The tension between the internet and trade secrets is clear. The internet can destroy trade secrets by exposing them to millions of viewers. Here are some practical tips on how to prevent release of secrets on the internet.
How Can Secrets Get on the Internet?
There are several ways:
- Companies actually post them deliberately, with no thought for or understanding of the consequences. Examples include web sites that thoughtfully list the company's new contracts and strategic visions for the future or that incorporate the company's proprietary software.
- Employees e-mail secrets to third parties for legitimate business purposes, but with inadequate precautions against retransmission.
- Employees deliberately e-mail secrets to third parties to spirit them out of the company.
- Employees or others publicly post secrets for the express purpose of sabotaging the company owning them.
- Hackers gain entrance to a company's internal computer system and access and copy stored secrets.
- Other means too new to be detected.
Each of these potential threats to trade secrets presents different legal issues and requires different preventive measures.
The Superhighway Has Many Lanes
Some people refer to the internet as if it consisted of a single method of displaying information, without recognizing that it is a communications device that operates in several very different ways. Each lane poses separate risks to secrets, some primarily in the control of the trade secret owner, and others under the primary control of third parties.
Steering Past Trouble
Websites
Many corporate websites are essentially extended corporate advertising, intended to provide consumers and the public with information about the company, its employees, products and business plans. Websites are typically designed by or for companies. That means that from both a practical and a legal standpoint (at least in the trade secrets context), the company has sole control over what appears on its web page. The company should exercise this control with an eye, among other things, to taking reasonable measures to protect trade secrets.
Keep in mind that it is not only potential customers who view websites. Actual competitors do, too. Corporate personnel familiar with the secrets the company wishes to protect should carefully review web postings before they are posted. Such personnel should also be mindful not to display others' secrets on the web page. While the company owning the web site may not mind displaying its customer list, the customers themselves may want to keep their source of supply secret. When in doubt, it is wise to check before posting information others can claim to be confidential.
Websites do not just display words. They also can reveal the source code for the software generating the often exciting graphics displayed on websites. That means that web watchers may be in a position to duplicate those graphics for others, diluting their visual distinctiveness. How to prevent this risk? A legend reserving all rights in the software may help from a legal standpoint, as will a copyright notice. Depending on the nature and value of the software, such a warning may occupy an entire page and may require the viewer's affirmative assent before permitting further access.
But such a warning may not fully protect the ideas underlying the software -- the domain of trade secrets -- as opposed to the specific expression incorporated in the software, which is the copyrighted material. A practical way of protecting most of the software used in connection with a website is to write it so that does not display the entire program. Many programs can be written so that all that appears in code transmitted via the internet is a series of instruction to merge in files or other programs in response to some action by the user. These other programs, which actually create the graphics, are executed on the web server itself and never get into the hands of those who would copy them.
Remember, too, that new software poses new challenges. Java® software, for example, embeds executable program code into downloadable Web materials. While reverse-engineering such code is currently very difficult, over time that may change. And over time, those using such software without clearly establishing that the viewer has assumed a duty of confidentiality may be found to have taken inadequate precautions to maintain secrecy. Thus, new precautions may need to be taken to prevent future leaks.
Finally, to the extent third parties are involved in creating a web page, the site owner should gain ownership of all appropriate software (a matter that will typically be the subject of negotiation) and require all who participated in developing the page to sign appropriate confidentiality and transfer agreements. While such agreements cannot protect as secrets information actually appearing on the Web page, they may protect both information and concepts underlying the display or pertaining to future plans.
In most cases, it is unlikely that e-mail messages will be any more readily intercepted than other means of communication. Moreover, interception of e-mail being transmitted over the Internet is unlawful under the Electronic Communications Privacy Act. Interception of stored e-mail, however, appears to fall outside the scope of this Act, which means that sensitive information should be password-protected so that it cannot be retrieved by unintended recipients.
These facts, while offering substantial comfort, do not mean that use of the internet to transmit trade secrets poses no risk. The primary risk, however, lies not in the mechanics of transmission, but rather in the fact that once information is transmitted via e-mail, it can then more readily be retransmitted by the recipient to larger numbers of unauthorized people than is true with more conventional means of communication.
How Can These Threats Be Reduced?
