Embed Size (px)
Citation preview
Practical Steps for Protecting Trade Secrets and Confidential Information
Alexander P. Woollcott
Partner, Morris, Manning & Martin Atlanta, Georgia Office
B.S. Yale University (1980) J.D. Cornell Law School (1985)
I. Adopting a Trade Secret Protection Plan
EXAMPLE 1: InstallX Co. is in the business of helping large banks and other financial institutions select and integrate complex IT networks. InstallX operates in most large cities in the northeastern part of the U.S. InstallX doesn’t maintain its own installation staff. Rather it subcontracts the actual installation process (and ongoing systems support) to an installation firm in each of its major markets. By giving all of its installation work in a given market to one installer InstallX gets a very favorable price from the installation firm, allowing InstallX to have a relatively high profit margin since it does not have to maintain an internal installation division and sense the “exclusivity” given to the key installer in each market earns InstallX the most favorable pricing from that installer. The installation firms are probably the most important link in InstallX’s business model; they are also the most important because basically those firms are the “face” of InstallX to the customers since they provide ongoing support to InstallX’s clients. You are the in house general counsel for InstallX (your name is Joe) and you’re concerned that the company is not taking aggressive measures to protect its confidential information and trade secrets. You express your concerns to the CEO of the InstallX and he responds as follows: “Joe, I appreciate your concern, but as you know one of the beauties of our IT systems integration business is that we sell and arrange for the installation of someone else’s products. All we do is help our clients put together the right system and then we get one of our key installers to install the system and help the client maintain it. I just don’t see why we need anything more than basic confidentiality agreements with our employees. What’s this “trade secret protection plan” that you keep talking about? We don’t even have any trade secrets or any IP.” You’re Joe. How would you respond to the CEO?
• All companies in competitive industries should have a well-defined strategy for identifying and protecting their trade secrets, confidential information, intellectual property and strategic business relationships. All of these things are protected by a well-conceived, well-implemented and continually monitored TSPP. As used in this Outline, the term “trade secrets” is meant to include all of the foregoing types of proprietary information and relationships, regardless of whether they meet the applicable statutory or common law definition of “trade secret”.
• While common law and statutes give some limited protection to trade secrets, affirmative steps are required to provide meaningful protection. This Outline
© 2007. Thompson Hine LLP. All rights reserved.
summarizes some of the practical steps that a company can take to protect trade secrets.
• Developing an effective plan is not unduly expensive, time consuming or distracting. Moreover, the loss of a trade secret to a competitor or the public domain can be devastating. TSPP are good investments in light of the risks of not having one. Bear in mind that even in some very competitive industries or with some companies whose products include very proprietary technology, the need to protect trade secrets with anything other than rudimentary protection will not always be apparent to corporate decision-makers. Both inside counsel and outside firms should be proactive in advising clients to consider adopting an appropriately solid TSPP.
• For companies that are possible candidates for sale or outside investment, one of the first things that well-informed buyers, investment banks, venture capital firms or private equity firms look at is whether there is a comprehensive trade secret protection plan in place. The absence of one can lead to a substantial devaluation of a company, whereas the presence of a strong plan can increase the stated value.
II. Phases for Implementation of Trade Secret Protection Plan
• One size does not necessarily fit all. TSPPs can be elaborate or relatively simple. There is no need for a company with a relatively low risk profile to invest in an elaborate TSPP. However, few if any companies have no trade secrets worthy of protection. (Ironically, information may not qualify as a trade secret under common statutory definitions if the company doesn’t take reasonable steps to protect the secrecy of the information in the first place. Note the circularity of the risk.)
