Trade Secrets Directive: practical steps to protecting trade secrets

In light of the Trade Secrets Directive, we consider some practical steps any business can take to ensure the confidentiality of its trade secrets.

Introduction

The Trade Secrets Directive (2016/943) (the TSD) was introduced on 08 June 2016 and required EU Member States to implement corresponding changes to their national laws by 09 June 2018.

The UK government is of the view that the majority of the TSD’s requirements already exist in UK law, therefore substantial changes have not been introduced. However, The Trade Secrets (Enforcement, etc.) Regulations 2018 (the Regulations) were introduced to comply with certain provisions which were not covered.

What is a Trade Secret?

A trade secret is defined by the Regulations as information which:

  1. is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among, or readily accessible to, persons within the circles that normally deal with the kind of information in question
  2. has commercial value because it is secret, and
  3. has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.

Practical steps

Although the TSD largely reflects the UK’s common law confidentiality laws, and some have commented that it will be “business as usual” for UK companies, there are some practical steps which may be helpful to consider for any business in order to demonstrate that “reasonable steps” have been taken to keep their information secret.

  • Type of protection: Decide whether trade secret protection is the best form of protection rather than other intellectual property rights protection, eg patents.

  • Identify: Identify what information should be protected and create a process to identify, categorise and label new and existing pieces of information as “confidential”. Businesses should take care to ensure that such process or system is robust and balanced enough to only classify genuine trade secrets as such. This will avoid the risk of diluting the “confidential” label.

  • Implement appropriate systems:
    • IT: Businesses should invest in reviewing and upgrading their digital security. Specific measures in relation to confidential information should be imposed, including (but not limited to):
      • password protecting computers
      • encrypting documents
      • using firewalls
      • using an automated intrusion detection and prevention system, and
      • restricting remote access to confidential documents.
    • Inventory: Keep a record of what confidential information is in a business’ possession. This includes any third-party confidential information to which a business has access. Records should indicate:
      • the confidential information (with enough detail to identify, but not enough to disclose, the information)
      • the owner of the confidential information
      • who has access to the confidential information
      • who has worked with the confidential information, and
      • the country in which the confidential information is stored (if appropriate).
  • Access: Public access to a business’ premises should be limited and all visitors should be required to sign in with the building’s reception or security team. Recipients of confidential information should be controlled by limiting those on email distribution lists and attendees at meetings. Destruction of confidential information should be carefully carried out by a designated team and a record made.

  • Contracts: A company’s business is likely to rely on several contracts in its day to day operations. It is therefore possible that a number of different stakeholders, both inside and outside of a company, will interact with pieces of confidential information. Client/customer, supplier and employee contracts should be assessed for the inclusion of confidentiality and use provisions, and appropriate dispute resolution clauses. Businesses should also consider procuring the signature of NDAs to supplement any existing agreements, where appropriate.

    As part of the overall management of clients/customer or supplier relationships, businesses may consider whether it is possible to align their trade secret protection policies with those of key stakeholders. This may be through the inclusion of corresponding confidentiality clauses across key contracts and the offer of training on trade secret protection.

    Stakeholders should again be reminded of their continuing confidentiality obligations when their contract is terminated.

  • Disclosure: Confidential information may sometimes need to be disclosed during business negotiations. There are steps that may be taken here to ensure that the information is not unduly disclosed:
    • Sharing of confidential information should be strictly controlled on a ‘need to know’ basis. Businesses should consider, where possible, only providing numbered hard copies of confidential information which can later be collected.
    • Where electronic copies must be shared, consider sending in PDF format to help avoid revealing more information than intended through a document’s meta-data.
    • Where possible, information should be disclosed in a staggered manner so that it is not all revealed until the most advanced stages of negotiations have been reached.
  • Training: Employees should be trained on the importance of trade secret protection. This should include IT as well as physical security. All employees working with confidential information should be mandated to attend training sessions (and any supplementary sessions) and to sign confidentiality agreements (if not adequately covered by their employment contracts). A policy against using personal external storage devices on company computers should be introduced and publicised to employees.

    Guidance for employees should aim to address the "human" element of trade secret protection. Employees should be cautioned not to discuss company business in public places, such as on public transport. At networking events, discussions should be strictly within the confines of an employee’s duty of confidentiality. Laptops and mobile phones should never be left unlocked and/or unattended in public places or at home, where unauthorised individuals may have access - including family.

  • Termination of employment: On termination of employment, employees should be reminded of their confidentiality and non-disclosure obligations. They should be required to return any materials/items containing or providing access to trade secrets.

  • Crisis action plan: In the event that trade secrets are unlawfully disseminated, a robust pre-agreed action plan could help significantly mitigate potential damage to the business. The action plan should include and set out responsibility for the following steps:
    • evaluation to determine the significance of the breach or potential breach
    • containment of the breach
    • notification to the relevant individuals or authorities, inside and outside the business, and
    • remedies to be sought, including an injunction.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.