By Julia Chong

Although it is common for most organisations to already have in place non-disclosure clauses or separate confidentiality agreements to protect their intellectual property (IP), given the rapidly evolving digital landscape and proliferation of new technologies embedded into current work processes, it is prudent for corporations to reassess their secrecy policies and corresponding risks on an ongoing basis.

Most executives are familiar with patent registration and IP protection, a trade secret, however, is more extensive and covers a broader spectrum of intangible assets that are of significant commercial value to a company. Think of KFC’s secret herbs-and-spices recipe (which was reportedly leaked on social media recently) or Google’s search algorithm. An equivalent in banking could be the banks credit policy or the digital approval keys to its smart contracts.

The established processes and protocols to protect the value of these intangible assets are known as trade secret risk management, an evolving practice that is gaining ground amongst risk professionals as companies increasingly bank on innovation to deliver customer value.

Trademarks, patents, customer lists, business strategies and ops, business processes, formulae, algorithms, software code – essentially any aspect or innovation which gives the corporation a competitive advantage against their competitor – should be defined and protected as a trade secret. In banking and finance, such trade secrets are spread throughout the back, middle, and front offices.

One of the leading authorities governing standards in this sphere is the World Intellectual Property Organization (WIPO), an international United Nations agency responsible for the development of a global IP architecture, which defines a trade secret as follows:

“Trade secrets are IP rights on confidential information which may be sold or licensed. In general, to qualify as a trade secret, the information must be:

  • commercially valuable because it is secret;
  • known only to a limited group of persons; and
  • subject to reasonable steps taken by the rightful holder of the information to keep it secret, including the use of confidentiality agreements for business partners and employees.

“The unauthorised acquisition, use or disclosure of such secret information in a manner contrary to honest commercial practices by others is regarded as an unfair practice and a violation of the trade secret protection.”

Legislation and enforcement frameworks in the US and UK are currently the most progressive, however other jurisdictions including the Asia-Pacific region are close on their heels as emergent risks have seen an increase in failure to protect trade secrets from hackers, corporate espionage, and other threat actors.

In the US, two main legislations govern this:

  • Economic Espionage Act, enacted into law in 1996, considers theft and misappropriation of a trade secret a federal crime with conviction resulting in fines of up to USD250,000 for an individual; USD5 million for a corporation; and/or imprisonment of up to 10 years. If such trade secret benefited any foreign government, penalties will increase and be dealt with in a manner commensurate to the crime.
  • Defend Trade Secrets Act, more recently passed by the Obama administration in 2016, gives US companies the opportunity of federal legal remedy in the misappropriation of “actual or potential” value arising from IP theft, which translates into enhanced shareholder value. It also provides a ‘safe harbour’ clause for whistleblowers, giving them immunity from civil or criminal liability “solely for the purpose of reporting or investigating a suspected violation of law.”

The UK’s Trade Secrets Directive of 2016 was implemented following the EU Directive 2016/943 passed by European Parliament. Different from its American counterpart, the Directive is limited to tackling the unlawful conduct or illicit means through which the trade secret is acquired. This means that if no misconduct was detected, although such information was misappropriated, the disclosure of the trade secret is out of scope under the Directive. An example would be the divulging of a secret which is in breach of a contract or another existing law.

In Malaysia, similar to other Southeast-Asian nations, there is no express legislation to protect trade secrets. For public-listed companies, the Capital Markets and Services Act 2007 provide assurances that privileged parties or “insiders” maintain the secrecy of non-public price-sensitive information in order to prohibit insider trading.

Instead, companies can rely on contracts and/or tort law (harms committed that require the at-fault party to compensate the victim(s), including for the loss of past or future income and punitive damages) to achieve similar results. Non-disclosure agreements are often included as a standard feature of employment contracts or signed separately as a precautionary measure.

