Any emerging company interested in a joint venture with a large corporation quickly comes face to face with the reality of corporate security. Before you ever sit down at the negotiating table, you sign strict confidentiality agreements and run a gauntlet of physical security, electronic logs, identification badges, and restricted access.
Overkill? Not at all. Companies that budget large amounts of money for security generally have two primary goals: first, to protect all of their sensitive business information from falling into competitors' hands; and second, to demonstrate that they have taken all reasonable steps to preserve the secrecy of their confidential material.
That's what trade secrets are all about. The Uniform Trade Secrets Act defines a trade secret broadly to include any information that has actual or potential value because it is not widely known or readily obtainable and that its owner takes reasonable measures to keep secret. As long as they remain undisclosed, trade secrets last forever. But if you don't take formal steps to protect your trade secrets, then courts will likely conclude they weren't all that secret to begin with.
Not all companies, of course, have the budget resources to implement high-tech security systems worthy of Mission: Impossible. But a trade secret protection program doesn't have to be complicated or expensive. What companies need to do is recognize all the information they must protect (ranging from undisclosed patent applications and know-how to market research and business plans) and develop a thoughtful strategy for keeping that information secure. Usually, this involves three key areas: employees, physical security, and documentation.
Employees
Despite true stories of hidden microphones and intercepted phone calls, your employees, not corporate espionage, are the greatest threat to the integrity of your trade secrets. This may include accidental disclosure by employees who aren't even aware they're communicating trade secrets to deliberate theft or disclosure by employees looking for monetary gain or a new job. As a result, you need to educate your staff about the secrecy of corporate information, assure that sensitive material is distributed on a 'need to know' basis, and obtain signed confidentiality agreements from existing employees, new employees, independent contractors, potential collaborators, and vendors. You also need to have strict policies regarding non-disclosure of corporate information, not only to family, friends, and other outsiders, but also to insiders who do not have a legitimate need for the information. These policies should be reflected in employee handbooks and reiterated on a regular basis.
Obviously, once a program is in place, confidentiality issues are particularly important for all new employees. Companies should take care on new hires to:
- Discuss and verify in advance that new employees will not be bringing in trade secrets from their prior employer;
- Assign the employee to a different functional area, if necessary, during the term of any prior confidentiality agreement;
- Address general expectations of confidentiality in the letter of engagement;
- Get a signed confidentiality agreement;
- Provide a copy of the corporate confidentiality policy.
Similarly, trade secrets are probably most at risk when an employee leaves the organization. It's essential to conduct an exit interview with departing employees that follows a checklist dealing with confidentiality issues. Employees should sign an 'Exit Interview Acknowledgment' that reiterates the employee's responsibility not to divulge any trade secrets he or she may have acquired during employment at the company. Be clear, in writing, about what information can be taken by the employee in leaving and what can't. And monitor what they actually try to take with them. While employees interested in deliberate theft of trade secrets will likely remove information long before their last day, trade secrets can also be lost accidentally when employees take files, disks, and other documentation.
Physical Security
Lock your doors. Sounds simple, doesn't it? But many organizations neglect certain basic precautions regarding access to their physical premises and secure areas within the overall site. While you may want to present a welcoming front to the public, you should still maintain a designated reception area with a sign-in book, provide identification badges for visitors, and escort them while on your premises.
Controlling access to your facility and/or confidential information is relatively simple and inexpensive. Establish and communicate normal working hours. Control the distribution of employee access cards, and install a security system that utilizes one access code per employee, capable of creating an electronic login/logout report. Provide after-hours physical security, whether through guards or an electronic monitoring system.
You don't necessarily need the elaborate and expensive precautions that large public companies require. But you do need to take the basic steps to control who goes in and out of your facility, and where they go.
Documentation
Most of your trade secrets, of course, are documented in some fashion, whether in paper files or computer disks. Maintaining the security of your documents is one of the paramount responsibilities of keeping your trade secrets. To do so, here are some common sense precautions to follow:
- If it's a trade secret, label it. Mark confidential documents with the words CONFIDENTIAL or TRADE SECRET. But be selective. If all documents are labeled as secret, even those that aren't, the label may lose its effectiveness.
- Don't distribute confidential documents beyond the pool of people who need to see them
- Securely store your documents (protected from inappropriate access and disasters like fire)
- Back-up your computer information, and keep the backup tapes secure
- Shred documents before discarding them
- Know your cleaning staff and have them work during office hours if possible
- Erase boards and destroy flip charts after meetings
- Collect all excess documentation after meetings
With increasing use of Extranets, Intranets, and e-commerce, companies also need to set up appropriate policies for technology security, including hardware, software, and data. Using firewalls to protect Internet access, employing reputable encryption programs on e-mail, restricting access to servers, and developing sophisticated database security protocols are all valuable steps in assuring that electronic copies of your trade secrets are not deliberately or inadvertently released. Proper virus protection is also crucial to assure that critical documents are not damaged or destroyed.
In the era of telecommuting, too, be aware of the substantial risks posed by employees who take work home or work at home regularly. You may wish to address this situation specifically in your confidentiality agreements and employee policies. As recent headlines revealed, even highly secure organizations like the CIA can be embarrassed by employees (even directors) who work on confidential matters on their home computers with Internet connections offering potential access to hackers around the world.
Once It's Out, It's Gone
Many of these precautions are common sense steps that many companies will want to take as part of their ordinary business operations. But there's no substitute for a formal program to identify and protect your trade secrets. Without reasonable efforts at protection, trade secrets can be readily lost and stolen; and companies may lose their ability to enforce the secrets in court. In addition, the damages to the company's business plan from disclosure are often irreversible. It's important to take a pro-active approach to the private information that creates your competitive edge. As with any secret, once it's out, it's gone.