Cybersecurity has become increasingly important and relevant to businesses. According to the Canadian federal government, about 70% of Canadian businesses have been victims of cyberattacks. According to IBM, the average consolidated total cost of a data breach in 2016 was CAD 4 million. This cost is likely to increase further.

A major reason for cybersecurity is the protection of trade secrets. In Canada, trade secrets are, as explained by Justice Biron in the Positron Inc. v. Desroches et al. case, “…usually formulas, manufacturing processes unique to its owner and which have been revealed confidentially to an employee”. Justice Biron further explained that “[a trade secret is] knowledge or ‘savoir-faire’ belonging to the employer and revealed by him for the sole purpose of permitting the employee to produce what the trade secret enables him to do.”

In the United States (US), the Defend Trade Secrets Act (DTSA) defines a trade secret as “all forms and types of financial, business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if (A) the owner thereof has taken reasonable measures to keep such information secret; and (B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, another person who can obtain economic value from the disclosure or use of the information.”

A key characteristic of trade secrets is that ownership is tied to confidentiality. If a trade secret is discovered or revealed to the public, then the organization ceases to own the trade secret. As explained in a previous blog post, IP flight risk is the risk of losing valuable IP from a company. Specifically, then, the risk of losing a valuable trade secret is tied to the risk of losing its confidentiality.

For trade secrets, then, IP flight risk reduction practice is closely tied to cybersecurity policy. As explained previously, IP flight risk reduction comprises three steps:

1) Instituting an “IP aware” mindset within the company via the formulation, implementation and dissemination of an effective IP policy. Such a policy will:
   a) prompt the employee to proactively consider whether valuable IP is being created;
   b) explain the processes necessary to identify and secure the ownership of the IP; and
   c) identify the key people and their responsibilities in carrying out the processes.
2) Securing the company’s IP ownership by using appropriate IP ownership clauses, and
3) Running periodic IP mining or discovery sessions to identify IP created within the company.

Applying these steps specifically to trade secrets within the cyber realm:

Step 1: Instituting an “IP aware” mindset within the company via the IP policy.

A well-formulated IP policy will:
a. Prompt the employee to proactively consider whether a valuable trade secret is being created;
b. Explain the processes necessary to identify and secure the confidentiality of the trade secret, including cybersecurity processes; and
c. Identify the key people for process implementation, including cybersecurity processes.

Step 2: Securing the company’s trade secret ownership via agreements or clauses in agreements

The following should be used to maintain trade secret confidentiality:
a. Appropriate agreements such as non-disclosure agreements, including outlines of “best practice” cybersecurity measures.
b. Appropriate clauses in agreements such as employee, contractor and partnership agreements, including cybersecurity specific clauses.

Step 3: Running periodic mining or discovery sessions

Periodic IP mining or discovery sessions should be utilized to discover and document trade secrets created within the company. By doing this, vital trade secrets can be identified and ownership of the trade secret can also be documented. Finally, the value and importance of the trade secret can also be documented. The cybersecurity team should be informed of the results of these processes.

Good IP flight risk management practice complements cybersecurity in the following ways:
- Identifying valuable trade secrets as a precursor to being secured: Good identification results in better tracking and securing of relevant trade secrets, resulting in more complete coverage.
- Prioritizing trade secrets based on the importance to the organization: Once trade secrets have been identified and the value to the organization has been determined, the cybersecurity team can set the required level of protection accordingly.
- Better regulation of access: As part of the prioritization process, the cybersecurity team can determine who has access and provide temporary access on an “as-needed” basis to trusted employees. This makes management and securing of trade secrets easier.
- Deterrent to misuse and misappropriation: If an action involves misuse or misappropriation of a trade secret, then the party carrying out the action may be punished. The determination of misuse/misappropriation and corresponding punishment depend heavily on factors such as:
  o measures taken to maintain confidentiality;
  o the degree to which the owner regards and treats the information as confidential;
  o the degree to which the recipient regards and treats the information as confidential; and
  o whether the recipient ought to have known that the information was confidential.

Therefore, the combination of a strong IP flight risk reduction strategy and cybersecurity policy makes it likely that misuse or misappropriation will result in harsh punishment. It also sends the message that the organization takes trade secret protection seriously. Together, these act as deterrents to misuse and misappropriation.