Cybersecurity, Trade Secret Asset Management and the Defend Trade Secrets Act
Cybersecurity, trade secret asset management (TSAM) and the Defend Trade Secrets Act of 2016 are inextricably interwoven. Cybersecurity is the goal, trade secret asset management is the means, and the Defend Trade Secrets Act of 2016 is the legal framework for redress in the courts.
The Problem With Cybersecurity
Cybersecurity has been fighting a losing battle. When data storage devices were small, and sensitive digital data was limited, cybersecurity was much easier. A few people were given access to the digital data, and the little digital data was easier to track and protect. Physical data, in manuals and documents, blueprints and prototypes, were bulky, making it difficult to steal large amounts of data without detection.
The explosion of digital data, and the increasing density of storage devices, has changed the game forever. A flash drive the size of a Bic lighter now holds up to two terabytes of data. The company’s entire product documentation — formulas, methods, processes, and designs — can now walk out the door in an employee’s pocket. The prevalence of digital data in the corporation and its business processes means that the entire employee base now has access to the corporation’s digital data. Cybersecurity has been slow to adapt to these changes, doubling down on methods successful in the past, but doomed to failure now or in the future.
Cybersecurity protection against outsider theft has largely succeeded, if competently crafted business methods are strictly followed. The more intractable problem of insider theft is now the major concern, and traditional cybersecurity methods are unavailing. The ever-higher digital barriers placed around the corporation and its sensitive data are no defense against data theft by people allowed inside the digital walls in the normal course of business.
The Role of Trade Secret Asset Management
Trade secret asset management holds the promise of reducing the cybersecurity problem to a manageable size and restoring the balance. The key lies in creating separate protectable islands of data within the sea of corporate information. There are several steps to accomplishing this isolation.
The first step is inventory. The term “trade secret asset” implies an inventory. All other assets of the corporation — real estate, buildings, production machines, vehicles, computers, furniture — are all routinely inventoried now, and have been for decades. Are trade secret assets to be the one, unique class of assets that remain uninventoried in the secure corporation? No, and such inventory is critical to cybersecurity.
An analogy we often use is that of a horse ranch — ten thousand acres, enclosed by sixteen miles of fence. Several hundred horses roam the ranch, but three are thoroughbreds, bred for racing, and extremely valuable. The current cybersecurity model raises the fence ever higher and has multiple security teams patrolling the sixteen miles of fence continuously. Better security could be achieved by identifying the three valuable horses, putting them in a smaller fenced pasture by the ranch house, and putting one fellow with a shotgun on the back porch.
So, too, with trade secret assets. If we know what our trade secrets are, and we know which ones are the most valuable, we can apply different standards of access and protection within the company to different trade secrets. We can isolate more valuable trade secrets into their own smaller “pastures” rather than have them roaming the corporation freely. This process forms islands of more protected data within the corporation, with access to these islands restricted on a “need to know” basis.
A word here about “need to know” is appropriate. The vice president of engineering does not need to know the engineering data of the company. He should not have access to all the data in the engineering database. His management role does not require it, and his authority should not extend to violating the cybersecurity needs of the company. In our own experience, senior executives, not janitors and secretaries, are the biggest insider threats to the company’s trade secret assets.
At the lower levels of the corporation, access to the company’s trade secret information should be deep, but narrow in scope, while at the higher levels of the corporation, access to the company’s trade secrets should be broad in scope but shallow. The vice president of engineering need not know the specific metallurgical content of the company’s super strong new alloy or its manufacturing process, and he should not have access to them.
Five Elements Of Trade Secret Asset Management
At an industry conference, one author of this article suddenly arose from his chair and, without looking to be sure it was there, held up his chair to the audience to show them the inventory sticker on the bottom of the chair. The company had a database entry somewhere that showed that chair, its style and color, when it was bought, from whom, what it cost, its depreciated value, and its current location within the company. The same company had no inventory of even its most valuable trade secrets.
What’s wrong with this picture?
How does the company inventory all its physical assets, right down to inventory stickers on the bottom of folding chairs? With a computerized accounting system designed originally for monks in the 16th Century to keep track of wine bottles. A complete trade secret inventory, too, will need a computer application designed for the identification, classification, protection and valuation of trade secret assets. The authors of this article have spent over 20 years working on an accounting system for trade secret assets.
Based on years of experience with both trade secret audits and trade secret litigation matters, we have identified five elements required for the design and implementation of an automated trade secret asset management application:
Taxonomy. The trade secrets must be classified into some easily understood taxonomy. Trade secrets existing as a large blob of undifferentiated knowledge is unacceptable. The classification system must be easy to understand so employees need not be trained to use it. We recommend a Subject/Format/Product (SFP) taxonomy. This is a formalization of the way employees talk about corporate information already. “Has anybody seen the Engineering Specifications for the Model 5750?” Engineering is the Subject, Specifications is the Format, and the Model 5750 is the Product.
Scoring. The trade secrets must be scored by some method that reflects legal standards and is easy to use. All trade secrets are not created the same. Some are better than others. The legal standard for trade secrets is the six factors from the First Restatement of Torts, to be considered by the courts in determining trade secret status. We recommend a 1-to-5 scoring mechanism in which each of the six factors is scored from 1 (low) to 5 (high). Employees are already familiar with 1-to-5 scoring, from grades in school to film review ratings.
Metadata. The automated trade secret asset management system should only store metadata about the trade secrets, NOT the trade secrets themselves. Were the system to store the trade secret information, it would become a security risk. Further, putting the trade secret information into the system exposes more people to the trade secret information and reduces the score for one of the six factors — to what extent the trade secret is known inside the company. A method of asset management should not reduce the value or security of the assets themselves. Just as the company’s accounting system for physical assets contains no furniture or vehicles, the trade secret asset management system should contain no trade secrets.
History. The automated trade secret asset management system must retain all the metadata about trade secrets and be able to reproduce the metadata in effect at any time in the past. The period of interest in a trade secret misappropriation lawsuit may be two or three years earlier (or even longer). One cannot litigate a case based on today’s metadata, one must litigate based on the trade secret metadata and access extant during the period of interest. Further, the historical treatment of the trade secret — proving that reasonable security measures have been taken throughout the life cycle of the trade secret — will be a critical issue at trial. The trade secret asset management system must retain all the original and historic versions of any trade secret metadata and be able to reproduce the metadata as it existed at any prior time.
Proof. The automated trade secret asset management system must contain methods for proving that historical metadata is contemporaneous to the period of interest and is not an artificial construct prepared for trial. We recommend the use of modern hashcode and blockchaining technology to provide a court-accepted method of establishing the existence of metadata at all past times.
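The Metadata, History and Proof elements can be seen working together in a small sketch. This is an added example, not the authors' system: the class name, factor labels, secret ID and dates are assumptions constructed for illustration, and SHA-256 chaining stands in for whatever hashcode scheme a real product uses.

```python
import hashlib
import json

# Shorthand labels (assumed) for the six Restatement factors, each scored 1-5.
FACTORS = ("known_outside", "known_inside", "secrecy_measures",
           "value", "development_effort", "hard_to_duplicate")
GENESIS = "0" * 64

def _digest(prev_hash, body):
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

class MetadataLedger:
    """Append-only, hash-chained metadata about trade secrets, never the secrets."""

    def __init__(self):
        self.entries = []

    def record(self, ts, secret_id, subject, fmt, product, scores):
        if set(scores) != set(FACTORS) or not all(1 <= v <= 5 for v in scores.values()):
            raise ValueError("need a 1-to-5 score for each of the six factors")
        if self.entries and ts < self.entries[-1]["body"]["ts"]:
            raise ValueError("entries must be appended in time order")
        body = {"ts": ts, "id": secret_id, "sfp": [subject, fmt, product],
                "scores": dict(scores)}
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"body": body, "prev": prev, "hash": _digest(prev, body)})

    def as_of(self, ts):
        """Metadata in effect at ts: latest version of each secret dated <= ts."""
        state = {}
        for entry in self.entries:
            if entry["body"]["ts"] <= ts:
                state[entry["body"]["id"]] = entry["body"]
        return state

    def verify(self):
        """Index of the first entry that breaks the chain, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["body"]):
                return i
            prev = entry["hash"]
        return -1

def build_sample():
    """Constructed sample: one secret re-scored after wider internal exposure."""
    ledger = MetadataLedger()
    base = dict.fromkeys(FACTORS, 4)
    ledger.record("2021-03-01", "TS-001", "Engineering", "Specifications", "Model 5750", base)
    ledger.record("2023-06-15", "TS-001", "Engineering", "Specifications", "Model 5750",
                  {**base, "known_inside": 2})
    return ledger
```

A chain held only by the company can be recomputed from scratch, so the head hash needs to be lodged periodically with an independent party for the dates to carry weight.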
Establishing And Enforcing Data Islands
With a trade secret inventory in hand, the isolation of trade secret assets into data islands becomes a trivial task. Using the values of the six factors to sort trade secrets, we can determine which trade secret assets need to be most protected, to be isolated on a data island. Using the values of subject and product, we can sort those trade secrets to determine which data island each gets assigned to. If an engineering employee is assigned to this product, then he gets need-to-know access to this data island, the engineering data for that product. No more, no less.
We can also further divide the data islands into specific projects within the product space to provide even greater security. If an employee is working on a specific part of the product, that is the only portion for which he has in-depth access.
Traditional methods of cybersecurity now apply. We are back to the situation that applied years ago, in which a few employees have access to a limited amount of data. No employee can copy the entire documentation for one of the company’s products onto a USB flash drive and walk it out of the company. Nobody in the company has such wide access, across all the different data islands involved.
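The island assignment and need-to-know rule described above, as an added example that is not the authors' code. The inventory rows, employee names, the summing of the six scores and the cut-off of 24 are all assumptions constructed for illustration.

```python
from collections import defaultdict

ISLAND_THRESHOLD = 24  # assumed cut-off on the 6-to-30 total of six 1-5 scores

# Constructed inventory rows: metadata only (ID, subject, product, six scores).
INVENTORY = [
    {"id": "TS-001", "subject": "Engineering", "product": "Model 5750",
     "scores": [5, 5, 4, 5, 5, 4]},
    {"id": "TS-002", "subject": "Engineering", "product": "Model 5750",
     "scores": [2, 2, 3, 2, 1, 2]},
    {"id": "TS-003", "subject": "Manufacturing", "product": "Model 5750",
     "scores": [4, 5, 5, 4, 4, 5]},
    {"id": "TS-004", "subject": "Engineering", "product": "Model 6100",
     "scores": [5, 4, 5, 5, 4, 4]},
]
# Constructed staffing: employee -> set of (subject, product) assignments.
ASSIGNMENTS = {
    "alice": {("Engineering", "Model 5750")},
    "bob": {("Engineering", "Model 5750"), ("Manufacturing", "Model 5750")},
    "vp_eng": set(),  # a management title alone grants no island access
}

def build_islands(inventory, threshold=ISLAND_THRESHOLD):
    """Sort by total score; secrets at or above the cut-off go to an island
    keyed by (subject, product)."""
    islands = defaultdict(list)
    for row in sorted(inventory, key=lambda r: sum(r["scores"]), reverse=True):
        if sum(row["scores"]) >= threshold:
            islands[(row["subject"], row["product"])].append(row["id"])
    return dict(islands)

def reachable(employee, islands, assignments):
    """Island secrets this employee can reach: the need-to-know sub-inventory."""
    held = assignments.get(employee, set())
    return sorted(sid for key, ids in islands.items() if key in held for sid in ids)

def spans_whole_product(islands, assignments):
    """Audit check: (employee, product) pairs where one person holds every
    island of a multi-island product, i.e. could carry out the whole product."""
    by_product = defaultdict(set)
    for subject, product in islands:
        by_product[product].add((subject, product))
    return sorted((emp, product) for emp, held in assignments.items()
                  for product, keys in by_product.items()
                  if len(keys) > 1 and keys <= held)
```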
Among those traditional methods of cybersecurity are means of keeping data on the data island to which it belongs. Digital rights management (DRM), embedded hash codes, check-in/check-out procedures, and other such methods serve to keep the data where it is and generate an access record for litigation.
The Defend Trade Secrets Act Of 2016
The Defend Trade Secrets Act of 2016 provides the legal framework within which to pursue trade secret litigation if it becomes necessary. One of its key provisions is the ability to obtain, upon ex parte application, an order providing for the seizure of property “necessary to prevent the propagation or dissemination of the trade secret that is the subject of the action.” The plaintiff can rush to the courthouse and stop the dissemination of their trade secret data before it is made public and lost forever.
There’s a catch with the ex parte seizure provision of the DTSA, however. The phrase “the trade secret that is the subject of the action” requires you to specify that trade secret in the application for the seizure order. Without an inventory, without data islands, without access records, how is one to do that? How is one to know which trade secret is at risk, and identify it to the court’s satisfaction?
With a trade secret asset management system, meeting the requirements of the DTSA is easy. Sort the trade secrets to which the defendant had access, print out the blockchained sub-inventory and hail a cab to the courthouse to obtain an ex parte seizure order. In contrast, without a trade secret asset management system — without being prepared to use the DTSA’s ex parte seizure provisions — the trade secret asset owner is left to scramble to identify the alleged trade secrets on the fly while the misappropriator transfers the trade secrets to another country or destroys the trade secret assets through publication or otherwise. As we all know, “a trade secret once lost is lost forever.”