Is Social Networking Disclosing Your Trade Secret Customer Lists?
It was inevitable. First came social networks, then came the lawsuits: In the e-discovery context, in impeachment situations (Ledbetter v Wal-Mart Stores Inc.(06-cv-01958-WYD-MJW) (D Colo April 21, 2009); Mackelprang v. Fidelity Nat’l Title Agency of Nevada, Inc. (D. Nev. 2007); and Beye v. Horizon Blue Cross Blue Shield (D. N.J. 2006)), in the tort context (Wolfe v. Fayetteville, Arkansas School, 600 F.Supp.2d 1011 (W.D. Arkansas 2009)), as to how much privacy settings matter, on passwords and access, and this list represents merely the proverbial tip of the issues iceberg.
One issue still bobbing below the surface, as it appears there are no fully tried cases on the matter as of this writing, is disclosure of trade secrets, such as a client/customer list, through use of social media and social networking.
The Uniform Trade Secrets Act (“UTSA”) has served as a model for the enacted Trade Secret Acts of 46 states and the District of Columbia. Massachusetts, New Jersey, New York, and Texas have not enacted a UTSA-model act – although the legislatures of Massachusetts, New York and New Jersey each introduced UTSA-based legislation in 2010. Under the UTSA a "trade secret" is defined as:
“information, including a formula, pattern, compilation, program, device, method, technique, or process, that: (i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.” (emphasis added).
See also Trade Secrets: A State-by-State Survey, Third Ed., with 2010 Cumulative Supplement; 18 U.S.C. 1839 (defining trade secrets for purposes of the Economic Espionage Act of 1996, which makes theft or misappropriation of a trade secret to benefit a foreign power or related to a product that is placed in interstate or foreign commerce a federal crime).
Various states expressly include a “customer list” in their UTSA’s definition of “trade secret.” (See Network Telecomms v. Boor-Crepeau, 790 P.2d 901, 902 (Co. 2010) (noting a trade secret under Colorado’s UTSA, Colo.Rev.Stat. Ann. § 7-74-102(4), includes the listing of names, addresses, or telephone numbers, or other information relating to any business or profession which is secret and of value); Industrial Insulation Group, LLC v. Sproule, 613 F. Supp.2d 844 (SD Texas 2009) (referencing Pennsylvania’s USTA, 12 Pa. Cons. Stat. Ann. 5301 et seq., which includes customer lists)).
However, even if a state’s UTSA does not expressly include customer lists in a provided definition such “low tech trade secrets” are routinely held by courts to fall within trade secret protection, under either UTSA-based or pre-UTSA common law as detailed by the Restatement (Second) of Torts §757. Section 757, Cmt. B specifies that “a trade secret may consist of any formula, pattern, device or compilation of information which is used in one's business, and which gives him an opportunity to obtain an advantage over competitors who do not know or use it.” A customer list readily qualifies under this definition.
Regardless of whether the applicable source of a trade secret’s protection is state statutory or common law, key issues as to whether a party may successfully claim protection for a trade secret depend on a threshold fulfillment of requirements, among others, that the materials do in fact qualify as actual trade secrets because they hold independent economic value, since they’re not widely known outside the entity, and that the owning party has taken reasonable measures to safeguard the materials’ secrecy.
In the realm of customer lists courts commonly hold lists that are readily ascertainable are offered no trade secret protection. See, Dowell v. Biosense Webster, Inc., 179 Cal.App.4th 564, 571 (2009) (affirming lower court’s holding “that there was no evidence that Biosense's customer list is a trade secret because it appears that the customers for the products at issue ... are easily identified from any number of publicly available directories and resources"); Ken J. Pezrow Corp. v. Seifert, 197 AD2d 856, 857 (N.Y. App. Div. 4th Dept 1993)("where an employer's customer lists are readily ascertainable from sources outside its business, trade secret protection will not attach and their solicitation by the employee will not be enjoined.'") (citations omitted). In fact, New York courts have applied a “general rule” that an employee may solicit an employer's customers when the employment relationship has been terminated, in the absence of some other contractual agreement to the contrary. A & L Scientific Corp. v. Latmore et al., 696 N.Y.S.2d 495 (2d Dept 1999) (citing Catalogue Service of Westchester, Inc. v. Paul Wise et al., 405 N.Y.S.2d 723 (1st Dept 1978)).