• The appropriate scale for your company’s TSPP will need to account for the following factors, among others, all of which affect the risk profile of the company:
o Degree of competition within the industry segment
o Whether the industry segment can support multiple players within a given geographical area
o Presence of particularly aggressive or predatory players in the industry segment
o Tendency of key employees (particularly those in management, sales or
R&D) to make moves within the industry
o Presence of rapidly escalating technology
2
3
o Past instances of employee defections from the company
o Discontent within the employee base
o Heavy involvement of subcontractors, consultants and third parties in the company’s business
o Presence of actual and potential intellectual property rights in the business
A. Trade Secret and Confidential Information Audit
EXAMPLE 2: Marvelous Mattress Company (“MMC”) is a family owned company that designs mattresses specifically for use by mid-tier motel and hotel chains. MMC’s claim to fame is that their mattresses incorporate certain “technology” that make their mattresses notably more comfortable than the mattresses that are economically feasible for mid-tier motel and hotel chains. MMC has a long history of obtaining patents on its mattress technology in order to keep competitors from honing in on its business. MMC’s long-time CEO and Founder, Mitchell Moberly, now age 75, has a philosophy that he doesn’t believe in contracts and paperwork. Therefore, MMC’s business relationships as well as its relationships with employees are handled on a “hand-shake” basis only. MMC has a loyal basis of employees and low turnover because the employees are treated well and compensated generously. Moberly believes that his legal dollars are best spent on promptly seeking patent protection for all new mattress innovations developed by MMC and the numerous consultants it engages. One of the newest technologies developed by MMC and one of its leading consultants is a software program that allows a hotel operator to assess and manage its inventory of mattresses based on a variety of criteria. This is MMC’s first foray outside of technology associated with the mattress itself. You are outside counsel to MMC. You read a compelling article about the increasing importance of companies having a good trade secret protection program. Problem is, you have to convince Mitchell “No Paperwork” Mobley. He seems to feel that the patent protection for the current products is all that is needed to protect the company adequately. Do you agree? Do you see any value to the company investing in any measures to protect the confidentiality of technology that is no longer current (some of which may be still under patent protection and some of which are no longer covered by patents)?
• The first step in developing the TSPP is to compile a list of all actual and potential trade secrets associated with the business. Remember that "trade secrets" should be regarded in the broadest sense possible and should include all of the items listed in the first bullet of this Outline. Don’t think of trade secrets in terms of just information or data or even inventions. Anything that is proprietary or unique to a company could likely embody trade secrets. For example, relationships are worthy of protection because in some instances it could be argued that those relationships are, in essence, trade secrets.
4
• Counsel should be involved in this process since counsel will likely be more attuned and sensitized to what might be proprietary. Trade secrets can be subtle and many of the most valuable trade secrets are also intangible.
• A reliable list of trade secrets requires interviews with key employees, consultants and others in the business, both from the management, sales and marketing and research and development sectors.
• An adjunct to the development of the TSPP is to create a plan for registering and protecting all intellectual property suitable for such protection. That is not formally a part of the TSPP but is a separate step that should be promptly taken by the company if it already hasn’t been taken.
B. Review and Revision of Company Contracts
EXAMPLE 3: You are one of the founders of a small start up company that is developing software and related services for clients in the securities brokerage industry. You are also the company’s only lawyer. Your company has great ideas and a few very talented R&D personnel, but you need some strategic muscle to develop your company’s products in such a manner that the large companies that would be your best customers take note of you. You engage McKenzie to provide you with strategic consulting services. You are reading through the standard McKenzie Client Services Agreement and you run across the following provision tacked on to the end of the confidentiality section of the Agreement:
Nothing in this Client Services Agreement, however, prevents McKenzie from using knowledge, retained in intangible form in the unaided memories of its employees, contractors or representatives, as a result of provision of services to Client.
How would you react to this provision?
• Your company should review all of its standard contracting procedures and contract forms with counsel to ensure that they enhance the company's protection of its trade secrets. The laws constantly change and form agreements that are not updated and fine-tuned in accordance with changes in the laws are risky. Moreover, most companies’ business operations and their industries are subject to change, sometimes very abrupt change. Our perception is that at least 85% of the commercial contracts and agreements in place with high risk companies are B grade or lower and some of those were prepared by big name law firms.
• All employees in many companies, including the most senior employees, should sign a comprehensive agreement (which doesn’t necessarily mean a long agreement) that includes confidentiality, invention assignment, and no conflict of interest provisions. Certain classes of competitively sensitive employees should have restrictive covenants in their agreement, limiting their ability to compete with the company, solicit the company's customers and prospects and to solicit the company's employees. Those covenants should apply during and for a reasonable time after the employee’s employment. Remember that in many situations much
5
competitive harm is done by a defecting employee prior to his or her leaving the current employment. Such restrictive covenants are subject to a complex maze of case law and sometimes statutory law that is beyond the focus of this Outline. However, in selecting your company’s trade secrets counsel, you should look for firms with broad experience not only in the core issues associated with trade secret and confidential information protection, but who are also experienced in various areas of competition law, both from a drafting and prevention standpoint as well as a dispute resolution and litigation standpoint. Having a strong IP practice is also essential given the cross-over of issues among the related areas of trade secret law, competition law and IP law.
