Arizona Case Examines When Customer Lists Can Be Trade Secrets

Whether customer lists are trade secrets is one of the thorniest issues in the trade-secret world. In Caliss v. Unified Financial Services, LLC, 2013 WL 1490465 (Ariz. Ct. App. April 11, 2013), the court did a good job listing the factors considered when making this determination under Arizona’s Uniform Trade Secret Act.

The plaintiff previously worked for the defendants, who provide financial planning and tax services. After a falling out, the plaintiff left the defendants to work at a mortgage company that had a mutual referral agreement with the defendants. Soon thereafter, the mortgage company sent a mass email to all of its 2,000+ clients letting them know that the plaintiff had joined the firm. Because of the mutual referral arrangement, some recipients of this email were also clients of the defendants.

The plaintiff originally filed suit to recover unpaid compensation, and the defendants counterclaimed for misappropriation of trade secrets. After a bench trial, the court found that the plaintiff had misappropriated the defendants’ “customer lists and personal information.”

The Court of Appeals reversed. After first acknowledging that customer lists can be trade secrets, it described the factors to be considered when making this determination:

  • Whether the list “represents a selective accumulation of detailed, valuable information about customers—such as their particular needs, preferences, or characteristics—that naturally would not occur to persons in the trade or business.”
  • Was the list compiled through expending “substantial efforts to identify and cultivate its customer base such that it would be difficult for a competitor to acquire or duplicate the same information”?
  • “Whether the information contained in the customer list derives independent economic value from its secrecy, and gives the holder of the list a demonstrable competitive advantage over others in the industry.”
  • The extent to which the list was disclosed externally and internally.

Here, all of the factors weighed against granting trade-secret protection to the defendants’ customer list. In particular, the defendants did not offer evidence that they had specialized information about their clients and could not show they made significant efforts to develop the list.

Also, the defendants couldn’t show that they kept the list secret. For example, the mortgage company where the plaintiff worked knew the identity of a number of the defendants’ clients. The court reached this conclusion even though the defendants required that their employees sign confidentiality agreements and used electronic means to protect data.

Companies that want to keep their customer lists secret should maintain as much information about their clients as they can. By compiling as detailed a list as possible—with information that is not publicly known—a company can increase the likelihood that a court would later protect the list as a trade secret.

The list also needs to be kept secret. Only share the list with those employees who need it to do their jobs. Whenever possible, all such employees should be required to sign a noncompete and nonsolicitation agreement. That way, the company isn’t relying on the murky law regarding customer lists; it only needs to enforce the noncompete.

Data Breach Report Shows Broad Threat to Trade Secrets and Proprietary Information

Verizon recently published its 2013 Data Breach Investigations Report. It contains a number of troubling findings about companies’ exposure to data breaches, which could threaten proprietary information and trade secrets.

While many think that these issues only affect large companies, the report found that 31% of breach victims were companies with fewer than 100 employees. So this threat affects all companies, regardless of size. Here are some key findings and takeaways:

76% of network intrusions exploited weak or stolen credentials.

Companies must ensure that their employees periodically change passwords, as well as require that passwords contain a minimum number and type of characters.

19% of all attacks analyzed this year were perpetrated by state-affiliated actors. . . .In most industries, you’re still much more likely to suffer an attack motivated by financial gain or revenge than espionage.

While news reports often focus on state-sponsored cybercrimes (China has been in the news a lot lately), it is those who stand to gain financially or who have a personal motive to do harm—often competitors and former employees—who present the greatest threat.

Over half of the insiders committing sabotage were former employees taking advantage of old accounts or backdoors that weren’t disabled.

It is absolutely critical to have a standard process in place when an employee departs, which must include disabling all access to the company’s system.

Over 70% of IP theft cases committed by internal people took place within 30 days of them announcing their resignation.

This shows the need to act immediately when an employee departs. It’s also critical to use IT solutions to determine whether former employees took any proprietary information while still working for the company.

Techniques targeted at users—like malware, phishing, and misuse of credentials—are major vulnerabilities. In particular, phishing techniques have become much more sophisticated, often targeting specific individuals (spear phishing) and using tactics that are harder for IT to control. For example, now that people are suspicious of email, phishers are using phone calls and social networking.

