Protecting Trade Secrets in the Modern Workplace

For effective safeguarding of confidential information, companies should proactively promote a protective culture built on clear communication and sound procedures.

When it comes to your company’s sensitive private information, an important first step is ensuring that employees and management cultivate a protective culture. Too often, non-disclosure agreements (NDAs) or confidentiality terms are tucked away into a bunch of boilerplate-form documents that are hastily signed at the time of hiring, with little to no discussion later on.

Communication about company expectations needs to be clear and unambiguous from the outset. Explicit rules and procedures that everybody understands should be in place regarding the treatment of sensitive, confidential information.

To protect confidential information, companies typically:

•  Prohibit the use of private drives, USBs, computers, or similar devices in office premises or anywhere connected to company business.

•  Restrict physical or electronic access to your trade secrets information to those who are specifically designated to see it.

•  Only allow installation of company-approved software, with the installation being carried out by the company itself.

•  Prohibit or restrict the use of private messaging and email software to communicate from work computers. 

•  Require employees to mark documents (or use document templates that include markings on them) stating the confidential nature of those documents.

•  Maintain a “clean desk” policy throughout the company.

•  Employ additional security measures beyond mere passwords to access systems, including but not limited to verification software and the use of fingerprint readers.

Whatever rules you implement, they should be communicated clearly and unambiguously to the employees and management. An annual or even quarterly security meeting with employees to review any implemented requirements is a good way to ensure employees are aware of the expectations. Sign-offs, quizzes, and acknowledgments are also helpful ways to make sure that employees and management are not simply going through the motions without closely paying attention.

Companies should also keep in mind that confidential information is not limited to R&D activity or proprietary manufacturing formulas or processes. It should also cover customer data, business plans, the terms and conditions in agreements with trading counterparts, employee personal data, future targets, and any other items that could be of use to your competitors or counterparts.

The following are additional key points to keep in mind:

Follow strict procedures

It’s crucial to have a definitive plan in place for handling personnel departures. Template documents should be ready for handling ordinary resignations, terminations for poor performance or layoffs, and terminations for serious misconduct. Exit procedures should consistently address the safeguarding of any confidential information in the employee’s possession, outlining a timeline for its return. Additionally, these procedures must ensure the termination of the employee’s access to confidential information within the company’s systems.

Depending on the situation, many companies will have corporate security either present or prepared to step in if needed during termination. In some cases, corporate security may take the lead on certain exit procedures, such as retrieving company keycards, computers, smartphones, or car keys. Personal belongings in the individual’s office may be packed up separately and couriered to the employee’s home to avoid an emotional scene or gawking coworkers.

The plan used in a for-cause termination should aim at maximum efficiency and smoothness to help preserve the dignity of all parties concerned. Employees who are terminated without public humiliation or embarrassment are less likely to seek creative means to try to “get even” with their former employer.

The timing of the shutdown of access to email and company networks should reflect the nature of the departure. In cases involving an immediate termination for misconduct, the company should take special care to remove employee access to systems where they may attempt to download, erase, or otherwise disrupt company activity.

We were once brought into a case some weeks after a senior executive termination had gone sour. The Taiwan country manager had been flown to his U.S. headquarters for the termination, where he was informed of the decision on the first day upon arrival and before a final exit package agreement had been reached.

The parties exchanged goodbyes after negotiations in the evening, and at around 3 a.m. the Taiwan executive started accessing the company’s email and file systems, downloading about 28GB of sensitive data onto several thumb drives he had brought with him. Later, computer forensics experts were able to trace back much of what he had done, and legal actions were taken to stop him from moving the information to a competitor.

Remember basic psychology

A psychological basis nearly always underlies misbehavior, such as theft or misappropriation of trade secrets. Employees who take or share confidential information often do so under stress or pressure, perceiving the risk-reward ratio as favorable to them.

The motivation may even be love. Some years back we had a case where two married people were having an affair while working for separate companies that did business with each other. Our client’s IT team figured out that their employee was using his personal web-based email account to send future product plans to his lover, who worked for a distributor that also handled some competing products.

He didn’t benefit financially from the action, and a subsequent investigation found that no information had leaked through to competitors. However, for a few months he helped his lover appear extremely knowledgeable about future business and product plans to her managers.

Not all trade-secret theft involves a solid plan. Going back to the Taiwan country manager who downloaded massive amounts of documents in the middle of the night, a big question asked later was “Why?”

Certainly, jetlagged and stressed managers don’t sleep well or think straight. After nearly 20 years with the company, he also had a reputation as a leading figure in his industry and a “nano-manager,” so there weren’t any deals in Taiwan he hadn’t been directly involved in.

In considering his later conduct and his apparent lack of a coherent plan about what to do with the data, we think he may have been motivated under stress by vague notions of taking with him some sort of “souvenir” or record of what he had accomplished. Best not to expect a person in that situation to make the right decisions; instead, follow an orderly procedure to immediately remove access to company information.