• All consultants and independent contractors should be under contract with the company. Those contracts need to be vetted carefully to ensure that the company owns all work product and technology developed by the contractors and consultants. Otherwise ownership of that work product and technology, in some instances, resides with the consultant or contractor. Loss of trade secrets to consultants and third parties is an every day risk for companies that haven’t protected themselves adequately. The reality is that many of those consultants are in the business of aggregating, at least at a high level, the knowledge that they gain in individual consulting relationships and parlaying that into additional work.
• Important classes of contracts include the agreements that cover the company's provision of services and products to its customers. A company should always do this under a contract, and preferably its own form of agreement. Simple purchase orders or statements of work are not sufficient unless they are tied into a comprehensive commercial agreement.
• An important class of contracts are those between the company and "strategic partners" or joint venture partners or joint developers. These agreements can be treacherous if they do not clearly and fairly allocate IP rights between the parties (and they often don't). Joint ownership is a concept that is fair sounding but is largely unworkable in the real world and should be avoided.
• A standard, simple, multi-purpose non-disclosure agreement should be used in all instances where the company is in discussions with a potential business partner, a potential key employee, potential customers, where there is any risk that any confidential information is going to be discussed or provided or where the other party is given a tour of or access to the company premises. This is not offensive. It is good sense.
C. Corporate Policy/Employee Policies
• Employees should be cognizant of the importance company wide of protecting trade secrets. The roll-out of the TSPP should be a visible, informative process and should be a team effort and commitment.
6
• The employee manual should have a section devoted to the TSPP and written in “plain English” and not legalese.
• As noted above, employees should be under contract with the company to protect trade secrets and to refrain from unfairly competing with the company.
• The company should police violations of the TSPP by employees and should take firm and definitive action against violations.
• A corporate officer should be designated to deal specifically with TSPP matters. Often this is the Chief Information Officer or Chief Technology Officer. It can also be someone in the legal department or the HR department.
• The company should consider appointing a "neutral" officer to receive reports (anonymous if preferred) of potential misuse of trade secrets or competitive misconduct.
7
D. Internet, Intranet and IT Based Protections
• The company’s IT infrastructure poses high risks of trade secret misuse, theft or inadvertent loss. The IT infrastructure often contains digitized information about critical products, services, client relationships and financial data. Often sensitive client data (entrusted by clients to a company) resides on the infrastructure.
• The risks to a company are exacerbated if the company’s website is “interactive” and is designed to allow customers to access information about their accounts and the company’s products and services.
• The company should include appropriate notices and disclaimers on its website as well as on all "public-facing" marketing and sales materials that describe the company and its products. The notices should be focused on noting intellectual property rights of the company, and any disclaimers associated with use of the website or information on it. If the company’s website is co-branded with customers’ trademarks, then the risks are compounded.
• Client specific Intranets are highly useful features for customers, but present great risks of loss of both company trade secrets as well as client information and data.
• Does your company use off-site servers for the storage of important data or documents? Does it own those offsite servers or does it rent space from a hosting company? If the answer is “yes” to either of these questions, then understand that the risk of loss of trade secrets is higher.
• Does your company have a disaster recovery and business continuity plan in place? These are typically third party products and services that can be fairly reasonable in price but offer great protection in the event of loss of data on the system or in the event of any disaster involving the company’s IT system. Increasingly, sophisticated customers are demanding evidence of a service or product vendor’s disaster recovery and business continuity systems.
• Has your company adopted a privacy policy that is tailored to the kinds of customer information that might be provided through its website? Where is that policy posted?
8
E. Physical Protections
• While many trade secrets are intangible by their very nature, there are always physical repositories for trade secrets. Some companies invest substantially in elaborate data protection systems but fail to implement some of most obvious protections relating to physical protection of files, PCs, servers, etc.
• The company should review all of its facilities to ensure that unauthorized persons do not have physical access to confidential data or information or systems. Remember that a person’s status as an authorized employee can change on a moment’s notice. Your company should have a clearly defined plan of action to restrict someone whose authorization to access the IT system, files, programs lapses.
• Company servers and PCs that host confidential client and company information should not be readily accessible to unauthorized persons.
• The company should have a system in place that monitors electronically who accesses the IT system, for what purpose and when. This feature should not be de-activated by anyone for any reason.
• If the company has third party consultants or contractors on site or accessing the IT system, the need for physical protections is heightened.
• Tangible physical embodiments of confidential or proprietary information should be duly marked as confidential and should be stored in secure areas.
9
FORM CONFIDENTIALITY AGREEMENT [bilateral] _____________________________________________________________________ This Confidentiality Agreement is between [Company] (“[Company]”) and the party identified on the signature page as “SECOND PARTY.” [Company] and Second Party are referred to together as the “Parties.”
