White PaperThe Center for Responsible Enterprise and Trade (CREATe.org) just released a new White Paper“Reasonable Steps” To Protect Trade Secrets: Leading Practices in an Evolving Legal Landscape. It’s a must read for companies grappling with how best to protect and manage their trade secrets.

We have discussed a previous CREATe report that discussed the devastating economic effect that trade secret theft and misuse can have on a company’s profits, market share, and reputation. But this new White Paper provides concrete, practical advice on how companies can protect their trade secrets and potentially prevent trade secret theft.

In the US, a company must take “reasonable steps” to protect the secrecy of their business information for it to qualify as a “trade secret.” CREATe succinctly summarizes the consequences if “reasonable steps” are not implemented:

Aside from the practical usefulness of implementing “reasonable steps” to prevent trade secret theft and misuse, taking such steps can also have crucial legal significance. Where the legal definition of trade secrets includes a “reasonable steps” or similar requirement, a court can find that a company’s information is not a trade secret if such steps are not taken. Failing to take adequate precautions to protect such information can preclude a company from getting any legal redress if the worst happens and unauthorized disclosure or use of the information takes place.

And that’s where this paper offers value. It recommends an eight-part strategy of leading practices to ensure that companies are taking “reasonable steps” to protect their trade secrets. We have highlighted some of the most salient recommendations for each category:

Policies, Procedures, and RecordsIt should go without saying that companies should have confidentiality policies to protect information. But CREATe recommends that companies should also institute procedures to ensure the policies are being disseminated and followed—and that there are records to demonstrate this compliance. This can include using confidentiality clauses in contracts with employees, contractors, vendors, etc.; using NDAs with customers or potential business partners; and creating inventory of trade secret activity.

Security and Confidentiality Management. Companies should limit trade secret access on a “need to know” basis and should design “reasonable” ways to restrict this access. IT personnel should be involved in the strategy to ensure that information is stored on a company’s computer networks with the appropriate database and shared-drive restrictions.

Risk Assessment. Before companies can assess their “reasonable steps,” they must first identify what their trade secrets are, where the trade secrets are located, and who has access to the trade secrets.  Essentially, CREATe recommends that companies should conduct a trade secret audit so that a “risk mitigation plan” can be implemented to hopefully prevent trade secret theft.

Third Party ManagementBefore disclosing trade secrets to a contractor, client, or customer, companies need to make their policies known—”upfront and regularly”—and require NDAs and confidentiality terms where possible.

Information Protection TeamCREATe recommends that companies should consider developing a committee with oversight responsibilities for the company’s trade secret protections.

Training and Capacity BuildingCompanies need to create a corporate culture that emphasizes the importance of trade secret protections. This should begin during on-boarding and continue throughout the employees’ tenures, with specialized training for IT personnel and other executives with access to the most valuable business information.

Monitoring and MeasurementCREATe recommends annual or even more regular reviews of the company’s trade secret protection program, which should include a rating system to assess the effectiveness of the program and to address potential weaknesses.

Corrective Actions and ImprovementsCompanies must have a rapid response when it learns about potential trade secret theft. This should include a response plan that not only addresses the immediate theft or disclosure but also identifies the root cause, so that strategies can be developed—and added to the trade secret protection program—to prevent similar breaches from reoccurring.