Where Trade Secrets and Data Privacy Strategies Overlap
Innovation continues across industries at a rapid pace. Many companies maintain highly valuable trade secrets and private data that provide them with a competitive market advantage. The rapidly evolving technological landscape, however, leads to new and more sophisticated threats to a company’s trade secrets and other private information. Whether organizations are equipped to confront this challenge is an open question.
The widespread adoption of artificial intelligence (AI) and its use for malicious purposes create novel risks for companies to safeguard their valuable trade secrets, requiring an emphasis on securing their sensitive private information. While trade secrets and private data fall under different legal frameworks, there are important similarities and overlapping strategies in how companies protect these important assets. As detailed below, companies should implement sophisticated technological and physical frameworks to safeguard their trade secrets and private information.
I. What are Trade Secrets and Private Information?
The Defend Trade Secrets Act broadly defines trade secrets to mean “all forms and types of financial, business, scientific, technical, economic, or engineering information,” that the owner takes reasonable measures to keep secret and which derives economic value from not being generally known or readily ascertainable to another person who could obtain value from using it. 18 U.S.C. § 1839(3).
Likewise, personal data can take many forms and typically includes any information that relates to an identified person or that can be used to identify a person. For example, the California Consumer Privacy Act – arguably the United States’ most robust comprehensive privacy law – defines “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.” Cal. Civ. Code § 1798.140(v)(1). Personal information can range from highly regulated sensitive patient health or financial information, see id. at § 1798.140(ae) (defining “Sensitive personal information”), to generally exchanged names or email addresses. Put simply, data privacy deals with the rules and processes for how personal data can be used, stored, protected, and shared.
Undoubtedly, the most critical aspect of protecting trade secrets and managing private data is being proactive. That entails taking a structured and meticulous approach to developing and implementing trade secret and data protection programs that comply with the applicable federal, state, or industry-specific legal requirements, educating employees, and developing a “privacy-first” corporate culture that respects intellectual property and the rights of individuals. A key first step in developing such a program is identifying the sensitive information an organization seeks to protect.
Whether a company should explicitly identify its trade secrets, and if so, what information it should label as such, have been continuing topics of debate among stakeholders responsible for protecting this type of intellectual property. While there is no one-size-fits-all approach, it is hard to argue with the proposition that a company should at least identify its principal trade secrets, the ones that truly give its business an advantage in the marketplace because they are not known to competitors.
Organizations may not have a clear understanding of what information they have that could constitute a trade secret, such as unique compilations of information pulled from various sources. Identifying a company’s most valuable trade secrets is an important aspect of any trade secret management program that, once complete, allows it to implement the appropriate measures to protect that information. Simply stated, how can you properly protect what you don’t know you own?
II. Identifying and Limiting Access to Trade Secrets and Private Data
The potentially negative impact of a company not identifying and adequately safeguarding its most valuable trade secrets may be significant to its intellectual property portfolio. Consider, for a moment, if a company discovered that its valuable trade secret had been misappropriated by a former employee or a business competitor. However, while investigating the theft, the company discovered that it retained lackluster security management policies and practices. Were the company to file a lawsuit, seeking extensive damages for trade secret misappropriation, it may be hard-pressed to demonstrate that it took reasonable measures to protect what it claims in litigation is a highly valuable asset when it failed to classify that information as a trade secret in the normal course of its business. For trade secrets, this could involve identifying the formulas, methods, processes, and compilations of data that are critical to its business. It all comes down to risk minimization, and several strategies have emerged that are key to ensuring a baseline of protection.
Similarly, companies that process or maintain private personal information about consumers or employees should inventory – or identify – what data they possess. This process is often referred to as “data mapping.” A data map informs a company about what data it has, where that information resides, and how it is being used and shared internally and externally. Importantly, a data map gives data privacy stakeholders a starting point to develop robust privacy protection policies and plans and to identify gaps in a company’s data security infrastructure.
Once a company has identified its sensitive information, a common practice to protect that information is to implement access controls, which are important measures that restrict one’s ability to view trade secrets and private personal information. Access to such information can depend on an employee’s role and need for access. With regard to trade secrets, for example, there may not be a legitimate business purpose for members of a company’s sales team to be able to access folders used by Research and Development personnel. Proper data privacy management often involves stringent employee access controls as well, such as need-to-know access or least privilege – providing access to the least amount of information needed to perform a task or function.