When it comes to the practical day-to-day running of a company, robust contracts, audit trails, and documentation must form the arsenal of pre-emptive measures used to minimise the risk of future dispute. This is because once private information is misused or leaked, confidentiality is lost forever. Should there be a breach of confidentiality, time is of the essence and the next best option is for the company to quickly seek an injunction from the court of law and ring-fence the leak based on its contracts and documentation.

Trade secrets are classified into several types:

+ Technical information. This is knowledge concerning processes and procedures, maps and valuations, as well as policies and know-how. More recently, cases surrounding IP violations are increasingly dealing with issues surrounding software algorithms, hardware configurations, and experimental research data. This includes cutting-edge technologies that are entering the commercial sphere in banking such as cryptocurrencies (JPM Coin, a cryptocurrency developed by JP Morgan Chase, is utilised by its institutional and corporate clients for more secure cross-border transactions) or quantum-computing to unlock efficiencies in pricing and trading strategies (HSBC and Goldman Sachs are leading the pack on this score).

+ Commercial data. From details on pricing, structured deals, supplier lists, and clientele to strategic information such as platforms for advertising and promotions, expansion plans, and exclusive partnerships, it is necessary that such information be made on a need-to-know basis. In a US-based case, a team of investment bankers left their firm to work for a competing financial institution, taking with them confidential client lists and information, which included some of their former employer’s most sophisticated and important clients. After a thorough investigation and audit conducted by the bank, the case was brought to arbitration before the Financial Industry Regulatory Authority, which awarded full damages to the bank.

+ Combinatorial elements. In some instances, a trade secret comprises several or a chain of information or elements which in their separate parts rest in the public domain, such as annual report filings, formulae, or source codes. The design or method of how these individual elements are combined could provide a corporation with significant competitive advantage and in this way is seen as a trade secret. One example is when a company uses a general source code available on, let’s say, Github, a developer-based code-hosting platform, and then customises this code to suit the organisation’s specific needs. This can come in the form of rewriting, adding, deleting lines from the initial code for the software to now perform new tasks, such as to automate the pulling of data from an excel worksheet in order to populate it into the bank’s internal system. Should the modified source code, to which the company has invested substantial time and effort in its customisation, be compromised through accidental leaks, lax IT security, or even corporate espionage, this would constitute a breach of its trade secret.

Failure to correctly identify and manage its trade-secret risk can make or break an enterprise; financial losses, business disruption, loss of market share, loss of public trust, additional costs for investigation and new security measures, and reputational damage are all consequences of compromised IP. Closing the backdoor to this risk has to do with enforcing a culture of vigilance and collective responsibility. Financial firms must first begin by understanding that there is no foolproof solution (no matter what the consultants tell you). Any proposed strategy, including zero-trust strategies (see box story on page 72), is only as good as the people and culture that it is embedded in and corporates must customise such strategies according to their business, context, and current situation.

Zero-trust Security & More

Rooted in cybersecurity, this approach is typified as ‘never trust, always verify’ and is embedded in frameworks meant to protect proprietary knowledge in IT, such as multifactor authentication and behaviour monitoring as a tip-off to potential security threats. It advocates access approval of a trade secret to a limited number of people thus minimising the threat of breach and/or indiscretion by insiders/outsiders.

Other methods include confidentiality agreements, physical controls (biometric locks for filing cabinets, security cameras, etc.), and employee training.

Some highly innovative financial institutions that are based primarily on IP, such as bond pricing or algorithmic trading, often opt for insurance coverage to limit the downside in the event of a breach or failure to protect their intangible assets. Insurance policies oftentimes will cover certain tangible costs like service downtime, forensic investigations, and the cost to replace data, but never the full value of the intangible asset.

10 Steps to Building a Trade Secret Management Programme

The World Intellectual Property Organization (WIPO), one of 15 United Nations’ specialised agencies, is tasked with leading the development of a balanced and effective international IP system for its 193 member states. Established in 1967 through the WIPO Convention, its work has helped shape the architecture that protects IP, including trade secrets, globally with powers as a resolution dispute body.

