Ninth Circuit to Employers, Investors, and Entrepreneurs: “Create and Enforce Computer-Use Policies to Deter Theft of Valuable Trade Secrets and Proprietary Information”

Intellectual capital – trade secrets, proprietary information, and confidential methods of performing services (collectively, “trade secrets”) – is many companies’ most significant asset. A recent surge of senior executives and professionals who have left their jobs to join competitors or start their own competing businesses has made robust trade secret protection essential for all businesses dependent on intellectual capital. Trade secret owners can employ reasonable measures to protect the confidentiality and limit the disclosure of trade secrets without significant expense or overhead. Indeed, in United States of America v. David Nosal, the Ninth Circuit Court of Appeals recently emphasized how a handful of relatively simple and inexpensive measures can serve as powerful deterrents against employees’ use of company electronic resources to steal trade secrets.

In Nosal, a former marketing officer of a large executive placement firm used a copy of the company’s executive candidate database to launch a competing business. In response to the U.S. Government’s criminal indictment for violation of the Computer Fraud and Abuse Act (CFAA), the former officer successfully argued to the trial court that because he had lawfully obtained a copy of the database while working for his former employer, he could not be in violation of the CFAA. The Court of Appeals reversed, however, holding that the former employee’s use of the company computer system to access the database for purposes unrelated to company business exceeded his authority in violation of the CFAA. In reaching this conclusion, the court pointed to the following protective measures that the employer had maintained to limit its employees’ use of electronic resources, including the specific database at issue:

  1. Strictly limiting electronic access to specific, particularly sensitive databases to those employees who needed to use the databases to perform their job duties
  2. Strictly controlling and limiting physical access to the computer servers that contained proprietary databases to certain technical staff
  3. Giving each employee a unique username and password to company computer systems solely for use in performing job-related duties
  4. Requiring each employee to enter into an agreement that both explained the proprietary nature of the information to which access was being granted and expressly restricted the use and disclosure of that information to legitimate company business
  5. Clearly identifying confidential information by branding each page of every report containing proprietary data with the legend, “Proprietary and Confidential”
  6. At each login to the computer system, informing computer users that: (a) the electronic information and processes were company property; (b) specific authority was required to access the company’s system and information; and (c) accessing the company’s system and information without specific authority could lead to disciplinary action and/or criminal prosecution

Company executives, investors, and entrepreneurs should ensure – at a minimum – that the protective measures identified above are in place at the outset and maintained at every stage of their company’s existence. In order to implement a best practices trade secrets protection plan, employers should also consider adopting the following measures:

  • During employees’, vendors’, and consultants’ initial orientation, obtain a written acknowledgement of company data protection policies
  • Prevent employees who quit or are terminated from being able to access proprietary information and facilities by promptly:
    • terminating or strictly supervising that person’s access to company email servers
    • retrieving company-provided computers, pads, and smartphones and forensically preserving all information stored on those devices
    • obtaining a written certification of compliance with company non-disclosure policies during each former employee’s exit interview
  • Prohibit employees, consultants, and vendors from using personal memory devices such as USB flash drives and memory sticks
  • Regulate and monitor the electronic information employees can access from outside of the office
  • For paper documents and other physical forms of confidential information, limit access, physically segregate, and require adherence to chain-of-custody procedures
  • Deploy computer security measures such as passwords, encryption, and firewalls
  • Require all persons to enter into non-disclosure agreements before gaining access to trade secrets and proprietary information
  • Include non-competition clauses in all employment, consulting, and service agreements in jurisdictions where such clauses are enforced

Management should either perform a self-audit or hire appropriate professional personnel to audit and upgrade their current trade secrets protection programs. Any company that derives significant value from trade secrets and proprietary information but does not have a robust trade secrets protection program should establish one immediately.