Trade Secret Hygiene for Current Employees
Published on ACCDocket. By Walt Norfleet, Smiths Group plc and Eugene Y. Mar, Farella Braun + Martel LLP
In the first two parts of this series on best practices in protecting trade secrets, we addressed risks raised by the arrival and departure of key employees at companies, and failed potential customer-supplier or acquisition scenarios. In this third and final article, we discuss the importance of maintaining good trade secret hygiene for current employees and recommend a few best practices.
Information security policy
While preparing such a policy in the first instance can be a burdensome challenge, start small. Document basic policies around when employees are permitted to share confidential information outside the company and in what format. It can be helpful to define categories of information, such as public information, internal information, confidential information, and strictly confidential information. Including a menu of characteristics for each classification in your policy along with examples can go a long way in promoting compliance by employees.
You may also want to define protection strategies for each classification. For instance, technical or sales information valuable to a company may require basic password protection access restrictions based on an employee’s “need to know.” More critical information, such as highly valued trade secrets or strategic business information, may be characterized as strictly confidential, requiring more stringent controls, including signoffs from senior leadership prior to sharing.
For technology companies, the importance of documenting key changes to source code and architectural specifications cannot be overstated. Document the primary changes, when they happened, and by whom. Should a company find itself in litigation, being able to establish when particular features were developed will be an important issue.
If your company already has a policy, then be sure to train employees on it on a regular basis.
Train, train, train!
The adage that “you’re only as strong as your weakest link” is particularly true when it comes to training current employees. If one employee carelessly forgets a flash drive containing confidential technical or business files at an airport and compounds the error by failing to encrypt or password link the flash drive, the secrecy around that information could be lost.
Best practices for training come in all shapes and forms. The key is to have an information security policy in place and train employees on its content frequently. Commonly, information security training is done at the time the employee is hired — during new hire orientation. Additional training could be done during an employee’s performance review, right after a promotion, and when an employee departs.
These trainings can be conducted as an all-hands meeting or a lunch-and-learn. Having a quick guide on the classes of information in your policy, and how each class should be run, can provide a reminder and reference whenever questions come up. Such quick guides may include physical brochures that employees can place on their desks and electronic guides or apps that can help employees classify and mark information appropriately.
Often, companies will forego training because it is burdensome or disruptive to the workflow. To minimize this burden, one best practice is to train employees by having them fill out mandatory, online five- to 10-minute quizzes semi-annually or annually.
The quizzes can, for example, present hypothetical scenarios in the form of a cartoon filmstrip followed by a series of questions asking employees to identify the risks. These brief quizzes can be very effective in reminding employees of information security policies at the company.
Some companies have implemented annual renewals whereby employees have to click through an online portal to:
- Reaffirm their obligations under their employment contract (including confidentiality); and
- Complete the information security quiz.
Employees must complete this annual renewal in order to regain access to the company’s storage servers and central document repositories.
Enhancing training by promoting a culture of innovation
For technology companies, effectively competing in the marketplace requires constant innovation. A culture of innovation promotes the importance of protecting that technology, whether that protection is sought through patent protection, copyright, or as a trade secret. The idea is that employees who are invested in developing new technology will be most incentivized to protect them.
To further enhance this culture consider asking employees in their annual reviews to characterize their contributions to company trade secrets — of course being mindful not to share critical information that those viewing the review might not be entitled to see.
Don’t forget the obvious
What can a passerby see when they walk by the windows outside your conference room? What can a visitor see from the lobby? Try it and find out!
Some information security consultants literally walk around the outside of a building and use their mobile phones to photograph what can be seen through a window while casually walking by in a parking lot. These exercises reinforce the importance to employees of maintaining good hygiene practices.
Maintaining good trade secret hygiene doesn’t have to be a burden. Many of the best practices suggested are best implemented as part of semi-annual or annual employee reviews. Implementing these best practices will help minimize the risk of inadvertent disclosure of trade secrets.
In addition, should the company find itself in the position of having to enforce its trade secrets litigation, these best practices will be presented to the judge and jury as the company’s reasonable measures to protect its secret — one of the core legal requirements to proving that trade secrets existed.
About the Authors
Walton Norfleet is IP counsel at Smiths Group plc. He handles a wide variety of IP-related matters and has broad experience in the industrial, energy, medical, and software fields. [email protected]
Eugene Y. Mar leads the technology industry group at Farella Braun + Martel. He specializes in trade secrets, patent, and IP licensing litigation and advises both Fortune 100 and emerging companies on best practices for trade secret protection. [email protected]