Companies need to make sure that they educate their employees regarding the various techniques used to steal information. Consider bringing in an outside expert to speak to your employees.

66% of the breaches in our 2013 report took months or even years to discover (62% months, 4% years). . . . 69% of breaches were spotted by an external party.

Here, the report offers good advice, when it says “Companies should devote more time and effort to detection and remediation; preventing attacks becoming breaches, and breaches becoming financial and reputational disasters.” Again, companies need to use IT solutions to periodically audit for potential data breaches.

In the end, it is very important that companies of all sizes speak with the appropriate professionals to make sure they are taking all necessary steps to protect themselves from this growing threat.

Florida Case Addresses Enforcing a Noncompete Agreement that Protects Trade Secrets

In Florida, restrictive covenants like noncompete agreements are governed by Section 542.335, Florida Statutes. When determining whether a noncompete’s time period is reasonable, the statute applies different presumptions based on the interest being protected.

For example, a restrictive covenant against a former employee not predicated on trade secrets and not associated with a sale of the business is rebuttably presumed reasonable for a term of six months or less and unreasonable if for two years or more. In contrast, if the restrictive covenant is needed to protect trade secrets, it is rebuttably presumed reasonable if shorter than five years and unreasonable if more than 10 years.

In Zodiac Records Inc. v. Choice Environmental Serv., 2013 WL 1629134 (Fla. 4th DCA April 17, 2013), the plaintiff sought to enforce a noncompete against a company started by its former consultant. The noncompete barred the former consultant from soliciting the plaintiff’s customers or using the plaintiff’s trade secrets for 36 months after the consulting agreement expired in April 2009. The defendant left in June 2011 and admitted soliciting the plaintiff’s clients.

The plaintiff sought a temporary injunction barring the defendants from soliciting its customers or using its trade secrets until April 2012, 36 months after the consulting agreement terminated.

At the hearing, the parties addressed the issue of whether the plaintiff stole trade secrets. Apparently the defendants argued that if they did not actually use trade secrets, the noncompete—which was longer than two years—was presumptively unreasonable. The plaintiff’s counsel argued that he did not need to put on evidence of trade-secrets theft, since the agreement was designed to protect trade secrets and thus was presumptively reasonable.

The lower court did not hear evidence related to trade-secrets theft. It granted the injunction “but it based the injunction on the use of trade secret information, thus the thirty-six month period applied.”

The Fourth District Court of Appeal reversed, in part because the defendants did not have an opportunity to show that they did not misappropriate trade secrets. The court implied that a plaintiff does not get the benefit of the five-year reasonableness presumption unless it establishes that the defendant actually misappropriated trade secrets.

I think this is the wrong result. The statute only requires that the restrictive covenant be “predicated upon the protection of trade secrets.” Sec. 542.335(e), Fla. Stat. Thus, a plaintiff should only have to show that it needed the covenant to protect its trade secrets because, for example, the defendant had access to trade secrets. Requiring that the plaintiff show actual misappropriation renders meaningless the term “predicated upon.”

Regardless, given this decision and several others, attorneys attempting to enforce restrictive covenants in Florida need to carefully consider what evidence they intend to offer in support of an injunction motion, particularly when they need the benefit of the 5-year presumption.

Trade Secrets In the News

news

Each week, I’m going to be posting links to news articles dealing with trade secrets from the prior week. If you want to get links to the articles throughout the week, follow me on twitter at @BlogTradeSecret, where I frequently tweet out links to trade-secrets articles. And also check out John Marsh’s excellent Trade Secrets Litigator blog, which has a wrap up of the week’s noteworthy trade-secret posts on Fridays.

Trade Secrets In the Cloud: When Can Cloud Providers Access and Share Your Information?

This is the second in a series of posts addressing trade secrets in the age of cloud computing.

In an earlier post, I talked about how cloud providers’ terms of service affect trade-secret protections. In particular, to the extent companies store proprietary information with cloud providers who can access and share stored files, those companies may not be taking reasonable efforts to protect their information (as required by the Uniform Trade Secrets Act).

Now, let’s take a closer look at some of the more popular cloud providers’ terms of service:

Dropbox: Dropbox can only share data without the user’s consent in very limited circumstances:

To be clear, aside from the rare exceptions we identify in our Privacy Policy, no matter how the Services change, we won’t share your content with others, including law enforcement, for any purpose unless you direct us to.