By counseling employees to use caution in selecting what they transmit over the internet (is it really necessary from a business standpoint?), in selecting intended recipients (do they truly need to know the information? have they executed a confidentiality agreement? have they been reliable in the past? have they been apprised that this particular information is confidential?), and in implementing protective measures such as password protection and encryption that both underscore the importance of the confidentiality obligation and make it more difficult to retransmit the message to third parties.
Companies can take other practical measures to prevent excessive or inappropriate use of e-mail to transmit secrets. First, many companies do not give all employees internet access for a variety of reasons, including security. If something needs to be e-mailed via the Internet, it must be given to a supervisor who reviews the need to transmit it.
Second, sophisticated monitoring software is becoming increasingly available to track what happens to particular documents, including whether they are downloaded, copied or e-mailed. Such software should be used in environments in which there is a high concern for security. Reports should be reviewed frequently as to particularly sensitive information, and certainly in connection with the departure of employees who have had access to highly confidential documents. They may pinpoint trouble.
Discussion Groups
Another "lane" on the information superhighway is the discussion groups. This is one of the places where secrets can be put at greatest risk. If a secret gets into a discussion group, the trade secret owner has effectively lost control of the secret. A single posting of a secret can, in time, lead to its replication throughout the internet. This fact -- the total loss of control over information -- is what gives most trade secret owners the greatest fear about the Internet.
What Are the Legal Consequences?
First, consider the person who originally posts a secret to a discussion group. Assuming he or she had no authorization to do so, that person is liable for trade secret misappropriation and all the consequences thereof -- including damages for the destruction of the secret.
The unauthorized poster may also have criminal liability, under either the recently enacted Economic Espionage Act or other statutes. Third parties acting in concert with the misappropriator may also be barred from using or retransmitting the secret.
But What About Innocent Third Parties?
Are they entitled to use with impunity a secret that has been posted on the internet under the theory that it is secret no longer? Several courts have said "yes." One court originally ruled, "Although a work posted to an internet newsgroup remains accessible to the public for only a limited amount of time, once that trade secret has been released into the public domain there is no retrieving it."
But this automatic conclusion does not fully mesh with settled trade secrets law. Unlike the patent field, where the existence of a single, though obscure reference anywhere in the world can destroy novelty and hence patentability, the test for trade secret status is whether the information is in fact generally known.
Does general availability (on the internet) equate with being generally known? Not necessarily. If one blares a trade secret over the loudspeaker in Yankee Stadium off-season and no one hears it, is it still a trade secret? Perhaps. In reconsidering the above-cited decision that posting a trade secret on the internet necessarily destroys the secret, Judge Whyte of the Northern District of California concluded that whether posting a secret destroys the secret requires a case-by-case analysis of the specific facts surrounding the posting and actual viewing of the secret.
This approach certainly argues for working to delete a secret from the internet as quickly and thoroughly as possible. It also leaves unanswered the exceedingly difficult question of how to prove that a secret has not become generally known. But it does offer the prospect that an unauthorized posting need not necessarily lead to cataclysmic loss.
Aside from the question of whether a trade secret, although for a time generally available, has in fact become generally known, another principle of the law of trade secrets may help a trade secret owner whose secret has been posted on the internet. Under traditional legal principles, a third party who acquires a misappropriated secret is not free to ignore evidence of misappropriation, whether that evidence arrives with the secret or subsequently. Thus, if a trade secret makes its way onto the internet, a trade secret owner should consider how best to get the word out that the public is not free to use it. Any given situation may be extremely delicate -- sending out postings to "ignore that valuable secret!" may not be a particularly effective way of stifling curiosity. Removing the secret from the principal places it has been posted (a browser can help identify sites) and replacing the original posting with a message to the effect that "the posting added to this site at 22:18 on January 14, 1997 concerning X Corp. has been removed because it was posted without X Corp.'s permission and may contain information misappropriated from X Corp." may help.
Conclusion
The thoughtful owner of trade secrets will implement strong policies and practical measures updated as technology evolves to insure that its secrets do not escape onto the internet. If secrets do make their way onto the internet, however, even briefly, the trade secret owner will work to pull them off and limit the damage. Finally, to ensure that its secrets are safe, the wise trade secret owner will take periodic cruises on the internet looking for signs of misuse. A good browser should point the way to any trouble.