Adding Social Networking To The Mix
Since the disclosure of an otherwise trade secret – even accidentally or “through inadvertence” – destroys the secrecy element and therefore removes what trade secret protection exists, Kewanee Oil Co. v. Bicron Corp., 416 U.S. 470, 476 (1974), at what point can using social networking to link-in, friend or make other connections with customers cross over into making a customer list, or a portion of a list, no longer protectable as a trade secret? With seemingly everyone, including us here at the Info Law Group, connecting to business associates as well as potential and actual clients, the question is not academic.
Indeed, witness a case filed earlier in the year, which is indicative of the issue. TEKsystems, Inc., a Hanover, Md-based recruiter of technical professionals, filed a federal action on March 16, 2010, TEKsystems, Inc. v. Hammerinick et al. (0:10-cv-00819-PJS-SRN), Complaint here, accusing former employees of wrongfully contacting former co-workers and clients in violation of the non-compete and non-solicitation agreements they entered into and for misappropriation of trade secrets. Docket available here. On the facts given above the case seems merely a run-of-the-mill action against former employees violating commonly used non-compete and non-solicitation prohibitions. But the topical kicker is that contacts by one of the former employees allegedly occurred through LinkedIn and that Teksystems claimed that the customers, described in the Complaint, as “key individuals responsible for recruitment [at outside entities] of professional placement staffing needs” were “valuable, confidential, and proprietary to TEKsystems, and [] not generally known in the public domain” with “significant economic value to TEKsystems” – in short a trade secret under Maryland’s Uniform Trade Secret Act, Md. Code Ann., Com. Law §11-1201(e).
The applicable non-compete clause prohibited the former employee for a period of 18 months after leaving from working for “any business that is engaging in or preparing to engage in any aspect of TEKsystems’ Business in which EMPLOYEE performed work during the two (2) year period preceding his/her termination of employment, within a radius of fifty (50) miles of the office in which EMPLOYEE worked at the time EMPLOYEE’s employment terminated.” The applicable non-solicitation clause provided that during the 18 month period after termination the employee would not “[a]pproach, contact, solicit or induce any individual, corporation or other entity which is a client or customer of TEKsystems, about which EMPLOYEE obtained knowledge by reason of EMPLOYEE’s employment ….”
While clearly onerous from the employee’s perspective, the Court never reached the merits or opined on validity of the provisions given the case's disposition by stipulated Confidential Settlement Agreement. However, social networking in the form of LinkedIn entered the Complaint at Paragraph 37 where TEKsystems, in providing examples of one of the employee’s conduct, recounts the employee “has communicated with at least 20 of TEKsystems’ Contract Employees using such electronic networking systems as ‘Linkedin.’” In Paragraph 40, the Complaint alleged the employee “[p]rior to leaving TEKsystems, [] sent emails to a number of candidates advising them that she was leaving TEKsystems and joining Horizontal Integration.”
As an aside, the stipulation recognizes the new cloud storage landscape we’re operating in by defining “Computers,” in a laundry list of systems and storage the defendants would be required to search for documents to return to TEKsystems and then destroy, as “all servers, hard drives, ‘cloud’ storage systems, jump drives, zip drives, CBIZ or other electronic storage devices.” It also defines “Documents” as “the broadest meaning ascribed to it under the Federal Rules of Civil Procedure, and shall include documents in paper form, electronic form, on ‘cloud’ systems or otherwise maintained in any way by Defendants.”
Although the TEKsystems case concluded last week on Oct 18, 2010, per previously stipulated Permanent Injunction and Dismissal or Action, here, the case itself raises interesting broader questions:
- At what point does use of a social network, particularly in an industry where direct outside client contact is first and foremost, divulge a trade secret client/customer list by crossing the line between those contacts made during and as a direct result of one’s employment for a specific company (and as a result considered a “trade secret”) and those contacts made “off-hours” by virtue of a person’s being part of a given industry and, perhaps, say “Linking In” to contacts of contacts? LinkedIn’s entire business model is built around a “six degrees of separation” concept, but how many degrees away does an employee need to get before those “contacts of contacts” are no longer part and parcel of the employer’s existing or potential client/customer list?
