Trade secrets form an important part of any business’s intellectual property. A broad swath of information, from technical aspects of a product or service to pricing structures, market analyses, business strategies and customer lists can qualify for protection. Any information that is not generally known to competitors and has commercial value by virtue of its being unknown can be considered a trade secret.
While trade secret law varies from state to state, every state requires that trade secret holders take “reasonable measures” to ensure the confidentiality of such information. Absent such measures, no protection will be afforded.
With many businesses looking to move to permanent remote work environments as a result of the COVID pandemic, ensuring that reasonable measures are taken to protect trade secrets is imperative as businesses increasingly rely on the internet and communications technology to conduct their day-to-day operations.
As highlighted by a recent Delaware case, companies that fail to utilize all the security features available to protect information exchanged over the internet put their ability to protect their trade secrets at risk.
The Delaware court in Smash Franchise Partners, LLC v. Kanda Holdings, Inc. (Del. Ch. Aug. 13, 2020) determined that trade secret protection would not be afforded to information that was discussed on web-based videoconferencing platform Zoom because the plaintiff did not utilize security features available on that platform.
Smash Franchise Partners operated a mobile trash compaction business in which it brought truck-mounted rollers that could be used to compact garbage in a dumpster, allowing the dumpster to accept more garbage before needing to be emptied.
As a part of its business model, Smash sold franchises to entrepreneurs to run compacting operations in various protected territories. After signing an NDA, potential franchisees were invited to participate in weekly “Founders Calls” via Zoom, where Smash’s founder provided information about the company, including customer lists and business plans deemed confidential and trade secret by Smash.
Defendant Todd Perri was a potential franchisee who decided to open a competing business rather than obtain a Smash franchise. Before making that decision, he had executed Smash’s NDA and been given the Zoom access code for the next Founder’s Call.
Having decided to forgo the Smash opportunity, Perri nevertheless continued attending Founder’s Call meetings using the same access code, and ultimately participated in about 10 hours of Smash meetings while in the process of forming his own competing portable trash compacting company.
A month after Perri publicly launched his new business, Smash filed suit against him and his company, bringing claims for breach of the NDA and for misappropriation of trade secrets (among others), and seeking a preliminary injunction.
The court refused to enter an injunction, finding that Smash’s failure to use the security features available on the platform disqualified it from claiming trade secret protection in the information discussed during the Zoom calls.
The court noted that Smash freely gave the Zoom access information to parties who expressed sufficient interest in obtaining a franchise and never changed the Zoom meeting code, meaning anyone who had been granted access at any point could access the meetings indefinitely without regard to their current interest in joining the Smash team.
Smash further did not require a password beyond the access code, and did not utilize the “waiting room” feature of Zoom that excludes participants from the meeting until allowed in by the moderator.
Smash also did not follow its own procedures, which required the moderator to take attendance at each meeting and remove those who did not belong, and therefore could not determine whether anyone was participating in one of the meetings who should not have been present.
Smash serves as a cautionary tale for businesses that do not implement the security measures available to them for remote work.
Those failures to safeguard the information that was shared at the meetings constituted a failure to take the reasonable steps required under trade secret law. Thus, while the court noted that Perri had “engaged in disingenuous and underhanded conduct by participating” in the Zoom Founder Calls, the court denied Smash’s request for an injunction.
Smash serves as a cautionary tale for businesses that do not implement the security measures available to them for remote work. The “reasonable steps” element of Delaware’s trade secret law does not significantly differ from the federal Defend Trade Secrets Act that went into effect in 2016. Any business operating remotely would be wise to learn the lessons taught in the Smash case.
In addition to utilizing the security features provided by Zoom, Teams or other videoconferencing systems, businesses should ensure they take advantage of other readily-available security features for remote work, such as restricting the exchange of sensitive information to secure, encrypted networks such as VPNs and possibly the use of two-factor authentication methods.
Collaborative platforms should be updated regularly to ensure that all new security features are in place, and employees should be restricted to using only platforms that have been vetted and approved by the company.
Trade secret information should only be disclosed to those with a legitimate need for access, with access logs to positively identify which people have accessed confidential information.
Finally, care should be taken to ensure that people who should no longer be able to view confidential information, such as ex-employees or former business collaborators, are blocked from subsequent access.
Thomas McNulty is counsel at Boston intellectual property law firm Lando & Anastasi and the author of the D. Mass. IP Litigation Blog. He can be contacted at [email protected].