How to Make a Trade Secret: An Introduction
Obtaining enforceable Intellectual Property rights over intangible assets is crucial for entrepreneurs and businesses. The statutory IP trio of patents, copyright, and trademarks have specific but fairly clear rules regarding ownership rights, and, without going into details, an application or registration process with the Canadian Intellectual Property Office. In contrast, rights to trade secrets in Canada are based in the common law, and are generally enforced as claims in contract and breach of confidence. There is no government office involved, and, as CIPO notes, no formal registration process for trade secrets. So just how do you go about establishing Intellectual Property rights over a trade secret?
The essence of obtaining trade secrecy rights is to take intentional steps to establish a system that reasonably ensures that you act as the effective gatekeeper to that information by:
- Planning out a real-world system that seeks to control and limit access to the non-public information that your organization is developing or is otherwise generating as an outgrowth of its activities;
- Formally documenting that system; and
- Implementing that system.
Controlling access to a trade secret or other forms of confidential information is typically achieved through a combination of physical, technological, and legal means.
Establishing the “Quality of Confidence”
Trade secrecy and confidentiality evolved into something of a flexible catch-all category some time ago. In principle, any information that provides commercial value or a competitive advantage by virtue of not being generally known may have the necessary “quality of confidence” to be legally protectable as a trade secret (see my post here). Although originally thought of in terms of technical or operational know-how or sensitive business material, these days legally protectable information may include Big Data products and other outgrowths of information technology and related services.
At root, asserting rights to the use and control of a trade secret or confidential business information involves its holder asserting that they are an effective gatekeeper to that secret. This means that the contents of the information or data in question must be relatively inaccessible (to use a British phrasing) or are not readily ascertainable by proper means (to use the American formulation) using publicly available sources. Yet what is and is not available in the public domain shifts over time, and is not fully within the control of the holder of a trade secret. Consequently, creating a legally enforceable right to a trade secret is primarily achieved by demonstrating that appropriate real-world steps and systems were put into place to reasonably ensure that secrecy was maintained.
Identifying Classes of Protected Information
The best starting point is to identify what class or classes of information are sensitive or valuable to your specific organization or enterprise. This exercise tends to be useful for its own sake. Further, documenting the systems and practices used to control access to trade secrets or proprietary information provides a basis to demonstrate this form of intellectual property right.
Implementing Systems and Protocols
The next step is to articulate and implement specific measures and systems designed to limit and control access to the secret or confidential information. Again, this is typically achieved through a combination of physical, technological, and legal means.
The appropriate mix of measures will vary and should be tailored depending on the size of the organisation involved and the nature and normal usage of the sensitive information. For example, virtually all companies should have certain measures in place aimed at preserving the confidentiality of customer information, operational data, market intelligence, and business proposals. Companies that physically manufacture or otherwise use products involving trade secrets will need another set of often similarly physical measures. Finally, efforts to commercialize research and development findings or artificial intelligence assisted Big Data products may rely more on encrypted IT systems and carefully orchestrated non-disclosure or licensing agreements – possibly in conjunction with significant physical security if prototypes or a laboratory are also involved.
Legally speaking, if these measures are violated by, for example, breaching non-disclosure clauses or departing with sensitive materials, being able to readily prove that the material was clearly intended to be kept confidential will facilitate recourse through the courts against those individuals and anyone who receives and misuses such information.
Examples of Specific Measures to Protect Secrecy
While by no means exhaustive, the following are examples of specific measures taken to treat information as secret or confidential:
- Mindfully Limiting Access: It is shocking how many large, otherwise sophisticated organizations simply move material onto their IT system and then allow all individuals within them the same, unlimited access. A crucial first step in treating material as secret or confidential involves maintaining lists or people who have access to different groups of records. This should be coupled with protocols that actively track or restrict access to more sensitive materials, and make it clear that the unauthorized copying or transmittal of materials is unacceptable.
- Need-to-Know Basis: A related root principle is that sensitive information should only be communicated on a need-to-know basis. The people in a “needs to know” category might be fairly wide in the case of, for example, customer contact information or project particulars. Defining this type of broad category nonetheless makes it clear that the information cannot be shared outside the organisation or kept for personal use. In contrast, technical secrets or active negotiation particulars might have quite a limited circulation list.
- Physical or Digital Control of Records: Traditionally, more robust systems aimed at ensuring the classified or secret nature of the information involved requiring physically signing out and returning the written documents recording it from a secure location. This type of system might also involve “clean desk” policies or other enforced limits to how long material could be kept or where it could be taken. For example, materials are to be returned to a locked cabinet by the end of each day, and not out of the building without expressly recorded permission.
