whether a company is entitled to have its trade secrets protected.

In today’s world, IT professionals and lawyers are, together, in a unique position to protect their companies from the threats posed to trade secrets and other confidential information. Working together, you and your legal counsel should lead the cause to maximize the establishment and implementation of those protections in order to ensure your company abides by applicable law and safeguards its most valuable information.

Russell Beck is a litigation partner in the Boston office of Foley & Lardner and heads the firm’s interdisciplinary trade secret/noncompete practice. He wrote the book Negotiating, Drafting, & Enforcing Noncompetition Agreements & Related Restrictive Covenants (MCLE 2009) and is also a certified mediator.

Matthew Karlyn is a senior counsel in the Boston office of Foley & Lardner. He is a member of the firm’s Information Technology & Outsourcing practice group and is a nationally-recognized speaker and writer about these topics.