- Given that social networks generally have “public” and “private” settings capabilities, could connecting to customers and clients act to inadvertently toss the employer's otherwise validly confidential and trade secret customer list into the public domain, destroying trade secret protection in the process by virtue of the fact that those outside the employee’s company conceivably can then “readily ascertain by proper means” the employer’s list of customer/clients using the employee’s socially networked contacts? Consider that according to the Restatement (Second) of Torts §757, factors courts will consider “in determining whether given information is one's trade secret" include:
• the extent to which the information is known outside of the business;
• the extent to which it is known by employees and others involved in the business;
• the extent of measures taken to guard the secrecy of the information;
• the value of the information to the employee/employer and competitors;
• the amount of effort or money expended in developing the information;
• the ease or difficulty with which the information could be properly acquired or duplicated by others.
So what can and should you do to address the social networking disclosure issue before a court potentially does it for you?
Recommendations
First, let’s recall that the Complaint in TEKsystems contained four counts, which are fairly typical in an action of this type: 1) breach of contract; 2) breach of confidentiality agreement (“NDA”); 3) tortious interference with contractual relations, and 4) misappropriation of trade secrets. NDA’s frequently utilize broad definitions of “confidential information” and TEKsystem’s NDA definition included “information not generally known by TEKsystems’ competitors or the general public concerning TEKsystems and that TEKsystems take reasonable measures to keep secret, including but not limited to ... customers’ names, addresses, telephone numbers, contact persons ... and the names, addresses, telephones numbers, skill sets, availability and wage rates of ... personnel.”
Had the NDA lacked such a definition or express inclusion of customer names and TEKsystems were forced to rely merely on a claim of misappropriation of trade secrets as a result, the issue of whether customer/client lists entered the public domain via social networking would have garnered notable prominence as the employee might have argued, depending on the factual specifics: “What trade secrets? The information was publicly available via my LinkedIn profile.”
The lesson? Ensure that your employee NDA’s include client information (identities, names, addresses, etc.) within the definition of “confidential information.” But merely defining information as confidential is not be enough unless steps are taken to in fact treat the data as confidential – since as with trade secrets “confidential information” obviously ceases to become such when it enters the public domain. See generally, 1-800 Postcards, Inc. v. Ad Die Cutting & Finishing Inc., 2010 NY Slip Op 51368 (NY Cty Sup Ct July 9, 2010) (denying plaintiff’s claim of misappropriation of trade secrets where there is no employee “contract expressly restricting the former employees from competing with the prior employer.”)
Second, add a social media section to non-compete clauses and NDAs that clearly addresses use of social media and its effects on any materials considered trade secrets and confidential information. Specifically you should consider, beyond the usual items that e-mail and internet access may be monitored, etc., language providing that :
• Employees should use employer supplied computers, networks and equipment (i.e., smartphones, etc.) for business purposes only, while acknowledging the reality of working from home using home computers and systems with additional language that provides even usage of such home systems must comply with the NDA and non-compete clauses;
• Employees must disclose use of social networking sites; that such social networking may be monitored by the employer, and that consent is granted by the employee for the employer to access employee social networking sites for compliance with the employee’s contractual obligations. You may, under certain circumstance, wish to have the ability to direct an employee (or former employee) to remove any linkage to your company site or mention of the company or employment with the company; and
• Employees may be directed to select privacy settings to prevent "public" users from browsing or seeing their contacts.
Finally, the landscape of social networking is changing rapidly. It's extremely important to carefully periodically review the various use, privacy, copyright and other policies social networking sites require acceptance of to ensure that your employees aren't binding you to provisions you were unaware of, that may not be practical to comply with given your specific industry or usage, or that may result in disclosure of confidential or trade secret information by default.
As always, to discuss any of the above or your specific needs and issues, feel free to contact me or any other attorney at the Info Law Group.
NDAs: Worth the Effort?
Confidentiality or nondisclosure agreements ("NDAs") are widely used but often poorly reasoned or inadequately implemented. When are they worth the effort? How can they be made more effective in protecting a company's secrets or the secrets of others for which it is responsible?
My seatmate on a recent cross-country flight was an entrepreneur who has established an innovative and successful online financial services business. “I never use NDAs,” he insisted. “Too much trouble, and too hard to enforce, anyway.”
That’s not an uncommon view of confidentiality or nondisclosure agreements (NDAs), at least outside the context of employment and independent contractor agreements, where they are routine and well accepted. It’s easy to understand why an employer would want to ensure that employees are cautioned to keep trade secrets secret, for example. With an employee confidentiality agreement, the employer can more credibly threaten termination and a possible lawsuit that does not have to rely on implied duties under general tort or contract law, or the more remote prospect of criminal sanctions for theft, fraud, or commercial espionage.