For cloud enabled organizations, a good first step is to carefully manage access controls to different groupings of information. For sensitive materials such as trade secrets or business proposals, the digital or soft copy of the records might be encrypted and password protected, or may only be accessible via a secure portal or specific devices.
- Visual Notice of Confidentiality: Prominently displaying “SECRET AND CONFIDENTIAL” on a cover sheet and similarly watermarking the entire document provides notice that it contains sensitive material. Traditionally, highly classified or secret material were also kept in specially marked sealed envelopes. The documents might be printed on coloured paper to visually flag that it was not to be copied or viewed in public. These days, encrypting and password protecting soft copy or digital records, or only allowing it to be accessed through a secure portal or specific devices, might play a similar role in providing notice that the information a record contains is confidential.
- Employment Agreements: Many employment agreements include provisions relating to non-disclosure and confidentiality. Similarly, many include provisions that assign rights over intellectual property to the employer, or otherwise assert the employer’s proprietary or ownership rights to know-how or trade secrets.
While an important step, relying on blanket assertions of confidentiality or proprietary rights alone carries some enforceability risks. Generally speaking, I would recommend adding out-procedure provisions relating to the return or destruction and deletion of workplace materials. You could also consider including a schedule that identifies the specific trade secrets or confidential materials an individual is working with. Since this often shifts over time, a more robust policy might include reviewing and updating this type of schedule periodically.
- Contractor Agreements: Employment relationships include an implied obligation of confidentiality. This is, however, less clearly the case for individual subcontractors or third-party service providers. The written contract governing these forms of relationships should be carefully reviewed to establish clear expectations and obligations relating to confidentiality. Ideally, it should also include provisions relating to the handling or return of records, including steps to follow once the project or relationship has concluded.
- Commercial or Service Agreements: Similarly, commercial or service agreements need to be assessed to ensure a precise delineation of obligations relating to, among other things, data use and collection, privacy, and intellectual property or proprietary rights. Particularly in the Software-as-a-Service or Big Data universe, be mindful of attempts to assert or carve out consents or independent rights to collect, use, or commercialize information.
- Non-Disclosure Agreements: If business negotiations or third-party experts needs to review trade secrets or other sensitive materials, it is, wherever possible, strongly recommended that you obtain a carefully worded NDA in advance.
- Education and Compliance: While crucial for establishing rights, it is the unavoidable truth that many people do not closely read or remember the finer points of organizational policies or the contracts they have entered in to. For larger organizations in particular, effectively implementing an IP or information governance policy should include employee education and compliance verification programs.
- Explicitly Informing People: Similarly, explicitly telling someone that the materials that they are about to gain access is confidential or secret and should not be copied or transmitted without your permission is an important but often overlooked step.
- Physical Security: In addition to actively controlling access to sensitive materials, suitable physical security measures provide unambiguous notice that individuals cannot legitimately be in an area without permission. It follows that accessing or copying records that are controlled in this way is strong evidence that such access is unlawful. At minimum, physical security includes locking doors, storing materials in locked storage areas, appropriate signage, and restricting after-hours access to workspaces. On the high end, a guarded and specially secured building may only allow access to individuals who have been vetted and who have entered into appropriate legal agreements.
- Dedicated Devices: Bring-Your-Own-Device situations and the general blurring between work and personal informational flows is a negative when it comes to trade secrecy rights. For enterprises that involve generating or handling secret or confidential materials, consider purchasing dedicated devices for this purpose. For highly sensitive materials, this might include strictly controlled IT systems and prohibiting personal devices in certain workspaces.
- IT Systems: I have suggested that most organizations using cloud-based IT systems should adopt access controls relating to, for example, customer or financial information. The document containing particularly sensitive materials should also be visually marked as secret or confidential. Enhanced measures include encrypting and password protecting documents. Appropriately designed IT systems can also monitor and record all incidences of access, and restrict how accessed records can be copied or transmitted.
Intentionally creating a trade secret or proprietary right is accomplished by developing valuable but non-publicly available information coupled with adopting real-world measures reasonably designed to ensure its ongoing secrecy. While this post has sought to provide a sense of the types of measures that might be deployed, the appropriate mix will vary. Legally speaking, trade secrets and proprietary data can be disclosed privately, but this should be done on terms that ensure that you unambiguously remain the rights holder controlling the further use and disclosure of that information (see my post here).
There are several important rewards to being able to demonstrate dependable rights to this form of intangible assets. Transactions ranging from licensing arrangements to the sale of a business require articulating just what trade secrets or proprietary information is involved. Similarly, at a more preliminary stage, showing that appropriate systems have been put in place may assist in raising financing or finding investors and business partners. Finally, if the need arises, documenting and being able to articulate what measures have been taken to keep information secret or confidential will greatly assist in enforcing your legal rights through the courts.