In numerous cases involving the termination of IT staff, it’s vital not to provide advance notice and give them a chance to take swift and disastrous revenge. Client situations have included:

•  A publishing company that found that all copies of every article and photograph for an upcoming 48-page issue of a magazine had been completely deleted from their servers just a week before the issue was scheduled to be printed.

•  A public relations agency whose IT guy’s last 24 hours were spent loading every computer (including servers that were not otherwise even connected to monitors) with pirated versions of software. The ex-employee then reported his former employer to the software companies.

•  An employee who registered domain names similar to that of his employer under his own name and then, after termination, set them to forward automatically to the employer’s main competitor.

Be tough

After gathering evidence that an employee has mishandled company confidential information, it’s usually a challenge to determine the best course of action, balancing business management perspectives with legal considerations. However, building and maintaining a strong position is vital to prevent the case from dragging on and becoming a financial and emotional burden.

Even if the company’s management hopes that there’s a less damaging reason for an apparent theft of trade secrets (for example, “taking a souvenir”), it’s essential to act quickly to stop that data from getting to a competitor or upstream or downstream trading counterparts. Trade secrets cases are tough and require focus and discipline to get swift action from the courts and perhaps swifter action from the party who took the data.

In these situations, the adage “too many cooks spoil the broth” often holds true. A few years ago, we observed a company that essentially averaged the advice from several retained law firms to devise a case strategy. This approach resulted in a plan that was neither strong nor decisive. Going back and forth between hard and soft approaches doesn’t give you any strategic or tactical advantage and only costs a lot in lawyer fees.

To solve the problem, we persuaded the client to “reset” the case with a strong commitment to use the solid options available under Taiwan’s criminal laws. This strategic pivot quickly brought the opposing party to the negotiation table.

Think of it as using an axe to cut down a tree – you’ll get absolutely nowhere with the task if you just give a couple of gentle taps against the trunk and hope for the best. In a trade secrets case, you must move quickly to clarify to the other side that all hell will break loose if they don’t hand back the stolen information. The chances of securing effective court action or a swift settlement increase significantly if the opposing party knows you’re prepared to go the distance. Similarly, the probability of achieving long-term compliance from your employees rises if they understand that you take a firm stance against trade secrets theft.

Think flexibly

Is there an overlapping aspect to what the employee has done that might bring additional legal jurisdictions into the picture? In many cases, we see important conduct occurring offshore or even during trips to the United States, where the extremely tough U.S. Economic Espionage Act is in force. Former employees can find their future employment options greatly reduced if traveling internationally or returning home may include a possible arrest at the airport.

Also, most respectable global companies don’t want to get dragged into a trade-secret fight over an ex-employee. In a past case, an employee was terminated for reasons unrelated to trade secret matters. He turned in his company phone while remaining connected to a messaging app that miraculously started getting a slew of messages from a competitor.

It soon became clear from the constantly beeping phone that the ex-employee was trying to send confidential information to a competitor’s manager in Shanghai. We contacted that competitor’s senior management in Europe, and their response was proactive, responsible, and outstanding.

Don’t overdo it

We’ve also worked cases from the employee perspective and seen companies make the opposite mistake, pursuing spurious charges of trade-secret theft where no basis actually existed. Companies that hastily take strong action against employees who genuinely depart in good faith may expose themselves to substantial liability. Given the tough criminal sanctions for violations of Taiwan’s Personal Data Protection Act (PDPA), it is absolutely essential that companies act responsibly in their effort to investigate employees.

In one extreme case, the departing employee voluntarily turned over all of his personal computer drives to corporate security for a final requested review to ensure that he was not taking away any company data. The drives included his only copies of many years of his family photos, all his financial data, including his tax returns, and vast amounts of other highly personal data.

The former employer’s security team then retained the data for months, copied and kept all the employee’s drive contents (including the family photos and financial data) without the former employee’s permission, and only later thought to ask the former employee for signed permissions for what they had already done. The company soon found itself running into problems under Taiwan’s PDPA for its unnecessary and unauthorized copying of highly private data.

The bad faith of the former employer was also clear in emails accidentally included in a 200-page court complaint filing made by the company’s Taiwan counsel. The emails included notes from the company’s in-house counsel in America stating that they knew there was no actual legal or factual basis for making the claims against the departing employee. It was a pure act of legal harassment put together by an unethical company with an unethical counsel. The mistaken inclusion of the emails was more a matter of laziness and incompetence, of course.

The company could have saved itself considerable litigation costs if it had simply reviewed the employee’s personal computer drives in a timely manner and returned them with no further copying or retention beyond the scope of the employee’s consent. Good judgment is crucial in deciding which cases to pursue and the methods to employ. Given the abundance of legitimate trade secrets issues, burdening the courts with fabricated ones makes no sense.

John Eastwood and Heather Hsiao are partners at Eiger, a Taipei-based law firm, with extensive experience in intellectual property and employment matters.