But in business or technical discussions with potential investors, customers, suppliers, licensors, franchisees, or joint venture partners, it is often very difficult to determine how much needs to be disclosed and exactly who “owns” which information and ideas. Were the parties just brainstorming? Did they independently develop a similar approach to a problem? Litigation over NDAs can be costly, public, and ultimately unsatisfactory to the party claiming a breach, especially if it is hard to prove the intended scope of the agreement and the actual source of information.
So, when is it worth using NDAs, and how can they be made more effective?
Protecting Secrets
First, it must be emphasized that NDAs properly concern only information that is valuable or protected and that is not already publicly available. Patents are public, so it normally makes no sense to sign an NDA covering the substance of a patent claim (although an NDA could cover implementation issues, for example, or the substance of a planned patent filing or extension).
The information should have commercial value as a party’s trade secrets, either non-obvious technical information (such as the formula for COCA-COLA beverages) or confidential commercial information (such as the party’s business plans, internal organization, and nonpublic operations and financial records).
Alternatively, an NDA may concern information in a party’s possession that, if disclosed to others, could expose the party to criminal or civil liability. This might include potential liability for unauthorized disclosure of protected personal information, privileged communications (such as lawyer-client or doctor-patient communications), national secrets, or the trade secrets of a business partner. Often, information could be classed as the company’s proprietary and confidential data and also protected information of a third party – a customer list including credit card details would be an example. In such cases, there are multiple reasons to take contractual and operational measures to protect the information.
Anglo-American common law traditionally recognized civil liability based on “breach of confidentiality,” “misappropriation,” or “unfair competition” when one party made improper use of another party’s commercial secrets. Many of the underlying principles are now statutory, as is the case with fair trade practices under the US Federal Trade Commission Act and parallel state laws.
More specifically, nearly all US states and the District of Columbia have enacted a model law called the Uniform Trade Secrets Act (UTSA). This restates common law principles of misappropriation of trade secrets and provides an extensive range of potential remedies, partially preempting remedies based on tort law or equitable restitution. These statutory remedies include the following:
· injunctions against misappropriation or disclosure
· injunctions compelling protective actions such as the return or deletion of documents and data
· compensatory damages for injury to the plaintiff
· damages for unjust enrichment by the defendant
· payment of reasonable royalty fees (if compensatory damages cannot be proven)
· exemplary (punitive) damages for “willful and malicious” conduct
· attorney’s fees in cases of willful and malicious misappropriation or bad-faith litigation tactics.
Liability is based on proof that the defendant has “misappropriated” trade secrets by acquiring them through “improper means.” Breach of an NDA is one example of improper means. USTA also recognizes other improper means that do not depend on breaching an NDA, such as theft, bribery, misrepresentation, inducement to breach a confidentiality agreement, and electronic espionage.
In order to protect trade secrets under UTSA or common law, a party must demonstrate that it exercised “reasonable efforts” to maintain secrecy. This typically includes using (and enforcing) NDAs with employees, agents, business partners, and others with access to the information, as well as taking such protective measures as locking up or encrypting sensitive documents, controlling access to computer files, and training employees to protect company secrets.
Thus, the NDA is an important means of preserving trade secrets claims and remedies, as well as reducing liability exposure for disclosing the secrets of third parties such as customers, employees, business partners, or governments.
Making NDAs More Effective
A company with trade secrets or protected information always has to balance the advantages of collaboration (such as efficiencies in outsourcing, shared research and development, new sources of investment, expanded markets, a potential sale of the company or its ideas) against the risks that the collaborating party will carelessly disclose the company’s secrets, misappropriate them, or claim that the company has in fact misappropriated the collaborating party’s ideas.
Where possible, it is best to share secrets only with parties that have sufficient motivation and capability to protect your secrets. Give them reasons to believe that they will share in the success if the ideas or data are protected and ultimately commercialized, perhaps in the form of a royalty-free or discounted license, an exclusive sublicense in a particular sector or geography, a lucrative supply contract, a joint venture, or an equity stake. An expressly nonbinding letter of intent may be enough to help them visualize the “carrot” of potential profits. If a company hires a technical consultancy as an independent contractor, the contractor is getting paid and should be subject to a “work for hire clause” as well as NDA provisions. If the company wants to collaborate with an academic, it can raise the idea of a possible consulting contract if the idea appears to merit more development and offer to collaborate in preparing an article for publication in a scholarly journal when some of the concepts can be made public. The point is, there are very often ways to align the interests of the parties in maintaining confidentiality for mutual gain and joint risk management.
