Protecting confidential information — three rules: Lock it up; label it; ‘safe sex’

If you ever have to sue someone for misappropriating your confidential information, your lawyers will almost certainly want to put on evidence about the efforts you made to keep the information confidential. (The law may well require that your lawyers put on such evidence — as in, if they don’t, you lose your case.) I’ve often used three rules of thumb as a shorthand for the things you ought to do to protect your confidential information.

1. Lock it up

Clearly, you need to implement sensible security measures for your physical premises and your computer network(s).

These measures don’t have to rise to the level of Fort Knox. But they do have to be perceived, in hindsight, as having been reasonable under the circumstances.

See, e.g., Herz v. Luzenac Group, Nos. 06-1324, 06-1358, slip op. at 15-16 (10th Cir. Aug. 11, 2009) (reversing and remanding summary judgment in relevant part): According to the appellate court, the lower court improperly “focused on the steps that Luzenac did not take, rather than evaluate whether the steps that Luzenac did take were reasonable. * * * [T]here always are more security precautions that can be taken. Just because there is something else that Luzenac could have done does not mean that their efforts were unreasonable under the circumstances.” (Emphasis in original.) [ADDED 2009-10-05]

Depending on your situation, it may well be that all you need to show the judge or jury is that you took simple, obvious precautions — for example:

• Locks on doors, windows, and file cabinets;
• Single-use visitor sign-in sheets at the reception desk, to show that you didn’t let just anyone onto your premises — the disadvantage of conventional multi-line sign-in sheets is that everyone can see who came to see whom;
• Need-to-know access restrictions;
• Passwords, virus scanners, and firewalls for your computers and networks;
• Don’t leave confidential stuff lying around.

Caution: Don’t build a world-class security system, but then do the equivalent of leaving the doors jammed open — opposing counsel purely love to billboard that sort of thing in the courtroom.

2. Label it

Use appropriate confidentiality labels, but don’t overdo it — it can be embarrassing (or worse) for opposing counsel to show the jury the take-out menus that someone mindlessly stamped ‘confidential.’

Labeling confidential information may be more than just a good idea: Your company might have signed nondisclosure agreements containing a marking requirement, under which unlabeled information is not deemed confidential at all. (Sample clauses)

Not labeling confidential information as such could cause a judge to conclude that your information wasn’t confidential. That’s what happened to Storage Technology in a lawsuit against Cisco.

3. ‘Safe sex’

Be careful about —

• whom you give confidential information to;
• establishing contractual confidentiality obligations whenever you disclose confidential information;
• whom you accept confidential information from — you don’t want to be contaminated by a competitor’s confidential information, possibly prompting them to try to make trouble for you.

Whether you’re giving or receiving confidential information, use ‘protection’ in the form of a suitable confidentiality agreement to put fences around the parties’ rights and obligations.

The U.S. Supreme Court has held that “[i]f an individual discloses his trade secret to others who are under no obligation to protect the confidentiality of the information, or otherwise publicly discloses the secret, his property right is extinguished.” Ruckelshaus v. Monsanto Co., 467 U. S. 986, 1002 (1984) (vacating and remanding district-court judgment). Monsanto had voluntarily disclosed to the EPA certain trade-secret data about its pesticides, in exchange for the economic advantages of registration, which allowed Monsanto to sell the pesticides. The Court held that the disclosure requirement did not constitute a ‘taking’ of Monsanto’s property interest in the data, except during a limited time period when Monsanto had a reasonable, investment-backed expectation that the EPA would keep the data confidential.

The Monsanto case was cited in Nova Chemicals, Inc. v. Seksui Plastics Co., No. 08-4090, slip op. at 17 (3d Cir. Aug. 28, 2009 (affirming district-court judgment that Nova did not violate license agreement). The court noted that, under the terms of a license agreement, after 1995 the licensee was not required to maintain the secrecy of any information it had acquired from the licensor. Thus, the court said, the information lost its trade-secret status, at least between the parties, in 1995.