From Personal Information to Trade Secrets: Welcome to the Accelerated Digital Age!
17-May | Written by Vanessa Henri, Marek Nitoslawski, and Eliane Ellbogen • Fasken • Montreal, PQ
The handling of personal information and its protection are increasingly at the forefront of legislative concerns in Canada. And with potential fines in the millions of dollars, not to mention high-profile data breaches regularly being reported in the media, it is understandable that businesses are concerned. However, all organizations should be mindful of the governance and protection of all valuable information assets including, for many of them, oft-forgotten trade secrets.
A trade secret is defined as business information which (1) is kept secret, (2) has commercial value to the organization, and (3) is subject to reasonable measures to protect its secrecy. The key here is that the failure to protect trade secrets can result in the loss of legal protection. A trade secret is valuable precisely because it is kept secret.
This is different from personal information, which is information that can be used to identify an individual, and which is protected by various forms of privacy legislation.
While these two types of information assets are distinct, they often overlap in practice. This is because when personal information is used as fuel for predictive algorithms and other emerging technologies, it may also be protectible as a trade secret, given the right circumstances. In fact, personal information is gaining in value for business organizations, not only for its informational value, but also because its methods of collection, storage and use, and the resulting data, may also be considered trade secrets that warrant protection. While the courts still have to reconcile both regimes, in particular in the context of the exercise of individual rights regarding their personal information, it remains that the digital transformation has affected how organizations should handle their trade secrets.
In such a context, businesses should equip themselves to better understand and integrate the legal distinctions between trade secrets and personal information directly into their governance, risk and compliance (“GRC”) initiatives, leading to a holistic information governance strategy that accounts for all types of information assets and their legal particularities.
Indeed, while trade secrets are informational assets in the same way as personal information, they call for vastly different legal and operational considerations, including in terms of the legal impacts of information security. So, how are trade secrets different, and why do these distinctions matter for businesses in the digital age?
1. Regulatory Framework
In the United States, most states have adopted a model code to allow for uniform civil action across the country, including in areas such as cyber-espionage. As well, in 2016, Congress passed the Defend Trade Secrets Act, which provides civil recourse in the US federal courts in the case of trade secret theft in certain circumstances.
In Canada, trade secret protection is a bit of a patchwork. At the federal level, a recent amendment to the Criminal Code has created an offence for violating or unlawfully communicating a trade secret. At the provincial level, there is no uniform statutory regime, and the protection of trade secrets remains governed largely by judicial precedent.
More importantly, there is very little information available in Canada on the prevalence of trade secret cyber-misappropriation, and there is a lack of clear guidance from authoritative sources on how to operationalize the legal requirements relative to trade secrets, other than through judge-made law which is often reactive and contextual.
For example, privacy legislation provides businesses with a consistent framework, recognized certification opportunities, and guidance from dedicated authorities and practice guides. As for trade secrets, legal and cybersecurity practitioners have few opportunities to learn how to put into practice the various legal requirements to protect trade secrets through GRC initiatives.
This should not be interpreted as an indication that no effort is required from businesses, but rather as a question of policy: the protection of trade secrets is strictly a commercial matter, whereas the protection of personal information derives not only from commercial interests, but more fundamentally from stringent statutory requirements and basic human rights.
2. Secrecy
While trade secrets are a form of intellectual property, there is no statute-based process for registering them or enforcing them in Canada. Trade secrets only obtain legal recognition and preserve their value when they are kept hidden from the public, unlike other forms of intellectual property, such as patents, which are issued by the Patent Office and result in public disclosure of the invention. To the extent that a trade secret remains confidential, its owner will enjoy its commercial benefits exclusively and indefinitely.
It can therefore truly be a strategic business decision to keep certain types of information “secret” rather than applying for patent protection. In determining whether sensitive commercial information may be better kept secret as opposed to obtaining patent protection, a business will want to consider its larger, long-term intellectual property strategy and consider its inventory of the commercial information it wishes to protect. Various considerations will come into play when, for example, parsing trade-secret-worthy information from patent-worthy information:
Is the information in question patentable?
In some cases, often in the software industry, it is difficult or impossible to secure a patent. Trade secret protection is then an attractive alternative;
What is the lifespan of the information?
Patent protection is limited in time, which may not be practical in every circumstance, such as for the protection of recipes in the food industry. By comparison, trade secret protection is unlimited in time, for as long as the information is kept secret;
Can the subject-matter be easily discerned or reverse-engineered once the resulting product is sold in the marketplace?
A widget can be easily taken apart and copied, and thus lends itself to patent protection. A recipe or chemical formulation is not so easily discerned or copied from the finished product, and thus may more properly lend itself to trade secret protection.
The flip side to trade secret protection is ensuring that the information is actually kept secret. This will typically require the implementation of protective measures, such as physical and virtual safety controls, as well as contractual safeguards which, depending on the size of the company, may prove onerous. In today’s digital world, this means cybersecurity. By comparison, personal information retains its legal protection, regardless of whether it is made public or not.
