Trade Secret Governance: Aligning Policy & procedure
THE TRADE SECRET GOVERNANCE MODEL
Given how thoroughly trade secret and business know-how is woven through every area of an enterprise it is only to be expected that the governance of this information will require a multifaceted policy approach and a number of layered procedures to be successful.
POLicies in play
As we discussed in our previous article, trade secrets are created and uses throughout the typical organization. As such they are governed by a number of policies that address how employees work, many of which already exist at most companies today.
- IT Guidelines on Acceptable Use – Clear guidelines and prohibitions on how data is to be accessed, stored and shared. It governs all employees throughout their use of ANY company IT asset.
- Use of Specific Media Policies – Explicit policies on what information can be shared and what activities can or cannot be done using different technical media. From physical device restrictions related to BYOD devices, flash drives and encryption requirements to content guidelines about for social media, 3rd party cloud systems and remote access.
- Electronic Monitoring – Protocol for monitoring access and activity. This can be digital access of networks, systems and individual files and/or physical access of buildings, labs and secure rooms. Also includes process documentation for the review of and response to alerts and reports generated by this monitoring.
- Classification Requirements – A standardization of requirements for how work product needs to be classified at creation and transmission typically using a gradient scale for degrees of sensitivity and the protective confidentiality measures required for each.
- Specific Trade Secret Program Policy – A policy specifically designed to identify individual trade secrets and govern how they must be documented, handled and secured.
These policies should be updated to specifically reference trade secret protection as a company priority and help define the potential of proprietary know-how in each area.
The speed of business is only increasing and a company’s departments, leaders and product teams will often innovate independently. It is absolutely vital, albeit more than a bit daunting, that these policies are reviewed frequently enough to keep pace with business developments. It is precisely those new developments, changes and product initiatives that will contain some of the most marketable (and therefore most valuable!) trade secrets a company owns.
ORGANIZATION and PRIORITY
The first step in governing any kind of data is to properly organize it – and trade secrets are no different. While there are a number of technical tools to assist in organizing and tracking trade secrets, this is still an inherently manual process given the subjective nature and wildly differening contexts of the different types of trade secrets a company would want to protect.
The overall goal should be a formal Trade Secret Registry: an active database of anything, from any area of the company, that is deemed proprietary and protectable.
These secrets can then be categorized by the systems and type of data involved, the employees associated with creating or holding it, the products or services it relates to, and the overall risk of losing ownership of the secret itself.
The Trade Secret Registry would provide the one uniform and centralized tool to manage and track the various different policies, proactive measures and technical controls required for all the different types of secrets that get cataloged.
Once this matrixed ecosystem is mapped out around each trade secret it allows for the
- Appropriate polices to be updated and applied
- Use of metadata to contextually label and track data throughout its lifecycle
- Proactively restrict access based on sensitivity and business needs
- Leverage reporting and business intelligence tools for monitoring
- Establish appropriate protocols for priority
Trade secret governance can never be a “one size fits all” methodology. It is inconceivable that the same standardized approach that lays out requirements and protocols for R&D’s work product and documentation would be the same for IT’s network system access or that the methods used to organize and manage email communications would apply to trade secrets that literally exist as part of the human intelligence of key leaders and designers.
One thing that can be applied across these disparate forms of know-how is priority. Not all trade secrets are equal and therefore not all require the same levels of effort to protect them. The key is to develop a way to quantify this value.
The value of a trade secret will partly be a subjective calculation based on business criticality, but there are objective metrics that can be factored in such as the Lost Profits or Reasonable Royalty methodologies often used by the courts when deciding IP cases.
Taken together all these factors should combine to formulate an overall priority score that can entered and tracked in the registry. These scores should be applied not only to the trade secrets themselves, but also to the people that hold them.
Make no mistake: The most valuable components of a company’s business know-how are not the cataloged data and work products; it is the EMPLOYEES that use them every day to innovate and create.
Human Capital is at the Center of everything
Since trade secrets, unlike patents, lose their protections as soon as they are no longer secret, one of the greatest threats to trade secret protection are employees. But they do not have to be.
The most direct methods to control this are non-disclosure agreements for external contacts and partners and written employee agreements for internal resources. These need to be managed closely, with terms as standardized as possible and kept current to comply with DTSA.
Yet the most effective tool of all is also the most obvious one: TRAINING.
Consistent training at all levels is critical to convey the importance of trade secrets and the value the company places on them. It should be conducted as a relentless awareness campaign across all levels to make sure everyone not only understands what trade secrets are but exactly where, when and how they personally possess them and the obligations they have to make sure they are handled appropriately.
READ THE CASE STUDY
Top Agent Network v. Zillow
DATE: OCTOBER 2014
Top Agent Network recognized the strong market value of their proprietary method of identifying “Coming Soon” listings in the real estate industry to the extent that they used it as the key bargaining point in soliciting a major investment and partnership with Zillow.
As part of these discussions, TAN’s CEO granted Zillow access to proprietary information and shared the business strategy and metrics they use in their model of collecting and disseminating pre-MLS listings.
Those talks were ultimately terminated by Zillow, who decided not to invest in Top Agent Network and who then went on to roll-out their own “Coming Soon” feature.
Top Agent Networks filed suit alleging a number of fraud and theft-based trade secret claims.
However, the court dismissed all but one minor claim due to 2 key findings:
- Top Agent Network entered the negotiations and their CEO voluntarily shared all of their “secrets” with Zillow executives without an NDA in place.
- Top Agent Networks could not describe its own “know how” and processes in anything more than broad strokes and therefore were ineligible to claim trade secret protection for what were essentially “non-protectable ideas and features”.
The failure to prioritize and define business-critical information and processes with key policies that should have ensured that this information was protected resulted in Top Agent Network desperately relying on the courts to retroactively correct for their own information management shortcomings. To make matters worse, not only did the courts rule against them but went even further to define one of their key branding differentiators as “unprotectable”.
Employee awareness of what they know, how valuable it is and how they should (and should not) handle and share that information is absolutely critical. That awareness comes from effective and consistently reinforced training that needs to happen at every level. Up to and including the CEO.