What do these things have in common?
On August 20, 2024, following the FTC’s April 23 rule essentially banning noncompete agreements, U.S. District Judge Ada Brown in Texas, who in a July 3 ruling had delayed its implementation, tossed the ban. In her decision, she stated that the FTC’s rule is “unreasonably overbroad without a reasonable explanation.” (The ban, which was slated to take effect on September 4, had been in the crosshairs with her July ruling followed in short a few weeks later with a ruling out of the Eastern District of Pennsylvania denying the plaintiff’s motion to enjoin and stay the FTC’s ban.)
Reasons to take measures to protect trade secrets regardless of the fate of the noncompete ban
It remains to be seen whether the FTC will file an appeal. Regardless, there are more reasons than not to take measures to protect trade secrets. Notably, 70% of IP theft occurs within 90 days before an employee’s resignation announcement, and an astounding 72% of departing employees admit to having taken company data when they leave, according to InfoSecurity Magazine.
Frame employee IP theft in light of a 17.3% average turnover rate among U.S. business between 2022 and 2023—and the 264,200 layoffs in the IP-rich tech industry in 2023 and 132,932 year to date. These numbers amount to potentially quite large risks to companies.
Further, the cybersecurity rules that the SEC adopted a year ago require public companies to disclose material cybersecurity incidents—which may very well entail confidential and trade secret information. In determining whether a cybersecurity is material, a May 2024 SEC statement urged companies to assess all relevant factors: “As the Commission noted in the Adopting Release, that assessment should not be limited to the impact on ‘financial condition and results of operation,’ and ‘companies should consider qualitative factors alongside quantitative factors.’ For example, companies should consider whether the incident will ‘harm . . . [its] reputation, customer or vendor relationships, or competitiveness.’”
With trade secrets the new currency of innovation–with or without the FTC ban–the above reasons are compelling enough to take steps to protect trade secrets.
10 ways to protect your IP and trade secrets
1. Leverage NDAs and confidentiality agreements
As part of its ruling, the FTC found that instead of using noncompetes to lock in workers, “trade secret laws and non-disclosure agreements (NDAs) both provide employers with well-established means to protect proprietary and other sensitive information. Researchers estimate that over 95% of workers with a noncompete already have an NDA.” NDAs are a critical tool in helping protect sensitive information.
Those agreements typically include defined terms that expire after a few years. Companies can include a carveout for trade secrets that do not expire until the trade secret becomes public, along with mandatory destruction clauses requiring exiting employees to return or destroy confidential information.
“In any NDA, the term for trade secrets [should be] indefinite until it becomes publicly known. That’s the gold standard,” says Ben Herbert, Partner and Co-leader, IP Practice, Miller Barondess LLP.
Finally, while residual clauses used to be more common, it’s difficult to restrict the use of accrued industry knowledge gained through experience. If exploring residual clauses, examine the case law on the topic and ensure it is coextensive with other agreements specifically protecting trade secrets.
As this rule raises awareness about confidentiality and trade secrets, that awareness should extend beyond the employer/employee relationship to agreements and NDAs between companies, a company and a vendor, and the like.
2. Approach mergers and acquisitions with discipline
Company acquisitions always come with risk, especially involving an employer from another country where noncompete laws may be different or may not exist at all. While it’s best to require new employment agreements during acquisitions to mitigate risk, if the new employees acquired in the merger or the acquisition are not required to sign a new employment agreement, companies must be disciplined in ensuring that policies are consistent across locations.
“In some situations, new employees coming over in a merger or acquisition slip through the cracks and do not sign a new employment agreement. This is particularly risky if it’s a cross-border acquisition; that’s a place where you need to be very disciplined. You need to make sure that whatever policies you have on the ground for employees at the ‘mothership’ are actually being followed at other sites around the world—assuming, of course, that those policies comply with local laws,” advises Diane Gabl Kratz, Director, IP Strategy & Operations, Dolby Laboratories.
3. Provide multifaceted employee onboarding and training
With or without the noncompete agreements so many employers have relied on for protection, they augment trade secret protection and confidentiality protection with robust onboarding and training on what those mean for employees. To do so, they need to first define which information is confidential, what are considered the company’s trade secrets and IP, and what level of access each employee should have to that information.
“The term under federal law for trade secrets is defined very broadly and can capture quite a bit. Virtually all types of tangible and intangible assets from an organization are covered,” states Matthew Joyce, Vice President, Sales, IP Services & Solutions at UnitedLex.
Trade secret protection begins at onboarding when employees should be given company policies about device usage, ownership access privileges, as well as establishing a clear protocol for employee departures that includes returning devices and disconnecting access to company information.
As part of onboarding, employee handbooks should contain detailed definitions of trade secrets and receive signed acknowledgements from the employee.
4. Establish an exit process
Ideally, all employees should sign employment agreements, and during exit interviews companies can get a signed acknowledgement that the employee leaving understands their ongoing obligations related to sharing confidential information. The best-case scenario includes individualized letters for employees that list the types of confidential information they had access to, and secure written acknowledgement that they understand the consequences for sharing that information.
