United States: Pooley's Corner: Losing Secrets To Foreign Companies: How To Reduce The Risk

Last Updated: April 13 2017
Article by Trade Secrets Watch

Article by James Pooley

During a recent seminar I was asked, "What can companies do to stop the loss of trade secrets to places like China?" The questioner seemed stressed and a bit angry, perhaps reflecting a certain frustration that there may not really be an answer. Although there is no way to entirely eliminate information security risks when doing business overseas, we certainly can reduce them.

The modern commercial environment is inescapably digital and global. Long supply chains and open innovation strategies require sharing valuable information with actors in countries where legal protection systems are not robust. Companies increasingly employ foreign nationals, both in the United States and in installations abroad, and just like any other employees with knowledge of your secrets, they tend to move about.

The legal backdrop for all of this can seem confusing. If you look at the WTO standards for trade secret protection laid out in the 1995 TRIPS Agreement, they look pretty solid. (They also look familiar since they were adapted from the Uniform Trade Secrets Act.) But the problem lies in enforcement. Bringing a trade secret claim requires access to proof, and civil law countries don't provide discovery. So you need to perform your own investigation and then deal with the local authorities. We'll look at some things you can do to improve your chances in litigation; but let's start by considering how to manage relationships to avoid problems in the first place.

Set a security strategy

First, you need to set a strategy for handling your most valuable data. Inform yourself about the places where you think you might have to expose that data. What cultural differences might influence the way that people there will respect your rights? Are there local laws and policies on employee rights that could affect the trustworthiness of the people who will have access? Some cultural practices, such as the acceptability of "trading favors" or the ability of friendships to trump business obligations, could alter your risk calculus. Note that we are dealing here with the classical "insider threat" through which most critical information is lost. Whether the loss occurs through some electronic connection is not the point; the weak link is the personal actor.

So, in addition to the local cultural and business environment, your strategy has to consider the various relationships that will be implicated: collaborators, outsourcing partners, vendors, distributors and even customers can be vectors of information loss. If you intend to operate through a local subsidiary or establish your own local research facilities, then these too will become "endpoints" in your connected network. Finally, consider how these relationships will play out with other actors in other countries where you have operations.

As in any risk analysis, you have to be sufficiently informed about your environment so that you can make intelligent decisions about your appetite for risk. In this context, that means having a thorough understanding of what information assets you own, how quickly their value degrades, and what the likely threats of loss are. Understanding all of this will help inform the decisions you make about particular deal structures, or about how you package your secrets and where you send them.

Beware of local sharing requirements

Some governments may require that, as a condition of entering their markets, you have to license your relevant know-how or other intellectual property to a local partner. In its most benign form, these requirements are intended to provide a kind of "training" to local industries to help them move up the value chain and become more productive. In a darker sense, they can also simply be a way of forcing technology transfer to favor domestic companies. Either way, you need to consider the risk of loss as a cost of entering, or staying in, that market.

Some foreign laws regulate contracts, including nondisclosure agreements, to impose time limits on confidentiality. This can provoke surprises when dealing with local licensees, so if the information is particularly valuable, look carefully at these restrictions and at competition laws that regulate issues like territory or use restrictions on dealing with your data.

Of course, some local partners can be very valuable in helping a business succeed by applying their special knowledge or connections. And some markets, such as China or India, are so huge that the risk of some information loss is deemed acceptable. The point is not to avoid doing business in these places because they are risky, but to consider carefully the nature of the risks so that you can make smart decisions.

Pick your partners carefully

Legal issues are only a part of the picture when considering foreign operations. Because trade secret protection fundamentally relies on trust, your first line of defense is the integrity of the people you will be dealing with, so employ a "know your partner" rule. Thoroughly investigate before establishing the relationship, and carefully monitor and manage it throughout. This applies to the usual external relations with collaboration or outsourcing partners, vendors, distributors and customers. It applies with special force to your local managers, who will have ongoing access at some level to inside information and should be subject to extensive background checks (as well as solid contracts and ongoing training and close supervision).

