Trade secret protection is essential for two reasons.
- Instituting trade secret protection best practices reduces the risk of theft.
- Following these best practices provides legal protection should a theft occur.
Trade Secret Protection Best Practices
The following checklist is a best practices starting point, not a definitive list. It is also not legal advice. Work with your corporate counsel, or company law firm, to fill in any gaps which might be unique to your business. Just understand you can’t show up in court and whine, “They stole my trade secrets,” if you haven’t taken “reasonable measures to keep such information secret.” 18 U.S.C. § 1839 (3).
Written Confidentiality Policy
Create a written company confidentiality policy. It should describe specifically what is considered confidential, and what is not. It should also state how and where employees may (and may not) use and store the information. Make sure the policy is in alignment with, and does not conflict with, other company policies, such as your Recording in the Workplace policy.
Obtain nondisclosure agreements from employees, visitors and vendors. Without this basic trade secret protection document the chances of winning your case in court are slim and… (you know the rest of the saying).
Proactive Security Measures
Locks, alarms and guards are fine, but they are considered average and minimal protection for the general business environment. Elevated security for confidential information, including the spoken word, requires special protection to obtain trade secret status in court. Here’s why…
Many of the technologies used in businesses these days are information sieves, literally bugs in a box, and hacking them isn’t the only concern. Business espionage is thriving, and employee spies are just as active as outsiders. The sophistication of bugging devices is up, and the prices are way down. Add to this that all the classic spy tricks still work and are being used.
The solution for keeping the business environment free from hackable office technologies and electronic eavesdropping, and for detecting the classic spy vulnerabilities, is the Technical Surveillance Countermeasures (TSCM) survey. Documentation of these periodic surveys goes a long way in court to show extra due diligence. Think of it as cheap security insurance, but better… TSCM surveys can prevent losses in the first place!
Not all information is created equal. You just can’t stamp TOP SECRET on everything and expect to be taken seriously. Figure out just how secret all your information is, and classify it accordingly. A common classification scheme is: Top Secret, Secret, Confidential, and Unclassified.
Once you have a written policy and procedures, and a classification scheme, the next step is to make sure employees know about it. Ensure they know their specific responsibilities and obligations when it comes to protecting trade secrets and sensitive company information. Include it in the employee handbook and new employee orientation, and cover it periodically in a company-wide training session. Document your efforts.
Although password protection is a universally accepted security basic, some people still refuse to take it seriously. Some people use easy-to-guess passwords, some write them on post-it notes, and some refuse to use them at all. Your TSCM security survey will spot many of these loopholes, but make sure password protection is part of the written policy and employee education process.
Employ encryption when storing confidential data, and whenever sensitive communications take place between the same two points on a regular basis (e.g. between the office and regular clients; mobile phones, homes of executives, field offices, etc.).
The CIA has a policy of compartmentalization, and for good reason: not everybody needs to know everything. Also, when there is a leak, they know where to start looking for the leaker. Need-to-know access needs to be implemented evenhandedly if it is to be viewed as smart security rather than exclusionary.
Pay attention to employee, vendor and consultant suggestions about improving your trade secret information security. You don’t want your IT manager being cross-examined on the witness stand saying, “I tried to tell them, but nobody listened.”
Employees come and go, but when they go, make sure they are not taking anything with them. Have a standard exit procedure which includes a review of their nondisclosure agreement and a written statement acknowledging they understand their obligations. If there is any doubt about their honesty, or it is a for-cause firing, consider confiscating their company-provided electronics and doing a data extraction inspection.
Kevin D. Murray CPP, CISM, CFE is a business counterespionage consultant and TSCM specialist with over four decades of experience.
Murray Associates is an independent security consulting firm, providing eavesdropping detection and counterespionage services to business, government and at-risk individuals.
Headquartered in the New York metropolitan area, a Murray Associates team can assist you quickly, anywhere in the United States, and internationally.