By Sam Tyfield.
In November 2013, the EU Commission published a draft Directive on “the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure”. All else being equal, we may expect the Directive to be put into national laws within the next four years. Notwithstanding the extended timetable, there are a number of issues highlighted in the aims of the Directive which reflect points I have made in the past about best practice in (a) protecting one’s own IP rights and (b) protecting others’ IP rights (or at least limiting the possibility that one is found to be in possession of another’s IP). Three examples are:
1. Establishing employee on-boarding procedures to reduce the risk that others’ IP rights make their way onto a system;
2. Reducing an employee’s ability to (a) access IP rights to which he/she should not have access, (b) remove or copy IP rights without authorisation and (c) make use of that IP rights in a way which is in breach of his/her contractual or tortious obligations; and
3. Enhancing the likelihood of identifying a breach by an infringer using monitoring tools, passwords, security audits, ‘magic numbers’ in code etc.
Therefore, although the details remain to be thrashed out, the changing landscape does mean that I would advise attention to the matters sooner rather than later.
Importantly, the remedies (and limitations to those remedies) and the best practices which should be taking shape will have benefits for both alleged infringers and those seeking to allege infringement:
· From the point of view of the alleged infringer, any action against it would be made more difficult by the barriers the alleged infringer put up to being put in possession of another’s ‘trade secrets’; and
· From the point of view of the person alleging infringement, any action (and the identification of breach) would be made easier by the barriers that person put up to infringement of their ‘trade secrets’.
The notion behind the Directive is to harmonise the protection of know-how and trade secrets across the EU. Currently, each member state has its own rules as to what is a ‘trade secret’ and how it is to be protected. In the UK, the current position is as follows:
· To qualify as a trade secret, the information must have the “necessary quality of confidence about it” (which, in some circumstances may be difficult to prove – merely labelling something ‘confidential’ will not by itself be sufficient);
· In a recent case, the Supreme Court in the UK held that an ex-employee who assisted others who misused confidential information but who (a) had no personal access to that information and (b) had no reason to infer misuse, had no implied term of employment to prevent giving such assistance and was not guilty personally of any unlawful activity;
· In the employment context, some information may not be counted as ‘confidential’ if it is available publicly or relates to ‘common business practices’; and
· An employee should not be deprived of being able to use what is ‘in his head’ as ‘acquired skill and knowledge’ (which is part of the reason post-termination non-compete covenants exist).
The Directive seeks to define a ‘trade secret’ as information which:
· Is a “secret” – it is not generally known among, or readily accessible by persons within the circles that normally deal with this type of information;
· Has a commercial value because it is secret; and
· Has been subject to reasonable steps (under the circumstances) by the person lawfully in control of it, to keep it a secret.
In its current form, the Directive provides:
· Acquisition of a trade secret will be unlawful if “intentional” or “by gross negligence”;
· Acquisition will include accessing or copying documents or materials lawfully under the control of the trade secret holder containing the secrets (or sufficient information about them from which they may be deduced);
· Accessing or copying can be undertaken by theft, bribery, deception, breach or inducement to breach confidentiality agreements or other duties of secrecy or by any conduct “contrary to honest commercial practices”;
· Use or disclosure of trade secrets will be unlawful if:
o the disclosing person knew or should have known that the trade secret was obtained from another person using or disclosing the trade secret unlawfully;
o they were acquired unlawfully; or
o if use is in breach of a confidentiality agreement or any other duty (contractual or otherwise);
· The maximum limitation period for bringing trade secrets actions must be less than 2 years but greater than 1 year;
· Remedies will be available provided they are:
o proportionate;
o avoid the creation of barriers to legitimate trade; and
o provide safeguards against their abuse; and
· Damages and injunctions shall be appropriate remedies, and damages shall take into account:
o negative economic consequences, including lost profits, which the injured party has suffered; and
o “unfair” profits made by the infringer.
In relation to trade secrets, particularly in the electronic trading environment, I believe that this Directive will have a number of effects:
1. Specifically in relation to the current position in the UK, it removes a certain amount of ambiguity about what is and is not a “trade secret” in employee/employer relationships;
2. In relation to the EU generally, the Directive should remove the differences between Member States in treatment of ‘trade secrets’ and their protection/enforcement;
3. It will be advisable to check employee handbooks and contracts of employment to ensure that any new nomenclature is reflected appropriately and that the protection of IP rights is proportionate and in accordance with the aims of the Directive;
4. Bring-your-own-device, records storage, remote access and on-boarding and exit policies and procedures should be examined to limit the possibility of an employer being “grossly negligent” in permitting a new employee to bring another’s trade secrets with him/her.