Its e-learning content on intellectual property, IP Panorama™, is jointly published by WIPO, the Korean Intellectual Property Office (KIPO), and the Korea Invention Promotion Association (KIPA). Covering 12 modules, its chapter on trade secrets includes a 10-step guide on how to build a trade secret management programme, summarised below.

Put in place a system for identifying trade secrets

Identifying and categorising trade secrets is a prerequisite for starting a trade secret protection programme. The steps taken to protect your trade secrets should be dictated by the nature of the secrets themselves. Make a written list of the information to be protected and organise it into the different types of information, depending on its value to the business and the type of protection measures that would be needed to protect it.

Develop an information security policy that includes a trade secret protection policy

The information security policy encompasses systems and procedures designed to protect the information assets from disclosure to any person or entity not authorised to have access to that information. It is important to have a written policy in place as it provides clarity on all aspects that need to be addressed including:

  • explanations on the why’s and how’s;
  • prescriptive measures on how to reveal or share such information in-house or with outsiders; and
  • articulation of the commitment to protect trade secrets, which will play a key role in the event of litigation; and physical, administrative or technical controls.

Educate all employees on issues related to information security

Safeguards include:

  • hiring an employee for competence, knowledge, skills and not because of their access to trade secrets of a former employer;
  • all employees should acknowledge that they have understood the policy and that they agree to abide by it;
  • periodically, reiterating the policy;
  • avoiding the hiring of a person bound by a non-compete agreement, but if unavoidable then do so only after taking advice from an independent and competent lawyer;
  • indemnifying a new employee who is bound by a non-compete agreement to a previous employer should also be avoided;
  • reminding employees not to disclose trade secrets and to follow the security procedures by way of notices, memos, emails, newsletters, etc.; and
  • hiring away more than one employee from a competitor raises suspicion of wrongdoing and so should be avoided.

Importance of making employees aware of obligations

Educate and train employees to recognise and properly protect trade secrets in order to prevent inadvertent disclosure due to ignorance. Make departing employees aware of their obligations towards their former employer through exit interviews that should include focus on issues related to confidentiality, trade secrets, etc.

Include reasonable restrictions in writing, in all contracts

Examples of this are non-analysis clauses (where the other party agrees not to analyse or have analysed any material or sample supplied under the agreement), or no-raid clause (where the departing employee is forbidden from soliciting all current employees as well as any employee who resigned within a time frame from the employee’s departure date).

Restrict access to paper records

Limit access to only those employees who are duly approved, or cleared, to see them on a need-to-know basis. This may be done more easily by proper labelling of records or using specially coloured folders and keeping such marked records physically isolated or segregated in a secure area or in locked filing cabinets. There must be proper access control through appropriate authorisation and tracking systems for employees provided with access to classified information.

Mark documents

Labels should provide brief but clear directions to the user on how to handle the information, such as ‘make no copies’, ‘distribution limited to’, or ‘covered by non-analysis agreement’.

Office management and keeping confidentiality

Standard practices should include restricting the use of mobile phones when discussing sensitive topics, handling paperwork such as faxes and photocopies with extra care, shredding to dispose of sensitive paper records, caution with internal literature (newsletters, magazines, etc. that may contain names of employees in sensitive job functions), and caution be exercised by employees during conversations.

Maintain computer secrecy

Multifactor authentication and automated audit trails enable system security personnel to trace any additions or changes back to whoever initiated them, and to indicate where and when the change was carried out. Access control methods can be either rules-based (access control based on policies that can be algorithmically expressed) or identity-based (access to individuals or a defined group of entities).

Guarding secrets that are shared in partnerships

While employees can be the single biggest threat to secrecy, it is also important to guard secrets in joint ventures, with consultants and even with customers. For many software companies, the most dangerous exposure is the sale of a system because the software is then susceptible to reverse engineering. In software and many other high-tech industries, licensing of your company’s product is a secure way to guard against loss.

Source: WIPO, KIPO, KIPA; IP Panorama, Module 04 Trade Secrets.

Julia Chong is a content analyst and writer at Akasaa, a boutique content development and consulting firm.