The Cybersecurity Dimension of Trade Secret Protection: DOJ Guidance
A requirement that companies take reasonable steps to protect their trade secrets is written into the legal definition of “trade secret.” The Uniform Trade Secrets Act (UTSA), which is the basis for most state trade secret laws, and the federal Economic Espionage Act (EEA), as amended by the 2016 Defend Trade Secrets Act (DTSA), require that firms take reasonable steps to protect trade secrets. Moreover, “a business or possessor of a potential trade secret must take some active steps to maintain its secrecy in order to enjoy presumptive trade secret status because once material has been publicly disclosed, it loses any status it ever had as a trade secret.”
But what does “reasonable steps” mean in the context of cybersecurity? How can companies ensure that they are taking the specific, concrete “reasonable steps” necessary to qualify for protection under state and federal trade secret laws and treaties?
While existing caselaw identifies some basic, common measures that constitute “reasonable steps” (e.g., passwords, firewalls, and encryption), firms will be under constant, increasing pressure to anticipate new waves of cyber-attacks on their trade secrets and to deploy countermeasures that will subsequently hold up in court as “reasonable steps.” In addition, courts and lawmakers will be called upon to provide additional guidance to firms as cyber-threats proliferate and trade secrets come under closer scrutiny.
Remember, by the time a trade secret case reaches an overworked federal judge (often in the rushed context of a preliminary request for a temporary restraining order), that judge will be learning in the first instance (1) what the asserted trade secret is; (2) how defendants were able to obtain it; and (3) what steps plaintiffs took to prevent disclosure. The judge’s initial reaction will likely determine the fate of the plaintiff’s trade secret claim. In such circumstances, the plaintiff—and its lawyer—must have good answers ready for judicial scrutiny.
Perhaps the single best source of concrete measures companies should take to ensure their trade secrets will hold up in court is a helpful guide from the Department of Justice’s Computer Crime & Intellectual Property Section. “[These] guidelines… seek information that, in the experience of Department of Justice prosecutors and investigators, is useful or even critical to the successful prosecution of the most common intellectual property crimes.” Although many companies will pursue their own claims in a civil action, it stands to reason that they would benefit by following the same guidelines DOJ uses in a criminal case, since “trade secret” is defined in exactly the same way whether the case proceeds pursuant to the EEA’s criminal provisions or the DTSA’s civil provision. And, while the guidelines are not law, surely any federal judge would look approvingly on a trade secret plaintiff who can credibly cite to DOJ guidance in support of its trade secret protection practices.
Specifically relevant in the cybersecurity context is the guidelines’ “Checklist for Reporting an Intellectual Property Crime.” As described by DOJ:
“This checklist serves as a guide for the type of information that would be helpful for a victim or a victim’s authorized representative to include when reporting an intellectual property violation to law enforcement… Reviewing the checklist before an incident occurs may also help rights holders identify what type of information they should be generating on an ongoing basis to help protect their rights.”
Drilling down further, the checklist includes a section devoted to “Electronically-Stored Trade Secrets.” This is the meat of DOJ’s guidance on reasonable cybersecurity measures. From this section, one can reasonably infer that the following practices should be followed by any firm that is serious about maintaining trade secrets:
Regulate access to any electronic files that contain the trade secret.
Give employees who have access to the trade secret files unique user names, passwords, and electronic storage space.
Encrypt the files.
Store the trade secret files on a network protected by a firewall.
Limit remote access into the network.
Where remote access is allowed, utilize a virtual private network.
Maintain the trade secret files on a separate server from other company files.
Prohibit employees from using unauthorized programs or unapproved peripherals, such as high-capacity portable storage devices (thumb drives).
Maintain electronic access records such as computer logs.
While additional practices may come to light from a review of other sources, or based on the specific attributes of a company’s operations, the DOJ guidelines are an excellent source for reasonably adequate trade secret protection in the cybersecurity context.