As employers, companies should establish a well-communicated and adhered to process for how they treat departing employees. Exit interviews can be helpful in ensuring positive outcomes as they provide an opportunity for employers to communicate expectations with regard to maintaining integrity of any known trade secrets during employment, acknowledgement of understanding from departing employees as well as time to process information or raise any concerns and/or address questions.
5. Establish clear device policies
As part of onboarding and training, employees should be provided with detailed guidance how company-issued devices or BYOD and applications should be used, including accessing and storing company data on mobile devices, and collaboration tools used for communications. Having clear policies about which communication and collaboration tools are allowed, especially on company-issued devices, and enforcing them throughout an employee’s tenure helps reduce the threat of malicious actors using these tools to mishandle confidential information, IP, and trade secrets.
6. Conduct a data mapping exercise to locate trade secret and sensitive information
Knowing the exact locations of your trade secret and sensitive information through data mapping allows you to take steps to protect that data. Data mapping is the process of creating an inventory of a company’s data, showing what types and formats of IP and trade secret data the organization generates, uses, and stores, where that data is stored. It should also detail who is responsible for that data, and when it should be archived or deleted based on data retention obligations or retained due to legal hold.
7. Restrict and monitor access through physical and technological controls
Give employees access only to the systems and information necessary to do their job. Monitor the location of confidential information to identify unusual or unauthorized access. Many employees have access to more information than they need to do their jobs, including access to entire file shares where they can access information before they depart.
“If you can narrow the universe of folks that have access to trade secrets, that’s better,” says Herbert.
8. Establish preservation protocols for departing employees
Create a system where recovered devices from departing employees are quickly imaged and stored for analysis for a set amount of time before the device is repurposed to another employee. This ensures that a company can protect data from inadvertently being lost or destroyed when the device is transferred to another employee. Moreover, preservation ensures that any potential evidence uncovered during an investigation or anticipated litigation is not inadvertently destroyed, deleted, lost, or altered in any way.
9. Complete a forensic triage of departing employee devices
Proactive internal investigations of departing employees can help identify if they have destroyed, exfiltrated, or transferred proprietary information prior to departing the company; one of the surest approaches is through executing a forensic analysis of a departing employee (FADE).
“If there is a massive layoff, for example, and you have hundreds of employees who’ve lost their jobs, then you have hundreds of laptops that need to be investigated,” says Gabl Kratz. “These laptops could be sitting not for weeks, but many, many months. By the time you identify some sort of problem, it’s going to be a lot harder to properly address it. It’s likely too late to easily gather what you need and mitigate damage.”
Through a FADE investigation, companies can discover the efforts of individuals trying to cover their tracks, ensuring there was no unauthorized access or removal of IP, confidential information, or trade secrets by departed employees.
Warren Kruse, Vice President, Data Forensics & Preservation at UnitedLex, says, “We do a lot of triage when someone is suspected of leaving and going to a direct competitor and maybe using the trade secrets or the confidential information or the IP. For example, conduct analysis to see if there’s any indication that they sent the ‘crown jewels’ to their personal cloud account, their home email address, their new employer or copied it onto a thumb drive.”
“Unfortunately, what happens sometimes is it takes so long before employers realize that potentially bad actors are using their IP. If they don’t have a good exit process, the data might be gone before we even get the call. If you have a good exit process and do a triage sooner rather than later if will reduce IP and trade secrets being used by your competitors.”
Don’t forget the mobile when an employee leaves, it is common to take screen captures of IP and trade secrets, or use the mobile device to remove company data. There have been tremendous advances in analyzing mobile devices. For many years following the proliferation of smart devices, companies could be locked out of them following collection as a departing employee failed to provide the password. Some companies had evidence rooms full of mobile devices they owned but couldn’t access. Recently, thanks to new software, forensic teams can now unlock cell phones they have the legal authority to access and conduct analysis to provide deeper data collection abilities.
10. Revisit trade secret strategies
Finally, the FTC notes that employers have other ways to protect proprietary company information, including through trade secret protection and enforcement. In the wake of the potential ban on noncompetes, employers should assess their current trade secret protection strategies and develop enhanced safeguards to protect those trade secrets from improper disclosure by departing employees.
Bottom line
Regardless of the fate of the FTC noncompete ban, employee turnover rates, IP theft trends, and cybersecurity threats and reporting obligations should encourage all employers to assess the efficacy of their trade secret protection efforts and take steps to augment them.
This posting is the latest update to a webinar UnitedLex hosted on May 30, 2024, titled, Employee Departures: Digital Forensics, Noncompete Bans, & IP Protection, featuring Diane Gabl Kratz, Director, IP Strategy & Operations, Dolby Laboratories; Ben Herbert, Partner and Co-leader, IP Practice, Miller Barondess LLP, and Warren Kruse, Vice President, Data Forensics & Preservation, UnitedLex. Matthew Joyce, Vice president, Sales, IP Services & Solutions, UnitedLex, moderated the webinar.
Let’s talk about how UnitedLex can support your trade secret protection strategies with FADE and IP services.