The legislators of the EU member states have until 9 June 2018 to implement the new Trade Secrets Directive (2016/943/EU) into their national laws.
European companies are well advised to start well ahead of his date with their preparations for the new legal framework. Whereas the new directive promises better and more aligned legal protection across the EU, it also introduces stricter prerequisites for benefitting from the directive's legal protection: As a result of the new uniform definition of what is considered a ‘trade secret’, businesses will have to prove that they have taken ‘reasonable steps’ to keep their know-how and confidential business information secret (Article 2 para 1 lit c).
In other words: European businesses have to actively protect their confidential information and prove this in the event of a dispute. This is why businesses are advised to review the ways their internal processes deal with confidential information and know-how.
What should companies do?
There is no legal guidance yet on what kind of measures will be considered to meet the “reasonable steps” requirement, but we believe that any industry-standard secrecy strategy should entail a number of organisational, technological and legal measures aimed at keeping sensitive information secret. While the set-up for such strategy will vary on a case-by-case basis, we see three key areas to watch:
Know and structure your secrets
- Implement adequate "secrecy" policy and process to that everyone at the business clear about what information is to be treated as confidential
- Train employees on an ongoing basis
- Classify and mark confidential materials as such
- Structure internal processes on a need-to-know basis: Segregate production and development, limit the number of people having access to the relevant information and bind such people by appropriate NDAs
Track and control your secrets
- Monitor and document compliance with internal policies, in particular in relation to new and departing employees
- Track the flow of confidential information to (and from) customers, suppliers and external business partners
- "Black-box" or directly supervise certain sensitive departments
- Check and possibly revise confidentiality clauses in contracts with employees and external business partners
- Check (and regularly maintain) IT security for adequate internal protocols, access controls and encryption (especially on mobile devices)
Be prepared for crisis
- Establish enforcement and crisis protocols in case of trade secret theft
Any measures relating to employees must be in in accordance with employment law requirements (e.g. consent of works council) and data protection laws.
Focus on departing and new employees
Recent studies[1] clearly suggest that the greatest threat of trade secret misappropriation does not come from outside (e.g. cyber-attacks), but in fact from former employees who use confidential information for their own gain and/or competitive purposes. Former employees are, by numbers, the biggest group of trade secret thieves. Hence, any trade secret strategy should focus in particular on how departing employees are trained, briefed and monitored.
The same applies to new employees: Under the directive, the acquisition, use and disclosure of a trade secret is unlawful if the user knew or ought to have known that the trade secret was acquired from a person who was using or disclosing it unlawfully (Article 4 para 4 and 5). This means that employers will have to be careful with know-how and sensitive information brought into the company by new employees. Without a due diligence review, the use of such know-how and information may result in a liability under the directive.
Key take-aways
Companies should carefully review their set-up to protect the secrecy of their know-how and confidential business information. As soon as the directive has been implemented – by 9 June 2018 at the latest – companies will have to prove that ‘reasonable steps” have been taken to keep trade secrets safe. By failing to do so, companies may lose their right to legal protection under the directive.
As member states have room to manoeuvre regarding the directive’s implementation and are allowed to introduce stricter rules, the national implementation laws should be reviewed carefully.
[1] See e.g.: https://www.bitkom.org/Presse/Anhaenge-an-PIs/2015/04-April/Digitale-Angriffe-auf-jedes-zweite-Unternehmen/BITKOM-Charts-PK-Digitaler-Wirtschaftsschutz-16-04-2015-final.pdf (2015) and http://www.euromoneythoughtleadership.com/our-content/the-board-ultimatum-protect-and-preserve/ (2017).