We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. . . . Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.

Amazon: As part of Amazon Cloud Drive’s terms of use, Amazon can access and use stored files:

We may use, access, and retain Your Files in order to provide the Service to you and enforce the terms of the Agreement, and you give us all permissions we need to do so.

Microsoft: In contrast, Microsoft’s service agreement grants Microsoft broader powers to use stored information:

When you upload your content to the services, you agree that it may be used, modified, adapted, saved, reproduced, distributed, and displayed to the extent necessary to protect you and to provide, protect and improve Microsoft products and services.

Apple: iCloud’s terms and conditions also give Apple relatively broad powers to access and share stored content:

You acknowledge and agree that Apple may, without liability to you, access, use, preserve and/or disclose your Account information and Content to law enforcement authorities, government officials, and/or a third party, as Apple believes is reasonably necessary or appropriate, if legally required to do so or if we have a good faith belief that such access, use, disclosure, or preservation is reasonably necessary to: (a) comply with legal process or request; (b) enforce this Agreement, including investigation of any potential violation thereof; (c) detect, prevent or otherwise address security, fraud or technical issues; or (d) protect the rights, property or safety of Apple, its users, a third party, or the public as required or permitted by law.

There are wide differences here. As I mentioned previously, I’m not aware of a court addressing this issue. But companies should feel more comfortable storing proprietary information with Dropbox or Amazon, which make clear they will only be sharing files in very limited circumstances. Also, companies should encrypt files containing proprietary information, which would further protect this information.

Microsoft and Apple have materially broader rights to access and share files. Storing documents with these providers could open the door for an argument that the user did not reasonably protect its proprietary information.

Georgia Case Shows When Not to File a Trade-Secrets Lawsuit

When an employee leaves to start her own business and takes clients with her, the former employer often reacts emotionally. There may be a sense of betrayal, which can be followed by a desire to lash out, frequently through filing suit against the former employee. Many times, there are real grounds for a lawsuit. But other times, a lawsuit is a waste of time and money. Drawdy CPA Services, P.C. v. North GA CPA Services, P.C., 2013 WL 1189274 (Ga. Ct. App. March 25, 2013) appears to be an example of a case that never should have been brought in the first place.

The plaintiff, an accounting firm, sued its former employee (Pritchett) and her accounting firm for breach of a nonsolicitation agreement and misappropriation of trade secrets. After Pritchett left the plaintiff, it determined through a log-in history report that she had accessed its client portal (through which clients and former clients could review their prior years’ tax returns). The plaintiff filed an emergency motion for injunctive relief, which sought to prevent the defendants from accessing the plaintiff’s client portals and soliciting the plaintiff’s clients.

Following Pritchett’s use of the portal to obtain tax returns, the plaintiff eliminated portal access for all former clients. Thus, the court denied the plaintiff’s request for an injunction barring Pritchett from using the client portal.

At the hearing, the plaintiff offered the affidavit of one of its clients stating that he had received a direct-mail flyer from Pritchett. In response, Pritchett called four of the plaintiff’s former clients, who all testified that they sought out Pritchett once she opened her own firm. One of these clients testified that his company printed and distributed a mailer for Pritchett to a list of 2,500 people compiled by a third-party company; by using this list, Pritchett apparently contacted the plaintiff’s client inadvertently.  Pritchett also offered 113 affidavits from her clients who were formerly the plaintiff’s clients, all of whom stated that she did not solicit them to leave the plaintiff.

Given this evidence, the court refused to enter an injunction.

When presented with evidence that a former employee violated her employment contract, it is critical to fully investigate what actually happened. While it’s impossible to know what steps the plaintiff and its attorneys took here, it certainly seems like communicating with the former employee could have revealed that there was no deliberate effort to violate the employment agreement, and that it would be very difficult to prove violations.

We all know that litigation is time-consuming and expensive. It should be used as a last resort, and only when it is impossible to resolve the dispute amicably. Even then, attorneys need to know when to tell their client that there simply isn’t enough evidence to support a claim.

On the flip side, this case is a great example of how to defend against a restrictive covenant and trade-secret misappropriation claim.