Access controls are important to protect AI systems where trade secrets and private personal information are maintained. A bad actor with unauthorized access to a company system could, for example, seek to extract sensitive information from a proprietary AI model or training data. Similarly, not having appropriate access safeguards may allow a bad actor to conduct a “poisoning attack,” which is the intentional injection of corrupt data to cause the AI system to malfunction.
III. Implementing Best Practices to Protect Sensitive Non-Public Information
The reality is that no system can be guaranteed to be secure from a cyberattack or other attempted intrusion by a bad actor. However, there are best practices that can be used to reduce the risk of exposure of or unauthorized access to trade secrets and private data and comply with applicable legal requirements.
Encryption
One such best practice is encryption, which can be used to protect important information when it is in motion (exchanged between two parties), and at rest (stored on a company system). In plain terms, encryption scrambles data so that only users with the “secret code” or decryption key can read it. Only those with an appropriate business need should have access to the decryption key, and the identity of those with access should be monitored and recorded. Encrypting trade secrets and private data is a commonly used method of adding a layer of protection to sensitive information during its transmission and storage.
Encryption and other technological solutions are especially critical to maintaining the secrecy of non-public information as AI is increasingly being misused for malicious purposes. Generative AI tools are being used by bad actors to write malware and to enhance the success rates of their spoofing and phishing attacks. The risk of AI being used as a weapon to exfiltrate a company’s trade secrets is growing, as AI tools are becoming cheaper and more accessible.
Contracts
In addition to technological protections, contracts have an important role in protecting trade secrets and data security management. Contracts that require the confidentiality of trade secrets are one of the most common forms of protection that courts look for when determining whether the trade secret owner took reasonable measures to protect their intellectual property. These can include non-disclosure agreements as well as employee or consulting agreements that contain confidentiality clauses.
With respect to data privacy, there are several types of provisions that relate to the handling of data by third parties. For example, a data processing agreement may describe the steps the vendor will take to protect personal information, what data they may access, how they may use that data, how they can transfer or dispose of that data, and their responsibilities in the event of an incident or breach. And, because an organization may suffer significant harm if a third-party is responsible for the misuse of its trade secrets or private personal information, contracts often contain terms relating to liability, such as indemnification provisions. Moreover, contracts may require that a third-party vendor maintain cybersecurity insurance. This can be a point of contention because parties often negotiate who shall bear the risk of liability were a breach to occur.
Employee Training and Awareness
Next, employee training and awareness are important aspects of trade secret management and a data privacy protection program. While training and awareness programs aim to minimize the risk that sensitive information will be misused or inadvertently disclosed, they are different concepts. Training builds skills and proficiencies in performing certain tasks and can be used to familiarize employees with an organization’s policies and procedures. Awareness, on the other hand, reinforces the skills learned during training and is focused on helping personnel recognize specific concerns or situations and how to respond to them. When used conjunctively, training and awareness programs are key risk management tools that reinforce the importance of protecting confidential information to employees, their role in safeguarding that information, and what to do if they become aware of an incident involving unauthorized access to, use, or disclosure of an organization’s trade secrets or private data.
Security Incident Response Plan
Last, organizations should have a detailed security incident response plan implemented to address an event where their trade secrets and private personal data are improperly accessed, disclosed, or used. Among the many components of a comprehensive security incident response plan is signal detection (actively searching for and identifying security risks), which is a key practice to proactively address and discover the misuse of confidential information. For example, data loss prevention tools can identify suspicious electronic activity, such as the unauthorized access to servers and password protected folders, the downloading of sensitive information, or an employee’s atypically increased use of a personal email account.
A security incident response plan should identify the various cross-functional stakeholders who are assigned to assist in such a situation and establish clear lines of communication so a company can act promptly to preserve confidentiality. Legal counsel should be involved early in an investigation of a potential trade secret theft or personal data security incident. This will help to ensure that sensitive communications are protected by the attorney-client privilege. In addition, counsel should play an active role making sure that a company’s response complies with the applicable laws and regulations, including communicating with the relevant authorities and affected individuals, and that the appropriate steps are taken to mitigate a potential misappropriation of trade secrets.
Trade secret management and data privacy protection programs overlap in several respects. The best practices described above underscore the importance of being proactive and the adoption of a multifaceted strategy that encompasses a variety of protective measures, employee education, and acting quickly when confidential information is potentially misused. A holistic approach that incorporates these principles will help companies navigate the requirements to protect their valuable intellectual property and maintain the confidentiality of sensitive personal data.