In widely publicized, contested privacy cases last year, the FTC advocated a high baseline for information security measures. Among the practices the FTC singled out as critical mistakes by companies that suffered data breaches were:
- Storing sensitive data in readable text;
- Permitting the use of easily guessed passwords;
- Failure to use firewalls between internal systems, the corporate network and the Internet;
- Lack of adequate administrative security policies and procedures;
- Failure to adequately restrict third-party vendors from network and corporate servers;
- Failure to employ reasonable measures to detect and prevent unauthorized access; and
- Failure to follow proper incident response procedures.
As part of settlement agreements last year and in previous years, the FTC has required entities to establish and maintain a “comprehensive information security program” that remains under FTC scrutiny for 20 years.
The concern over what constitutes reasonable information security measures is not limited to privacy enforcement actions by the FTC or government agencies overseeing regulated industries such as healthcare or financial institutions. Any commercial enterprise that maintains (or claims to maintain) trade secrets should be paying attention to what is expected in these privacy cases in terms of “reasonable” security measures.
Commercial trade secret protection just became a matter of federal law. On May 11, 2016, President Obama signed the Defend Trade Secrets Act (DTSA). The DTSA created a federal civil cause of action for the misappropriation of trade secrets. Before the DTSA, trade secret protection was a matter of state law governed by the Uniform Trade Secrets Act (UTSA), which had been adopted by 48 states, the District of Columbia, Puerto Rico and the U.S. Virgin Islands.
Under the federal DTSA and the state-based UTSA, information is given trade secret status only if the owner of the information takes reasonable measures to protect the information. Specifically, under the DTSA the owner must “have taken reasonable measures to keep such information secret.” Similarly, under the UTSA information becomes a protected trade secret only when it is “the subject of efforts that are reasonable under the circumstances to maintain its secrecy.”
Case law interpreting what constitutes “reasonable” measures to protect trade secrets has established a fairly low standard for information security, compared to what the FTC and other enforcement authorities have required in privacy cases. Some courts have referred to the reasonableness required in trade secret cases as a “modest” standard. Measures found to be reasonable under this standard include:
- Physical security measures such as locked rooms and security guards, together with document labeling and document destruction policies;
- Requiring employees to sign confidentiality agreements respecting trade secrets;
- Limiting employee access to confidential information, requiring physical pass keys to areas where sensitive documents are kept, training employees on confidentiality, and issuing employee handbooks (with signed acknowledgements) that address confidentiality;
- Requiring passwords and using firewalls to restrict access to computer networks based on user authorization and classification of the information.
These are just a few of hundreds of examples of information security measures found to be reasonable regarding the protection of trade secrets. For the most part, they all have one thing in common: the reasonable information security measures in the trade secret realm do not measure up to the standards advocated by enforcement authorities in the privacy realm. The standards of reasonableness for the protection of trade secrets have not kept pace with the data privacy and security standards.
But as the FTC and other authorities engage in more enforcement actions, the overall standard of what is reasonable to protect sensitive information will rise across all industries and sectors of the economy. Owners of trade secrets may no longer be able to rely upon rudimentary security measures, such as passwords, firewalls and confidentiality agreements, to maintain the trade secret status of their confidential information. Reasonable measures of information security are becoming more sophisticated and require enterprise-wide security programs involving measures of deterrence, detection and response. Entities that seek to protect their information as trade secrets and pursue claims under the DTSA and UTSA should pay close attention to the evolving data security and privacy standards.