Most of us have seen the headlines over the past couple of years about massive data breaches affecting millions of people. We have all likely received at least one letter notifying us that our confidential information may have been implicated in one of these breaches. The reason for this is that most states have breach notification laws that require a company to notify individuals if the company has reason to believe that certain types of personal identifying information have been taken by a third party. While businesses of all sizes would do well to carefully consider their approach to securing such information, an additional important consideration is the protection of the trade secrets that represent the lifeblood of many companies.
Trade secrets come in many forms such as research and development, business strategy, market research, and client lists. Many of these trade secrets comprise the foundation of companies and provide the differentiators that give them an edge over their competitors. Yet many of the trade secrets do not implicate the types of personal identifying information that trigger notice requirements. For example, North Carolina requires businesses to notify people of a breach involving their personal identifying information, which includes data such as a social security number, driver’s license number, and financial account information. North Carolina’s law is consistent with the approach taken by most states and federal agencies in that its notice provisions relate primarily to concerns of individual financial harm.
The lack of notice requirements for breaches involving other types of information, such as many types of corporate trade secrets, shields such breaches from the public eye. Unfortunately, it does not diminish the prevalence and detrimental effects of such breaches. Several years ago, then-Attorney General Eric Holder made the statement that there are two types of companies, “[t]hose that know they’ve been compromised and those that don’t know it yet.” I have personally heard this statement quoted or paraphrased many times, but in almost every circumstance it was in the context of breaches of personal identifying information. However, the statement was specifically made in reference to the two types of companies “affected by trade secret theft.” The use of the “two types of companies” quote is reflective of information security in the past several years, which has been disproportionately focused on personal identifying information.
Hopefully, industry focus is shifting towards giving the security of trade secrets proper consideration. Earlier this year, Congress passed the Defend Trade Secrets Act of 2016 (DTSA). The DTSA does not preempt state trade secret laws, but strengthens trade secret protection by providing companies a federal right of action if their trade secret is related to products or services used in interstate commerce. In any case, whether or not a company avails itself of the DTSA, it should be giving special consideration to securing trade secrets. Fortunately, much of trade secret protection aligns with the security of non-trade secret data such as the personal identifying information of employees or customers. But there are some trade-secret-specific considerations that should be taken into account.
For many types of trade secrets, insiders represent the biggest threats. They may be the only ones who fully understand the value of trade secrets to the company and to a competitor. There are several measures, such as access controls, logging, and comprehensive employee exit procedures, that can help reduce risks of trade secret theft or provide the necessary evidence should legal action be necessary. Another trade secret concern is cataloging and the ability to explicitly identify trade secrets. If a company suffers a breach of personal identifying information, it may suffice to make a reasonable good faith effort to notify those whose information may have been acquired even if the company cannot precisely assess the scope of the breach. Such a showing is less likely to win the day on establishing misappropriation of trade secrets. Trade secrets need to be described with particularity for reasons such as establishing that reasonable measures were taken to protect them, and to demonstrate the economic value of the trade secrets. If a company cannot pinpoint the scope of an alleged misappropriation, such showings will be difficult.
The takeaway is that trade secrets should be made a priority in any robust cyber security assessment and program. Because trade secret protection involves intertwined legal and technical considerations in a way that protecting personally identifying information does not, companies should involve legal stakeholders to ensure such considerations are adequately addressed. If companies make these efforts, they just might be able to keep their secrets.