6th Circuit Addresses Reasonable Protection of Trade Secrets

In Kendall Holdings, Ltd. v. Eden Cryogenics, LLC, 2013 WL 1363728 (6th Cir. April 5, 2013), the 6th Circuit addressed Ohio’s Uniform Trade Secrets Act (UTSA) and considered whether the plaintiff took reasonable steps to protect its purported trade secrets.

The plaintiff and defendants were in the cryogenics industry. (“Cryogenics” sounds a lot cooler than it probably is; it involves “using engineered products to store and manipulate gasses and liquified gasses kept at extremely low temperatures.” Pun intended.)

Anyway, the three defendants were two of the plaintiff’s former employees and the company they formed and worked for, which competes with the plaintiff in the cryogenics industry. While working for the plaintiff, one of the defendants, Jim Mitchell, maintained a backup set of proprietary electronic and hard-copy shop drawings at his home, with the plaintiff’s permission. When Mitchell stopped working for the plaintiff, it did not ask him to return these drawings. Later, he worked for the defendant cryogenics company and used these shop drawings to develop its product line. The plaintiff sued under the UTSA.

The trial court granted summary judgment in favor of the defendants, concluding that the statute of limitations had run and that the drawings were not trade secrets.

I’m just going to discuss the latter portion of the opinion, in which he 6th Circuit addressed the issue of whether the plaintiff took reasonable efforts to protect the shop drawings, as required under the UTSA. The court noted that the plaintiff took the following precautions:

  • stamped the shop drawings with a legend barring disclosure or transmission to unauthorized parties;
  • entered into an employment contract with Mitchell that contained a confidentiality provision (though Mitchell denied signing the contract); and
  • maintained policies “that attest to the company’s desire to protect confidentiality and safeguard proprietary information.”

The 6th Circuit concluded that these efforts “could conceivably support a judgment in favor of” the plaintiff, and thus reversed. In other words, these protections were sufficient to create a genuine question of material fact regarding whether the plaintiff took reasonable efforts to protect the shop drawings.

This case doesn’t break any new ground. But I do see a key takeaway. Companies should be very wary about permitting employees to store proprietary information at home. When this is absolutely necessary, be sure to have the employees sign an agreement requiring that this information be kept confidential. To the extent possible, keep an inventory of all information stored at the employee’s home. And when the employee leaves the company, make sure he or she returns this information and signs an acknowledgement that he or she no longer has any of the company’s proprietary information.

Here, even though the plaintiff got past summary judgment, I’d bet that it will have a tough time proving its case to a jury, since it allowed Mitchell to store this information and did nothing when he left.

How to Use Exit Interviews to Protect Proprietary Information

In an earlier post, I listed ten ways businesses can protect their trade secrets. Now, let’s look at one of these in a bit more depth: exit interviews.

An exit interview—i.e., a meeting with an employee who is leaving the company—can be an incredibly effective tool for employers for a wide variety of reasons, and all employers should conduct them whenever possible. For our purposes, let’s focus on how these interviews can be used to protect proprietary information.

When conducting an exit interview with an employee who signed a noncompete or a confidentiality agreement, the exit interview should include a frank reminder of the employee’s obligations. Have the employee sign an acknowledgement of his or her obligations. When the employer is particularly concerned about the employee’s future plans, consider giving the employee a letter from an attorney.

For an employee who has not signed a noncompete or or a confidentiality agreement, the exit interview offers an opportunity to safeguard proprietary information the employee had access to. Make sure that the employee is aware of his or her legal obligations not to disclose any trade secrets. And have the employee sign an acknowledgement that he or she was provided with proprietary information under circumstances that require the information to be kept confidential.

Whenever possible, the interview should explore where the employee will be working next.  If he or she will be working for a competitor or starting a competing business, the company knows that it needs to be on alert. An attorney should be consulted to discuss legal options.

Hopefully, the employer has been keeping an inventory of all company computers, phones, etc. issued to the employee. Have the employee bring these, along with any company documents in their possession, to the exit interview. The employee should also be asked whether he or she has any hard-copy or electronic company documents on a personal computer, mobile device, or other storage media.  The acknowledgement discussed above should contain language confirming that the employee has returned all such documents and destroyed any electronic copies.

Finally, be sure to get a phone number and address where the employee can be reached. If it later becomes necessary to communicate with or file a lawsuit against the former employee, this information is critical.

