Your trade secrets might well be your most valuable business possession. How can you keep them safe?
Across the world, the penalties for trade secrets breaches are high. The FBI recently charged a US Apple employee with stealing trade secrets and he now faces 10 years’ imprisonment and a $250,000 fine.
In the UK, the EU Trade Secrets Directive was implemented this summer, and is a significant legislative step towards increased security for companies looking to protect against the unlawful acquisition, disclosure and use of their trade secrets.
It seeks to harmonise the approach to trade secrets across the EU, and provide a common standard of protection for businesses.
With increased employee mobility and a less formal, fast-moving environment, tech companies are particularly vulnerable to the risk of valuable information being made public or, worse, falling into the hands of competitors.
The protection of information, such as technological knowhow and customer information, is fundamental to the preservation of a successful business.
Co-working arrangements and employees who work for several different businesses simultaneously are commonplace in the tech sector, so employers must ensure that they have appropriate measures in place to protect themselves.
The new Directive
The Directive defines “trade secret” as information which:
- Is secret (not generally known or readily accessible to persons within the circles linked to the information in question);
- Has commercial value because it is secret; and
- Has been subject to reasonable steps to keep it secret by a person who is lawfully in control of that information.
This is broadly in line with existing UK law, but the express requirement to show that steps have been taken to protect confidential information is significant. Taking such steps as a matter of course obviously makes it less likely that confidential information will be stolen or misused in the first place.
However, it will now also help show the court after the event that the information was in fact a trade secret. So, what can companies do?
What are you protecting?
Every company should constantly review exactly what information is confidential and valuable in its specific business. This information should be stored and used in a way which maintains its confidentiality as far as possible.
Do all employees need access to the full customer list? Have sensitive documents been password protected or stored on a commonly accessible server? Are client pitches covered by non-disclosure agreements? Can certain documents be kept ring-fenced from systems which could be susceptible to cyberattacks?
When employees move from one business to another, employer confidential information and trade secrets become vulnerable. Employers must not encourage new, over-zealous employees to bring confidential information with them to their new job and should obtain written confirmation that new employees have not done this.
When recruits enter the business, employers should check that their employment contracts contain well-drafted confidentiality provisions, applying both during and after employment. Employees should be taught which information is regarded as confidential and should only have access to the information they need to perform their role.
Co-working and hot-desk environments present particular risks, as do situations where employees are working away from the office, on public transport or on public Wi-Fi networks.
There should be a clear policy as to how employees access the systems they require if working from home, and emailing documents to personal accounts should be forbidden.
If possible, IT systems should log who accesses documents and from where, and in some circumstances it can be helpful to include tell-tale harmless “fake” entries in databases, so that copying can be proved if necessary.
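The tell-tale entries described above, sketched as an added example that is not part of the original article: fake customer rows are derived from a secret key, so they can be regenerated later and matched against a suspect dataset. It goes one step beyond the text by giving each copy of the list its own entries, so a leak can be traced to a specific copy. The key, copy labels, name pools and sample rows are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed name pools; canary emails use the reserved example.com domain.
FIRST = ["Alex", "Sam", "Jordan", "Casey", "Morgan", "Robin", "Jamie", "Taylor"]
LAST = ["Hartley", "Okafor", "Lindqvist", "Moreau", "Petrov", "Nakamura", "Ellis", "Brandt"]

def canary_record(key, copy_id, index):
    """Derive one fake customer row from the secret key so it can be regenerated later."""
    digest = hmac.new(key, f"{copy_id}|{index}".encode(), hashlib.sha256).digest()
    first = FIRST[digest[0] % len(FIRST)]
    last = LAST[digest[1] % len(LAST)]
    local = f"{first}.{last}.{digest[2:6].hex()}".lower()
    return {"name": f"{first} {last}", "email": f"{local}@example.com"}

def seed_copy(real_rows, key, copy_id, count=3):
    """Return the real rows plus `count` canaries unique to this copy."""
    rows = list(real_rows) + [canary_record(key, copy_id, i) for i in range(count)]
    # Sort so the canaries do not sit together at the end of the list.
    return sorted(rows, key=lambda r: r["email"])

def attribute_leak(suspect_rows, key, copy_ids, count=3):
    """Map each copy label to the number of its canaries found in the suspect data."""
    seen = {r["email"].strip().lower() for r in suspect_rows}
    hits = {}
    for copy_id in copy_ids:
        found = sum(canary_record(key, copy_id, i)["email"] in seen for i in range(count))
        if found:
            hits[copy_id] = found
    return hits

# Constructed sample data: a demo key, three "real" customers, two copy labels.
KEY = b"constructed-demo-key"
REAL = [
    {"name": "A. Buyer", "email": "a.buyer@customer-one.test"},
    {"name": "B. Client", "email": "b.client@customer-two.test"},
    {"name": "C. Account", "email": "c.account@customer-three.test"},
]
COPIES = ["crm-main", "sales-export"]

if __name__ == "__main__":
    sales = seed_copy(REAL, KEY, "sales-export")
    # Simulate a partial copy: one real row dropped, canaries carried along.
    leaked = [r for r in sales if r["email"] != REAL[0]["email"]]
    print(attribute_leak(leaked, KEY, COPIES))
```

The key and the list of copy labels need to be stored apart from the seeded data, since anyone holding both can pick out and strip the fake rows.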
Employers must also endeavour to manage the employee termination/exit process in a way that reduces the chance of deliberate breaches by employees.
The process ought to be handled professionally and fairly, and employers should reaffirm confidentiality obligations and restrictive covenants (by reference to specific clients if necessary), and reiterate that breaches will be taken seriously.
A well drafted IT “Acceptable Use”/“Email Monitoring” policy must be in place to warn employees that it may be necessary and proportionate to check their sent items for evidence of misconduct. This will also mitigate the risk of a GDPR breach or employee “privacy” claim.
Employers should also regularly review restrictive covenants to check that they are well drafted and updated to reflect the employee’s role if they progress through the business.
However well prepared you may be, things can go wrong, and companies must be ready to act quickly and decisively if an incident does arise. In the event of a trade secrets breach, consider the following:
- Understand what information has been accessed and taken as soon as possible
- Evaluate the potential risks to the business
- Ascertain whether any personal data has been taken, which might give rise to an obligation under the GDPR to notify the Information Commissioner’s Office within 72 hours
- Consider injunctions and court orders, to contain and minimise the damage of the breach quickly
- After the breach, promptly evaluate the wider repercussions – consider if there has been adverse publicity and manage effectively to minimise potential reputational risk
Whilst the Trade Secrets Directive does not radically alter the protection of confidential information in the UK, it definitely serves as a timely reminder that confidential information is an increasingly valuable asset, and almost every business could do more to protect itself.
By being both proactive and reactive, businesses can manage the protection of their trade secrets and ensure that their most valuable assets remain safe.