III. Background A. The Parties are contemplating a business transaction, relationship or an exchange of information (the
“Relationship”), which may be briefly described on the next page of this Agreement. The term “Relationship” is intended to cover both the preliminary discussions of the Relationship as well as the Relationship itself, if it is consummated. The Relationship may simply be a visit by one of the Parties to the facilities of the other Party or a presentation.
B. The Parties may wish to share confidential and proprietary information with one another, and in order to protect
that information they have agreed to enter into this Agreement. C. For purposes of this Agreement, the “Receiving Party” refers to the party who is in receipt of or comes to
know confidential information of the other Party (the “Disclosing Party”). In consideration of the right to enter into discussions regarding the Relationship and to be privy to confidential information of one another, the Parties, intending to be legally bound, agree as follows: 1. Non-Disclosure Obligation. The Receiving Party agrees not to disclose, communicate, transfer, give, sell,
license or lease any Confidential Information (as defined below) of the Disclosing Party to any person or entity other than the employees of the Receiving Party who need to have such information in order to fulfill the Receiving Party’s obligations or rights in connection with the Relationship. The Receiving Party may use the Disclosing Party’s Confidential Information for the sole purpose of fulfilling the Receiving Party’s obligations or exercising the Receiving Party’s express rights in connection with the Relationship. “Confidential Information” of the Disclosing Party is non-public or proprietary information or data of the Disclosing Party and its business, products, technology, customers and clients, regardless of the form of the information or data (e.g. written, oral or electronic). “Confidential Information” also includes any trade secrets and intellectual property (e.g. patents, copyrights, trademarks) of the Disclosing Party.
2. Duration of Obligation. The Parties shall be bound by their non-disclosure and non-use obligations under this
Agreement for the duration of the Relationship and for two (2) years after the termination of the Relationship or discussions regarding the Relationship if it is not consummated or the cessation of activities between the Parties. However, that with respect to any Confidential Information that constitutes a “Trade Secret” under [Georgia] law, the Parties’ obligations shall last for as long as such information continues to meet the definition of Trade Secret. The Parties intend for the rights and obligations of the Parties under this Agreement to exist independently of rights and obligations imposed under applicable law. The Parties do not intend for any of the terms of this Agreement to limit or eliminate broader rights available under applicable law with respect to the protection of confidential or proprietary information or Trade Secrets.
3. Ancillary Obligations. The Receiving Party shall ensure that all employees to whom it communicates the
Disclosing Party’s Confidential Information understand fully the confidentiality obligations of the Receiving Party with respect to such information. The Receiving Party shall promptly notify the Disclosing Party of any unauthorized use or disclosure of the Confidential Information of the Disclosing Party, and Receiving Party shall diligently assist Disclosing Party in minimizing the scope and impact of such unauthorized use or disclosure. The Receiving Party shall promptly return any of the Disclosing Party’s Confidential Information upon the request of the Disclosing Party, including any copies or extracts of such Confidential Information.
10
4. Miscellaneous. This Agreement shall be governed by the laws of the State of [Georgia]. Any legal action relating to this Agreement shall be conducted in the state or federal courts of [Georgia]. This Agreement shall be binding on and inure to the benefit of the Parties, their successors and assigns. This Agreement contains the entire agreement of the Parties with respect to its subject matter, and it supersedes all prior agreements or understandings with respect to its subject matter. This Agreement may be legally modified or amended only by a written amendment signed by both Parties. This Agreement may be superseded by other non-disclosure provisions if the Parties agree to proceed with the Relationship. Any work product or deliverables (documents, proposals, prototypes, code or others) produced in connection with the Relationship shall be owned solely by [Company], and in the case of works of authorship such as software as “work made for hire,” and the Second Party shall take all necessary action to convey all rights to [Company]. In providing information to the Receiving Party, the Disclosing Party shall not be deemed to be making any representations, express or implied, as to the information’s adequacy, sufficiency or freedom from error of any kind. Nothing in this Agreement shall grant any express or implied right, title, interest or license in or to the Confidential Information of the Disclosing Party other than the conditional right to use such information for purposes of the Relationship. The rights of the Receiving Party to use the Confidential Information of the Disclosing Party may not be assigned to a third party without the Disclosing Party’s prior written consent.
EFFECTIVE DATE OF AGREEMENT DESCRIPTION OF RELATIONSHIP OR TRANSACTION (optional) SIGNATURES [Company] Authorized signature Printed name Title SECOND PARTY Full legal name Authorized signature Printed name Title