If anyone has additional suggestions for using exit interviews to protect proprietary information, feel free to discuss in the comments.

Missouri Court Rules that Client Information Is Not a Trade Secret

The issue of whether information about a company’s clients can qualify as a trade secret is a tricky one, since much of this information can be obtained from the clients themselves. In Central Trust and Investment Co. v. Kennedy, 2013 WL 268687 (Mo. Ct. App. Feb. 19, 2013), the Missouri Court of Appeals concluded that the customer information at issue is not a trade secret and strongly suggested that this information could never be a trade secret.

Here, the plaintiff, a financial-services firm, sued a former employee who left the company following its sale. The defendant employee started his own financial-services firm and immediately targeted his former firm’s clients. He was successful; 85 of his firm’s 90 clients were previously the plaintiff’s clients.

Although the defendant employee signed a noncompete, by its terms it became void upon the company’s sale. (As an aside, this is a bad idea.) Thus, the plaintiff brought claims under Missouri’s Uniform Trade Secrets Act (UTSA), alleging that its customer information was a trade secret.

The court concluded that this information was not a trade secret. Under the UTSA, the plaintiff must take reasonable efforts to protect the alleged trade secret. The court here gave a list of reasons why the plaintiff’s efforts were not reasonable, including:

  • The employment contract did not specify that client information needed to remain confidential;
  • The plaintiff shared its client information with affiliates and all of its employees, many of whom did not sign confidentiality agreements;
  • Other former employees actively solicited the plaintiff’s clients but the plaintiff did not pursue legal action against them; and
  • There was no evidence in the record that this information “had any recognizable extrinsic or intrinsic value.”

The court then strongly suggested that customer information can never be a trade secret when it said that “a non-compete agreement is the proper means of preventing an employee who leaves employment from disseminating information relating to customer or client lists once the employee leaves employment.” Because there was no longer an enforceable noncompete here, “this Court fails to see how [the plaintiff] could, as a matter of law, regulate [the defendant’s] use of” the client information.

I disagree. Companies often spend tremendous amounts of time and money developing databases or other repositories of information about their clients; this information would be incredibly damaging in a competitor’s hands. Assuming this information is reasonably protected, it should qualify as a trade secret. Courts in other states have found client information to be a trade secret when the company seeking enforcement meets all requirements of the Uniform Trade Secrets Act. That is the proper result.

Regardless, this case highlights some of the common ways companies fall short when trying to protect their proprietary information. Perhaps the most important takeaway from this case is that companies must make sure that employees with access to customer information that would be damaging in a competitor’s hands sign noncompete agreements.

This case also shows that companies must implement protections for all proprietary information, including client lists. And a company should diligently pursue its legal remedies against any trade-secret violations, or else a court may later find that it waived the right to do so.

Trade Secrets and Due Diligence

pac man2

We all know that when companies are looking to purchase/merge with/make a significant investment in another company, they have their attorneys conduct due diligence regarding the transaction and the acquisition target. Generally, this due diligence includes identifying key employees, determining whether these employees have executed noncompete agreements, and reviewing the agreements.

But acquiring companies too often fail to go beyond a noncompete review to look at how effectively the acquisition target is protecting its proprietary information. Thus, acquiring companies are unwittingly subjecting themselves to significant risk. Intentional or inadvertant disclosure of this information could destroy the target’s business post-acquisition.

To minimize this risk, due diligence should always include a comprehensive look at how the target protects its proprietary information. This should start with conversations with management and key employees to identify the company’s critical proprietary information. Once identified, all measures in place to protect this information should be reviewed.

To determine whether adequate protections exist, a number of questions need to be answered. For example, are there any employees who have access to proprietary information who have not signed a noncompete, or at least a nondisclosure agreement? Are employees periodically educated about their obligations regarding proprietary information? Is the company proactively using IT solutions to safeguard proprietary information? Is a trade-secrets policy in place?

By conducting this review as part of the due-diligence process, the acquiring company can identify protection gaps and make sure these can be addressed as part of or after the acquisition.

Every company seeking to acquire or invest in another company should speak with an attorney who specializes in trade-secrets law to assist with the due-diligence process. This involves a relatively minor cost, especially compared to the risk minimized.

%d bloggers like this: