Global supply chains, open innovation, joint ventures, and other types of collaboration fuel innovation, speed-to-market, and other competitive advantages for companies. However, as critical confidential business information changes hands and crosses networks and continents, opportunities for the theft of trade secrets also dramatically increase. And when crown jewels are stolen, it's incumbent upon the company to prove that it has taken 'reasonable steps' towards keeping information confidential.
The question for many companies is: what exactly constitutes reasonable steps? Although the definitions in laws are vague, insights can be drawn from court cases. A new whitepaper from the Center for Responsible Enterprise And Trade (CREATe.org) offers an overview of the 'reasonable steps' requirement. For those working in procurement and with third parties and supply chain partners, there are some key takeaways.
First, although it sounds basic, nondisclosure and other contractual agreements should address trade secret protection. These contracts have been regularly examined in court cases as evidence of “reasonable measures.” However, it's important to note that contracts alone may not be adequate. Corporate policies — and importantly, trade secret protection procedures to support those policies — are vital. For example, there should be procedures around third-party partner on-boarding and termination, trade secret handling and disclosure, and security measures. Many companies will also segregate confidential information or processes so that no one vendor has access to all of the key information.
Security and confidentiality management is also critical both within a company and among third-party partners. The 2013 Target data breach was started via a malware-laced email phishing attack sent to employees at a heating and ventilation company that was a vendor to Target and had access to the retailer's billing network. Given the heightened risk of cyber threats, it's important to include physical and IT security as part of due diligence and ongoing monitoring efforts. However, keep in mind that although a company may have implemented an IT security standard such as ISO 27001, the system may not have controls specific to the protection of trade secrets and other confidential information if that protection was not factored into the planning.
Risk management is another top area to consider. As part of the effort to implement “reasonable steps,” companies should conduct some classic risk management as it relates to trade secrets. This includes creating a registry and identifying trade secrets, assessing potential risks and putting a management plan in place to minimize vulnerabilities.
Trade secrets cross an enterprise – from product launch plans to proprietary processing techniques. As such, it takes a team effort to ensure that corporate policies and associated procedures are being followed, both by employees and third parties. To manage this effort, companies should put a cross-functional information protection team in place with representation from key groups dealing with trade secrets.
What exactly is a trade secret? Many employees and third parties don't realize that trade secrets can range from something as simple as a customer list to a sophisticated product formula. In a majority of cases, it's insiders — including third parties — who compromise proprietary information, sometimes unwittingly and other times with malicious intent. To ensure employees and partners understand their role in protecting trade secrets — and the consequences of not doing so — companies should institute ongoing training, particularly for those who are dealing directly with confidential and critical business information. In addition to training, the importance of trade secret protection should be regularly communicated to third parties and should also be a topic of regular reviews.
Even with all these steps, a trade secret breach can happen. How a company responds to misappropriation can also factor into court decisions. Conducting a root-cause analysis of the breach and having incident response plans in place are two leading practices.
Third parties are often at the heart of trade secret theft. Enacting a trade secret protection program that embeds the protection of critical business information into processes across an organization not only is good business, it can also provide legal redress in the event trade secrets are compromised.