Industry Custom May Be Basis for Establishing Secrecy Measures Under Trade Secrets Act

Trade secrets claims are highly dependent on the plaintiff's ability to prove one essential fact: that it used reasonable efforts to keep confidential its identified trade secrets.

Over the past 20 years or so, the concept of "security measures" has changed drastically in the workplace. Early trade secrets cases often discussed whether file cabinets were kept under lock and key, who had access to certain file rooms, and whether a building or office had a requirement that visitors acknowledge confidentiality restrictions for site access.

Now, the focus of trade secrets disputes has shifted. We now look at computer passwords and other digital security protection efforts, including whether personal devices are inventoried and scrubbed at the time of termination.

But let's not lose sight of Old Economy business practices just yet. A federal district court in Illinois ruled last week that a business may establish it used reasonable security measures to protect its company secrets by introducing testimony of knowledgeable people that there was an unwritten custom and practice within the industry to keep certain data technical data confidential, even if there was no binding agreement between the customer and vendor.

The case is von Holdt v. A-1 Tool Corp., No. 04 C 04123 (N.D. Ill.), and Judge Chang looked at declaration testimony concerning "industry custom" to conclude that the plaintiff could show it exercised reasonable security measures over molds used to produce plastic buckets and lids. The testimony became essential because the plaintiff could not establish that it had confidentiality agreements with its customers concerning the technical mold information the plaintiff claimed to be a trade secret.

There are a few important takeaways from Judge Chang's summary judgment opinion.

First, the concept of what's reasonable in terms of security measures is very fact-specific. What may be reasonable for a high-tech business dependent on the exchange of digital information may be irrelevant for an Old Economy business like a tool-and-die manufacturer. In the same vein, a large sophisticated company will be expected to implement broader protections than a small mom-and-pop store. For those large companies, the marginal cost of adding security measures is relatively low.

Second, business ethics are worth something. Most judges are fairly pragmatic. It is awfully difficult for a court to reason that the existence of a formal agreement is a precondition to showing that a party tried to protect its data. If the industry custom suggests that there is a gentleman's understanding that you don't disclose certain data to others, that should carry some weight.

And, in the real world outside the courtroom, vendors don't like presenting customers with formal agreements because that may imperil the entire relationship. There's no reason why industry practice can't trump the formalities of a contract in certain cases.

The case perhaps has limited significance, but it does emphasize the need for a plaintiff to consider every possible security measure when pursuing a trade secrets claim - even if those security measures aren't the type of Digital Age precautions we're used to seeing.