For each of your potential corporate partners, ask: How well can I trust this company? What will it do to protect the secrets that I will disclose to it? Here, beware of the common but threadbare promise to protect your secrets with "the same level of care as is applied to its own." Instead, get specific about exactly what they do to manage confidentiality. What sort of contract (confidentiality and noncompete) program do they have in place with their own employees? What is their training program for trade secret protection? Do they do background checks on their employees? What procedures are in place for physical and electronic security? How sophisticated and well-enforced is their own information security policy? Will they subcontract any of the work they are doing for you, and if so, how do they protect against problems with the subcontractor or with that company's subcontractor? What has been the history of the company's other commercial relationships? Does it have ties to the government?

Pay close attention to your contracts

In the United States, contracts are important, but the law often will imply a confidential relationship, such as with employees or a long-standing supplier. The same is not true in most of the rest of the world, where secrets are often legally protected only by contract law. And the difference is even greater when it comes to remedies and enforcement in case of a breach. When dealing with foreign actors with access to your information, what's in the contract is the most important factor.

Be very detailed about what information is to be protected and how. This includes who is to get access and for what purposes. Also, be specific about exactly what protection measures you expect for the facilities where your information will be kept, the IT systems that may be used with it and procedures to be followed for return of materials at the end of a project. Where possible, require downstream agreements with all individuals and companies that may be given access (including noncompete provisions where allowed by local law), coupled with recordkeeping that will make monitoring compliance straightforward and easy. In fact, you may want to specify the content of these downstream confidentiality agreements to be sure that they name your company as the beneficiary of the secrecy obligation; in some countries, you may not be able to assert a claim if you are not named in the contract that binds that specific person or organization.

Expect to have to do more to manage and verify compliance when you are dealing with foreign relationships. Be sure that your partner is obliged to tell you when someone leaves the project team, and to take specific steps to follow up and ensure that confidentiality is respected by the departing employee. Require advance approval for any subcontracting. If you can get it, include an indemnity clause that puts the risk of loss on your partner in case there is a problem that happens through the people or companies they work with. Provide for regular audits and any other monitoring procedures that might be helpful.

Where possible, include specific and substantial penalties for any breach of confidentiality. Foreign courts may sometimes recognize these contract clauses and award much more than would have been available as normal damages. To ensure the most robust remedies, try to get the other side to agree to U.S. jurisdiction in case of any dispute. (This may be most effective with companies that have existing relationships or assets in the United States that they want to protect.) Consider including an arbitration clause, which some foreign jurisdictions may be more likely to enforce than a general concession to U.S. jurisdiction. Arbitration has the advantage of privacy, and often can produce more effective remedies than you can get directly from a court.

Pay even closer attention to management

While contracts are important, the most detailed agreements are not a substitute for close, even obsessive, management. Don't take anything for granted, and follow up on every issue. Even though it will take up more time, you will be better informed, and your intense attention will serve a message that you are serious about protecting your rights. Encrypt and document all communications. Mark every document prominently as confidential, and create special procedures for handling particularly sensitive records.

Make information security a positive objective for your partner. Create incentives that are connected to good security outcomes. Encourage quick and full disclosures of any problem, including reports on what departing team members are doing. And provide (don't just require) continuous secrecy training to every person who has access to your data.

Maintain good local intelligence and connections

Before making any substantial investment in a foreign location, retain legal counsel who is familiar with the practical realities of the jurisdiction and has helpful connections with local law enforcement. It's not just about the content of the laws, but about how to get enforcement when there's a problem. Are there special restrictions on employee confidentiality or invention assignment agreements? Do employees have to be paid special compensation for their inventions? Are injunctions available? How much proof do you need to win? What damages can you expect to recover? What are the risks of pursuing a claim in litigation?

Divide and allocate access to secret information

One time-tested strategy for managing risks to your trade secret is never to let one person know all that's necessary to make it valuable. Brought to scale for large organizations, this divide-and-allocate approach can include:

  • Sending only lower-value data into high-risk countries
  • Separating steps in a production process to occur in different places
  • Premixing ingredients or preparing critical parts in a secure location
  • Separating teams (and managers) according to various parts of a process
  • Rotating managers

For example, automotive manufacturers going into developing countries have resisted doing their research and design work there. And when Sony increased its manufacturing in China, it clarified that some very important parts, such as the PlayStation game controller chip, would always be made in Japan, for security reasons. These strategies may not be sustainable in the long term, so be realistic about how long it will take for your current secrets to be compromised so you can be working on making them more or less obsolete through your next generation technology.

Exercise care in traveling to foreign countries

Whether or not you establish facilities in foreign markets or enter into relationships that require sending your technology there, you or your colleagues will be "carriers" of your company's secrets whenever you travel. Here, apply equal doses of common sense and paranoia to avoid mistakes. Consider replacing your electronic gear–laptop and phone–for travel with stripped-down versions that contain only the applications and (encrypted) files you will need for this trip. Have them examined and "scrubbed" on your return so that you can know whether there has been any attempted compromise and whether it is safe to transfer your updated files. While in the foreign country, assume that all internet traffic is watched and recorded. Always use encryption, and where possible use a Virtual Private Network (VPN) to connect to the internet. Avoid all public wireless networks. When in meetings, assume that conversations are being recorded.

Prepare for litigation

Trade secret litigation is hard, expensive and disruptive. Doing it in a foreign jurisdiction can be all of those things but worse, so first try to find a nonlitigation solution to the problem. If that can't work, consider whether it might be possible to sue only in the United States. If that is not an option, then consider this:

  • Retain foreign counsel with a proven track record of success in these cases.
  • Review your agreements and consider contract-based remedies.
  • Before filing, do all that you can to investigate and gather hard evidence.
  • Consider parallel actions in other jurisdictions (particularly the United States) to secure additional evidence or provide additional forms of relief.
  • If a full-scale injunction is unlikely or impossible, go for an early win with more limited relief, such as an order to preserve evidence.
  • Demand compliance procedures, such as appointment of a monitor.
  • Understanding that injunctions may be hard to get, focus on developing your damages claim.
  • Carefully consider the pros and cons of a criminal complaint, and if you decide to go ahead, help the prosecutor plan for the most comprehensive seizure process by providing details of what should be found.

Did You Miss an Issue?

February – How to Recruit and Hire While Avoiding Data Contamination

January – When Employees Leave With Your Secrets

November – What Efforts Are "Reasonable" to Protect Your Trade Secrets?

October – The Most Cost-Effective Way You Can Protect Your Trade Secrets

September – New Risks in Warning Letters to Departing Employees

July – Be Careful What You Ask For

Twitter: @TS_Watch

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
 
In association with
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Check to state you have read and
agree to our Terms and Conditions

Terms & Conditions and Privacy Statement

Mondaq.com (the Website) is owned and managed by Mondaq Ltd and as a user you are granted a non-exclusive, revocable license to access the Website under its terms and conditions of use. Your use of the Website constitutes your agreement to the following terms and conditions of use. Mondaq Ltd may terminate your use of the Website if you are in breach of these terms and conditions or if Mondaq Ltd decides to terminate your license of use for whatever reason.

Use of www.mondaq.com

You may use the Website but are required to register as a user if you wish to read the full text of the content and articles available (the Content). You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these terms & conditions or with the prior written consent of Mondaq Ltd. You may not use electronic or other means to extract details or information about Mondaq.com’s content, users or contributors in order to offer them any services or products which compete directly or indirectly with Mondaq Ltd’s services and products.

Disclaimer

Mondaq Ltd and/or its respective suppliers make no representations about the suitability of the information contained in the documents and related graphics published on this server for any purpose. All such documents and related graphics are provided "as is" without warranty of any kind. Mondaq Ltd and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Mondaq Ltd and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use or performance of information available from this server.

The documents and related graphics published on this server could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Mondaq Ltd and/or its respective suppliers may make improvements and/or changes in the product(s) and/or the program(s) described herein at any time.

Registration

Mondaq Ltd requires you to register and provide information that personally identifies you, including what sort of information you are interested in, for three primary purposes:

  • To allow you to personalize the Mondaq websites you are visiting.
  • To enable features such as password reminder, newsletter alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our information providers who provide information free for your use.

Mondaq (and its affiliate sites) do not sell or provide your details to third parties other than information providers. The reason we provide our information providers with this information is so that they can measure the response their articles are receiving and provide you with information about their products and services.

If you do not want us to provide your name and email address you may opt out by clicking here .

If you do not wish to receive any future announcements of products and services offered by Mondaq by clicking here .

Information Collection and Use

We require site users to register with Mondaq (and its affiliate sites) to view the free information on the site. We also collect information from our users at several different points on the websites: this is so that we can customise the sites according to individual usage, provide 'session-aware' functionality, and ensure that content is acquired and developed appropriately. This gives us an overall picture of our user profiles, which in turn shows to our Editorial Contributors the type of person they are reaching by posting articles on Mondaq (and its affiliate sites) – meaning more free content for registered users.

We are only able to provide the material on the Mondaq (and its affiliate sites) site free to site visitors because we can pass on information about the pages that users are viewing and the personal information users provide to us (e.g. email addresses) to reputable contributing firms such as law firms who author those pages. We do not sell or rent information to anyone else other than the authors of those pages, who may change from time to time. Should you wish us not to disclose your details to any of these parties, please tick the box above or tick the box marked "Opt out of Registration Information Disclosure" on the Your Profile page. We and our author organisations may only contact you via email or other means if you allow us to do so. Users can opt out of contact when they register on the site, or send an email to unsubscribe@mondaq.com with “no disclosure” in the subject heading

Mondaq News Alerts

In order to receive Mondaq News Alerts, users have to complete a separate registration form. This is a personalised service where users choose regions and topics of interest and we send it only to those users who have requested it. Users can stop receiving these Alerts by going to the Mondaq News Alerts page and deselecting all interest areas. In the same way users can amend their personal preferences to add or remove subject areas.

Cookies

A cookie is a small text file written to a user’s hard drive that contains an identifying user number. The cookies do not contain any personal information about users. We use the cookie so users do not have to log in every time they use the service and the cookie will automatically expire if you do not visit the Mondaq website (or its affiliate sites) for 12 months. We also use the cookie to personalise a user's experience of the site (for example to show information specific to a user's region). As the Mondaq sites are fully personalised and cookies are essential to its core technology the site will function unpredictably with browsers that do not support cookies - or where cookies are disabled (in these circumstances we advise you to attempt to locate the information you require elsewhere on the web). However if you are concerned about the presence of a Mondaq cookie on your machine you can also choose to expire the cookie immediately (remove it) by selecting the 'Log Off' menu option as the last thing you do when you use the site.

Some of our business partners may use cookies on our site (for example, advertisers). However, we have no access to or control over these cookies and we are not aware of any at present that do so.

Log Files

We use IP addresses to analyse trends, administer the site, track movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information.

Links

This web site contains links to other sites. Please be aware that Mondaq (or its affiliate sites) are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of these third party sites. This privacy statement applies solely to information collected by this Web site.

Surveys & Contests

From time-to-time our site requests information from users via surveys or contests. Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose any information requested. Information requested may include contact information (such as name and delivery address), and demographic information (such as postcode, age level). Contact information will be used to notify the winners and award prizes. Survey information will be used for purposes of monitoring or improving the functionality of the site.

Mail-A-Friend

If a user elects to use our referral service for informing a friend about our site, we ask them for the friend’s name and email address. Mondaq stores this information and may contact the friend to invite them to register with Mondaq, but they will not be contacted more than once. The friend may contact Mondaq to request the removal of this information from our database.

Security

This website takes every reasonable precaution to protect our users’ information. When users submit sensitive information via the website, your information is protected using firewalls and other security technology. If you have any questions about the security at our website, you can send an email to webmaster@mondaq.com.

Correcting/Updating Personal Information

If a user’s personally identifiable information changes (such as postcode), or if a user no longer desires our service, we will endeavour to provide a way to correct, update or remove that user’s personal data provided to us. This can usually be done at the “Your Profile” page or by sending an email to EditorialAdvisor@mondaq.com.

Notification of Changes

If we decide to change our Terms & Conditions or Privacy Policy, we will post those changes on our site so our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it. If at any point we decide to use personally identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email. Users will have a choice as to whether or not we use their information in this different manner. We will use information in accordance with the privacy policy under which the information was collected.

How to contact Mondaq

You can contact us with comments or queries at enquiries@mondaq.com.

If for some reason you believe Mondaq Ltd. has not adhered to these principles, please notify us by e-mail at problems@mondaq.com and we will use commercially reasonable efforts to determine and correct the problem promptly.