In a nutshell, trade secrets form part of the strategic decisions that an organization must make in the wider context of its intellectual property management. The protection of trade secrets, unlike personal information, is not required by a regulatory framework. Consequently, trade secrets should call for a specific GRC approach that may not entirely coincide with the one in place for personal information.
3. Threat-Modelling
Threats to trade secrets are many and are not necessarily the same as for personal information. Personal information is often targeted by criminal groups as part of ransomware attacks for monetary gain, whereas trade secrets are more often subject to cyber-misappropriation through advanced persistent threats (“APTs”),[1] insider threats (e.g. rogue or disgruntled employees), or through remote access tools (“RATs”) which allow attackers to access networks remotely and extract information, even cross-border. As we have recently seen in the news, trade secret theft can also occur in the context of unfriendly foreign state-sponsored campaigns.
Being aware of such threats is critical when it comes to protecting trade secrets, because legal tools are often inefficient when used reactively. Indeed, attributing liability in cyberspace is notoriously difficult, and it may not be possible to prove cyber-misappropriation, or even confirm the identity and location of the attacker to retrieve the trade secrets in question. In other words, our traditional legal tools composed of injunctive actions and redress may be of little assistance in the digital context, and organizations would be well advised to pre-emptively address such threats through the implementation of appropriate GRC initiatives.
Ultimately, this requires an understanding of the types of trade secrets an organization possesses, who has access to them and how they are used or stored, the aim being to adequately protect the organization in the face of actual vulnerabilities and threats specifically related to its trade secrets.
4. Enhanced Information Security Controls
Once this scoping analysis has been done, organizations should consider appropriate information security controls given the risks they’ve identified, the size of the business, the state of the art, the cost of implementation, and the economic as well as legal value of the trade secrets which the organization seeks to protect. In its risk assessment, an organization should also consider legal risks, such as shareholder derivative lawsuits resulting from loss of share value and breach of fiduciary duties from directors, officers, or high-ranking employees.
In comparison to personal information, trade secrets may call for enhanced information security controls, such as privileged access management, which focus on different aspects of an organization’s GRC approach. In this respect, there are useful standards and guidelines for addressing enhanced security requirements, such as those published by the National Institute of Standards and Technology (“NIST”).[2]
It is important to remember that the more decentralized and segmented the systems and protocols, the more resilient the trade secret protection plan will be. In essence, trade secrets should be distributed across physical and digital locations (centralizing confidential information makes it more susceptible to misappropriation and misuse), and anyone accessing such information should have to get through several security measures, which should generate clear logs for analysis. Enhanced security requirements revolve around: (a) Penetration-Resistant Architecture; (b) Damage-Limiting Operations; and (c) Cyber Resiliency Survivability, which are further explained in NIST Special Publication 800-172.
The specific nature of the threats and the legal context pertaining to the protection of trade secrets result in a need to leverage both legal and cybersecurity instruments. It is no longer enough to sign non-disclosure agreements now that trade secrets have entered the digital world.
5. Incident Response
A personal information breach calls for different considerations than a trade secret breach, and organizations should be mindful to consider these distinctions in their incident response planning. While privacy requirements may call for extensive guidelines on notification to data subjects and to the relevant authorities in the event of a breach, trade secret protection calls for enhanced measures to detect and attribute the misappropriation of a trade secret, not to mention the ability to retrieve the compromised information following a breach.
Indeed, while it is possible to obtain interlocutory redress or a search and seizure order in the face of the theft of a trade secret, obtaining such relief usually requires being able to demonstrate with some certainty how and by whom the unauthorized access was made, as well as establishing the misuse or disclosure of the trade secret. Strategies including honeypots and preventive controls such as privileged access management are critical to the success of trade secret incident response strategies. When crisis strikes, your lawyers will, with such tools at hand, have ready access to the required evidence in a timely manner. Unfortunately, experience has shown that there are few organizations with an integrated approach between the legal and operational staff to respond to these types of events in a rapid and efficient manner.
The current work-from-home context does not make things any easier, as organizations may have to consider performing forensic analysis at a distance and retrieving information from personal devices that may not be easily accessible. Businesses would be well advised to ensure that employees with access to trade secrets are working from company-owned hardware which is located in Canada, failing which such devices may be beyond the reach of any remedial order or may not be accessible to the organization.
The era of printing trade secrets locked in an underground vault is well behind us. As organizations move into the digital age, rethinking trade secret governance and protection must be at the forefront of the concerns of any organization that owns sensitive and valuable information, just as privacy concerns have been for some time now.
[1] See NIST SP 800-172 (Draft), which defines APT as: “an adversary or adversarial group that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors, including cyber, physical and deception. The APT objectives include establishing footholds within the infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, functions, program, or organization; or positioning itself to carry out these objectives in the future.”
[2] NIST Special Publication 800-172.