Does your company take confidentiality and trade secrets seriously?
This article was written in consultation with Amy B. Goldsmith, partner at Tarter Krinsky & Drogin LLP. It is not intended to serve as legal advice.
For many small and mid-sized companies, the issue of confidentiality and trade secrets is often an afterthought. Sure, you might have a confidentiality clause in your employment contracts, or an NDA template you use when hiring contractors, but does your company have official policies regarding the handling of confidential information?
You might think such policies are only important for companies involved in such industries as technology, healthcare, government or law. But even creative businesses can assume great risk if they don’t have processes in place to protect confidential information or trade secrets.
What is defined as confidential information or trade secrets?
Confidential information covers a range of information that can be broadly divided into two categories: information that gives you a competitive advantage, and personal or private information about people or entities.
Confidential information that gives you a competitive advantage can include your business plan, financial data, sales or marketing strategy, research data, business procedures, formulas, recipes, and more. Trade secrets are also included in this category. (All trade secrets are confidential information, but not all confidential information are trade secrets.)
Personal or private information includes things like your customer and vendor lists or employee lists and associated details, such as emails, addresses, bank account numbers, social security numbers, etc.
Trade secrets have their own special designation as part of intellectual property law (which also covers patents, trademarks, and copyrights). As defined by the Defend Trade Secrets Act, trade secrets are information used and kept secret by a business to give an opportunity or obtain an economic advantage over competitors who do not know or use it. This can include a formula, pattern, compilation, program, device, method, technique or process.
For example, if you were a craft distiller, your brewing recipe qualifies as a trade secret if you keep it secret and it cannot be reverse engineered. Specific processes or methods can also be considered trade secrets, such as how the NY Times selects its Bestseller list or how a retailer curates products that appear in the shop.
The thing about trade secrets: once they’re publicly known, they're no longer trade secrets. Although companies can pursue legal action against anyone who illegally reveals a trade secret, it’s much more difficult to do so if the company has not already taken reasonable measures to protect them. The same applies to confidential information. Companies cannot be lax about confidentiality policies and then expect the courts to find in their favor if something is leaked or revealed, whether intentionally or by accident.
Understanding the difference between "disclosing party" and "receiving party” obligations
There are two sides to consider when it comes to protecting confidential information: the disclosing party, or the party that discloses the confidential information; and the receiving party, or the party that receives the confidential information. Both sides have obligations to ensure information is protected.
For most confidential information, the company is the disclosing party and employees or contractors are the receiving party. Companies must have designated policies in place to protect confidential information, which they then communicate to employees or contractors. Employees or contractors are obligated to do their best to protect confidential information per the policy. In any case, the more explicit the company details these policies and procedures, the more protected the company will be in case of any breach.
In some cases, the company itself is considered the receiving party—for example, if taking on a special project with a client who will need to disclose confidential information as part of the process. Since employees act as agents of the company, any confidential information that they reveal (whether intentionally or not) could end up being the company’s responsibility. This is especially prescient in the age of social media, where even a casual post about a company project or client could be a serious breach of confidentiality. Thus, it is equally important to educate employees on how to handle confidential client or customer information, in addition to the company’s own confidential information.
Steps to protecting your confidential information
Audit your information and classify and mark all confidential information, including trade secrets. Go through all your company’s internal documents and data and specifically classify and mark what is considered confidential or a trade secret. Don’t forget to consider things like contact lists, images and diagrams, internal presentations, etc. For trade secrets in particular, a company should also keep the information in a password protected location and limit the visibility of the document to only those employees who are in roles required to know the secret to perform their jobs.
Create a company policy document. The document should outline important procedures such as 1) how to classify and identify confidential information and who is allowed access, 2) how information should be created, saved, accessed and handled within a company, such as through a secure VPN, and 3) safety precautions that employees are required to take to protect confidential information, including securing their devices from being stolen or hacked, and 4) what employees can or cannot say about the company in public, to media, or in social profiles.
Train your employees. Just having a written document isn’t enough. Training allows employees to fully learn and embrace these policies, and also helps to clarify any questions that they may have. Are LinkedIn contacts considered proprietary information? What can or can’t I share on social media about work? How do I send confidential documents? How do I secure my work laptop? This training must be a part of every employee’s onboarding process.
Embed confidentiality into your employment and vendor contracts. Companies should specifically address confidentiality clauses within all employee contracts, vendor contracts (via NDAs), and also in exit interview paperwork.
It’s never too late to start
Even if your company does not currently have confidentiality policies in place, you can still retroactively apply them—don’t wait until experiencing a loss of a trade secret or confidential information leak to start thinking about it! Law firms specializing in intellectual property law can assist you with document audits, policies and training procedures, as well as employment contracts and legal documentation.
Information in this article was provided by Amy B. Goldsmith, partner at Tarter Krinsky & Drogin LLP. Goldsmith is co-chair of the firm’s intellectual property group and her practices include consumer products, fashion, technology, publishing, e-commerce platforms, retail and hospitality and restaurant services. For more information, please contact her at firstname.lastname@example.org.