How to protect your business secrets*

In 2019 and 2020, about 75% of all German companies were the target of data theft, industrial espionage or sabotage. These incidents resulted in damages of 100 billion euros per year.[1] While these numbers are staggering enough, they will likely be even higher this year. What exacerbates these findings is the fact that data breaches often go unnoticed: they usually do not entail the “loss” of data[2] that the term “data theft” implies, but the unauthorized copying of data, which is much harder to become aware of. This article provides an introduction to what kind of information is protected by law as a business secret, why it doesn't suffice to enter into NDAs with business partners, and what can be done if confidential information has fallen into the wrong hands.


Who may compromise your business secrets?

Contrary to common belief, most data breaches that compromise business secrets are caused by employees, not external hackers.[3] Next in line are private hackers, competitors, suppliers, customers and external service providers as well as foreign intelligence services and organized crime gangs.[4]

What kind of information is legally protected as a business secret?

In Europe, business secrets are protected by EU Directive 2016/943[5] and the national implementation laws of the EU Member States such as the German Law on the Protection of Trade Secrets.[6] To enjoy protection as a “trade secret”[7], the relevant information must meet three requirements:

  • it must be secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question;
  • it must have commercial value because it is secret;
  • it must have been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.

The first requirement (a secret) is met if the information in question cannot be easily obtained by an internet search or other means. Unlike technical inventions that are published by the patent office, business secrets lose their legal protection if they become common knowledge or part of the expert knowledge in the relevant field.

The second requirement (commercial value) doesn't mean that the value of a business secret must meet a specific threshold to be considered significant. A business secret also has commercial value if the owner of the information suffers a significant disadvantage when unauthorized persons gain access to it.[8] A common example of this category is a customer list that cannot be compiled from a telephone directory or similar research,[9] which is notably the case if the list contains direct dial numbers that are not publicly available or additional CRM data. Electronic files containing construction data, 3D models of new products and prototypes that have not been disclosed at trade fairs or in journals can enjoy protection as business secrets too.

The third requirement (reasonable steps to keep it secret), however, is less well known, and what exactly constitutes “reasonable steps” to keep information secret has been the subject of controversial discussion in the legal literature.[10] The following section provides some basic guidance on the measures that should be on your to-do list if you want to maintain the legal protection of your confidential information as a business secret.


Which steps must be taken to maintain the secrecy of your business secrets?

The nature and scope of secrecy measures can vary significantly, as they depend on the size of the company affected, the availability of suitable (technical) protection and its cost in relation to the commercial value of the business secret. It is therefore not necessary to always provide the best possible level of secrecy but only what is practical and commensurate in each individual case. Such secrecy measures can be broken down into

  • organizational measures such as clean desk policies, visitor management, and defined roles and responsibilities of employees and suppliers ensuring that access to confidential information is only granted on a need-to-know basis and only for as long as necessary to fulfil legal or contractual duties;
  • technical measures, which are of paramount importance in the current digital transformation of virtually all industry sectors. The introduction of an information security management system (“ISMS”)[11] and regular penetration tests are certainly advisable for any company with 250 or more employees. For smaller companies, simple measures like two-factor authentication for servers, personal computers and especially mobile devices such as smartphones and tablets can already go a long way towards keeping your business information secret;
  • legal measures, i.e. non-disclosure agreements (“NDAs”) with all employees, freelancers, suppliers, service providers and external data processors; it is important to note, however, that NDAs alone cannot be considered sufficient to protect your business secrets, as they are only binding on the contracting parties, so you need to take all the other measures described above and below as well to secure legal protection of your confidential information;
  • employee training in handling confidential information and the introduction of suitable business processes designed to keep confidential information secret, e.g. a reporting system (whistleblowing tool) for data breaches and other security incidents.
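The organizational and technical bullets above (need-to-know access, granted only for as long as necessary, plus the ability to notice unauthorized copying) can be expressed as a concrete control. The following is an added illustration, not code from the article or from any product it mentions: a deny-by-default registry in which every permission is bound to a purpose and an expiry date, every access decision is written to an audit trail, and the audit trail is scanned for users who read an unusual number of secret documents in a short window, the pattern of someone who holds a legitimate grant but copies far more than their task requires. The document names, users, time window and threshold are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Grant:
    """A time-bounded, purpose-bound permission for one user on one document."""
    user: str
    document: str
    purpose: str       # the need-to-know reason, kept for the audit record
    expires: datetime  # access ends here even if nobody remembers to revoke it


@dataclass
class SecretStore:
    """Deny-by-default registry of documents classified as business secrets."""
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # (time, user, document, allowed)

    def grant(self, user, document, purpose, valid_for, now):
        """Grant access for a limited period; the expiry is fixed at grant time."""
        self.grants.append(Grant(user, document, purpose, now + valid_for))

    def revoke(self, user, document=None):
        """Revoke one document grant, or all of a user's grants (e.g. on departure)."""
        self.grants = [g for g in self.grants
                       if not (g.user == user and (document is None or g.document == document))]

    def access(self, user, document, now):
        """Return True only if an unexpired grant exists; log every decision, denied or not."""
        allowed = any(g.user == user and g.document == document and now < g.expires
                      for g in self.grants)
        self.audit.append((now, user, document, allowed))
        return allowed

    def bulk_readers(self, now, window, threshold):
        """Users who successfully read at least `threshold` distinct documents within `window`."""
        since = now - window
        per_user = {}
        for when, user, document, allowed in self.audit:
            if allowed and since <= when <= now:
                per_user.setdefault(user, set()).add(document)
        return sorted(u for u, docs in per_user.items() if len(docs) >= threshold)


def demo():
    """Constructed scenario (assumed names and times): one engineer, one sales employee."""
    t0 = datetime(2021, 3, 1, 9, 0)
    store = SecretStore()
    store.grant("alice", "cad/prototype-v3.step", "design review", timedelta(days=7), t0)
    for i in range(5):
        store.grant("bob", f"crm/customers-{i}.csv", "quarterly report", timedelta(days=1), t0)

    results = {
        "alice_in_window": store.access("alice", "cad/prototype-v3.step", t0 + timedelta(days=2)),
        "alice_expired": store.access("alice", "cad/prototype-v3.step", t0 + timedelta(days=8)),
        "carol_no_grant": store.access("carol", "cad/prototype-v3.step", t0),
    }
    # bob holds valid grants, yet copies all five customer files within a few minutes
    for i in range(5):
        store.access("bob", f"crm/customers-{i}.csv", t0 + timedelta(minutes=i))
    results["bulk"] = store.bulk_readers(t0 + timedelta(minutes=10), timedelta(hours=1), threshold=3)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the expiry field is that the "only for as long as necessary" requirement is enforced by the system rather than by someone remembering to revoke; the point of logging denied attempts as well as successful ones is that an audit trail with only successes cannot show probing. The bulk-read threshold is a starting heuristic, not a rule from the text, and would be tuned per role in practice.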

These measures must strike a reasonable balance between what is technically feasible and economically sound. NDAs often do not get the attention necessary to be effective, as they frequently consist of boilerplate language that does not consider the nature of the information and the specific technical and organizational measures that the recipient must take to protect it against unauthorized access or disclosure.

Which acts regarding business secrets are prohibited by law?

The following acts are considered illegal:

  • the unauthorized access to, appropriation of, or copying of any documents, objects, materials, substances or electronic files, lawfully under the control of the trade secret holder, containing the trade secret or from which the trade secret can be deduced;
  • any other conduct which, under the circumstances, is considered contrary to honest commercial practices;
  • the unauthorized use or disclosure of a trade secret by a person who acquired the trade secret unlawfully or is in breach of a confidentiality agreement or any other duty not to disclose the trade secret or to limit the use of the trade secret.

Whether any one of these acts has been committed by the suspect requires a thorough legal analysis. Please note that these illegal acts can be committed not only by external hackers but also by current CEOs or employees of a company who already have authorized access to business secrets but exceed their authority by misusing that access for their own business purposes or by disclosing business secrets to a competitor or future employer.[12]

You have reason to believe that someone gained unauthorized access to your business secrets. What should you do now?

If you had a security breach or if you have reason to believe that somebody misappropriated your company′s confidential data, you should start to investigate what happened as soon as possible. In doing so, you should first clarify if personal data of customers, suppliers, employees and other individuals or only non-personal data has been compromised. This is advisable because a security breach that affects personal data triggers certain reporting and information obligations towards supervisory authorities and the data subjects under the EU General Data Protection Regulation (GDPR). Failure to comply with these obligations can expose your company to considerable administrative fines and damage claims.[13]

If your IT systems or networks have been breached and your IT department cannot identify the security leak(s), you should not hesitate to hire qualified IT forensic experts (for instance from a provider with ISO 27001 certification, bearing in mind that this certifies the provider's management system rather than the individual investigator) to perform an internal security audit. They can identify the source of the data leak and recommend suitable measures to close it. Make sure that logs, disk images and other traces are preserved before systems are rebuilt or the leak is closed, as you will need them as evidence later. To limit the damage inflicted by the unauthorized access, you should try to identify the culprit(s) so that you can take legal action against them and prevent them from disclosing your business secrets to third parties and/or using them to improve their own products.


What legal steps can you take against the infringer?

Before you initiate any legal measures against the suspected infringer, you should always collect sufficient evidence to back up your suspicion as you will need to prove beyond reasonable doubt who is indeed responsible for the infringement of your business secret(s).

Once you have done this, you can enforce cease-and-desist claims against the infringer. In Germany, these claims are usually raised in a warning letter by which the infringer is granted a deadline to sign a cease-and-desist declaration under penalty in which he promises to refrain from any (further) disclosure or use of the business secret(s). If the infringer doesn′t comply with this request, you can apply for a preliminary injunction by the competent court to enforce your cease-and-desist claims.

Upon your request, the court will also order the infringer who knew or ought to have known that he was engaging in unlawful acquisition, use or disclosure of your business secret, to pay your company damages appropriate to the actual prejudice suffered as a result of the unlawful acquisition, use or disclosure of the business secret. Such damages must be enforced by a subsequent action on the main case.

Besides or alternatively, you can apply for the prohibition of the production, offering, placing on the market or use of infringing goods, or the importation, export or storage of infringing goods for those purposes, the recall of the infringing goods from the market and the destruction of all or part of any document, object, material, substance or electronic file containing or embodying the business secret or, where appropriate, the delivery up to you of all or part of those documents, objects, materials, substances or electronic files. “Infringing goods” in this sense are all goods, the design, characteristics, functioning, production process or marketing of which significantly benefits from trade secrets unlawfully acquired, used or disclosed.

If you are unsure if your NDAs provide sufficient protection for your business secrets or if you have reason to believe that your business secrets have been compromised, you can contact me anytime. And if you found this article useful, please feel free to comment on it and share it with your contacts.

* In order to improve readability, I do not use any gender-differentiating formulations in my publications. The relevant terms generally apply to all genders to achieve equality. The shortened language form has only editorial reasons and does not include a rating. Views expressed in my publications are entirely my own and do not imply any adoption by competent courts unless indicated otherwise.

**This article may be shared with contacts of LinkedIn members provided that the copyright notice and the name of the author are not removed or replaced.

[1] Bitkom (ed.), Spionage, Sabotage und Datendiebstahl – Wirtschaftsschutz in der vernetzten Welt, Studienbericht 2020.

[2] Even so-called “ransomware”, i.e. software that encrypts all data on a server or personal computer in order to blackmail the owner into paying for the decryption, doesn't remove any data but makes it inaccessible. More on this at https://www.cisa.gov/ransomware

[3] https://www.handelszeitung.ch/management/mitarbeiter-sind-das-groesste-it-risiko-fuer-firmen-259883. The Egress Insider Data Breach Survey 2019 reported that 79% of respondents believed that employees had put sensitive company data at risk accidentally in the last 12 months, see https://bit.ly/3aiRoQp. The Deloitte Cyber Security Report 2019 arrived at similar conclusions, as 75% of respondents considered employees a high or very high security risk, see https://bit.ly/3qVi8wt.

[4] In this order, see the current Bitkom study mentioned in footnote 1, page 28.

[5] Directive (EU) 2016/943 of the European Parliament and the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure, O.J. no. L 157 of June 15, 2016, p. 1 et seq.

[6] Gesetz zur Umsetzung der Richtlinie (EU) 2016/943 zum Schutz von Geschäftsgeheimnissen vor rechtswidrigem Erwerb sowie rechtswidriger Nutzung und Offenlegung of April 18, 2019, BGBl 2019, part I, no. 13, p. 466.

[7] The terms “trade secret” and “business secret” have the same meaning and are therefore used interchangeably in this article, with a personal preference for the term “business secret” as it's all about your business after all.

[8] Köhler/Bornkamm/Feddersen/Alexander, GeschGehG § 2 marg. note no. 45.

[9] Cf. BGH, GRUR 2006, 1044 – Kundendatenprogramm; OLG Düsseldorf, judgement of December 7,2010, file no. 20 U 18/10, published as BeckRS 2011, 7387.

[10] Cf. Maaßen, GRUR 2019, 352; Partsch/Rump, NJW 2020, 118; Kalbfus, GRUR-Prax 2017, 391.

[11] For more information on ISMS and how to implement them see https://bit.ly/2NJm9Fx.

[12] Ohly in: Harte-Bavendamm/Ohly/Kalbfus, GeschGehG, § 4 marg. note nos. 15 and 16.

[13] These data breaches will still be dealt with in another article as this one focuses on business secrets in general, not personal data in particular.