As for the “stick” of potential liability for breach of the NDA, consider above all the description of the confidential material to be covered. You don’t want to leave loopholes, but a vague or broadly drafted NDA is less likely to be enforced by a court. It may even be challenged as an attempted restraint of competition, rather than a focused effort to protect trade secrets.
Some NDAs between potential business partners or research collaborators are written to cover only documents or data expressly marked as “Confidential,” while others concern both oral and written information about a defined subject matter. In the former case, it is important to maintain the discipline of marking documents, emails, meeting minutes, and memoranda of lab visits, field tests, or other instances of information exchange as “Confidential, subject to NDA dated ____.” A lapse may be viewed as a waiver. It is also useful to place a copyright notice on documents furnished in the course of the collaboration, to help establish authorship and make additional remedies available under copyright law. Or consider using a wiki or FTP site, similarly marked, to keep documents and messages subject to the NDA in one place. All of these techniques serve to remind the parties of what they are doing under the NDA and aid in establishing proof if there is a dispute.
Where there is concern about maintaining the confidentiality of discussions as well as documents, it may be convenient to describe the subject matter as nonpublic information exchanged relating to a pending patent application or provisional patent application. Otherwise, where the description cannot be effected in a sentence or two, consider attaching a schedule to the NDA describing the subject matter in more detail. The schedule can be updated by mutual consent, without having to redraft the entire NDA.
If the company has a trade name or brand name in mind, add a clause to the NDA in which other parties agree not to use that name for a trademark or domain name without the company’s consent.
Meanwhile, the company should assiduously maintain an inventor's log if it contemplates an eventual patent application. If it comes to litigation over misappropriation of trade secrets, it can be very powerful to document and compare the sequence of invention with the sequence of disclosures.
A useful clause to include in the NDA is one requiring prompt notice if at any time a party intends to rely on the NDA clause excluding coverage for information or ideas related to the subject matter but developed independently or obtained from another source. This gives the company some advance notice of potential problems and makes it harder for the other party to assert plausibly that it already had the information or idea at a much earlier date.
It may also make sense to insist on a non-circumvent clause if the party will be introducing companies or individuals to each other or to potential suppliers, licensees, or consultants. This makes it harder for them to bypass the introducing party in future dealings with those companies or individuals.
And in some cases it makes sense to pursue R&D collaboratively in the context of a government program or an industry standards body, developing standards to which others contribute and which others will use. These projects typically involve their own NDAs and agreements concerning intellectual property ownership and licensing. That approach may ultimately give your company a larger market for goods and services that it can sell based on a standard – USB and Bluetooth are recent examples. Collaboration then takes the form of a contract with a government agency or national laboratory, or chartering a work group or technical committee within an existing standards body, or possibly establishing a new nonprofit industry association to develop specifications. As other companies become invested in the standard, they may also be willing to share the legal costs of protecting it against infringers or infringement claims.
Finally, a company sharing secrets should look to technical as well as legal protections. Establish that the counterparty is security conscious, and insist that it classify and safeguard your secrets as it does its own. It may also be appropriate to use electronic date and time stamps, tag lines, embedded code, digital certificates, watermarks, or metadata to mark material as “Confidential” and also help prove the source and timing of documents exchanged in a collaboration. Using secure email channels, secure FTP and wiki sites, and document encryption are other means of protecting sensitive data – and also proving later, if need be, that the company did indeed exercise reasonable efforts to maintain confidentiality.
* * *
So, in answer to my airline seatmate: Some NDAs are pointless because there are not well-defined secrets to protect, or the parties have not done their homework concerning their mutual interests, or they are not sufficiently disciplined to implement the NDA effectively. But foregoing the NDA may mean foregoing legal remedies as well as an opportunity to educate the parties on what should be protected, and how.
UPDATE: Since first posting this blog entry, I have been referred to an insightful article by Professor Eric Goldman discussing the challenges of managing information under an NDA, at
