Trade Secrets and Confidential Information

In managing workforces, particularly when addressing employee turnover, employers often find themselves facing issues regarding how best to safeguard their confidential business information and how to protect their relationships with clients and employees. In recent years, the legal landscape underlying these issues has been evolving, as lawmakers and judges grapple with the tension in these matters between protection and free competition.

In this Take 5, we examine recent developments, both in the courts and legislative bodies, concerning trade secrets and employee mobility:

  1. Antitrust Action Against No-Poaching Agreements: The Trump Administration Continues Obama Policy
  2. Drafting “Garden Leave” Clauses in Employment Agreements
  3. Will Insurance Cover a Company Sued in a Trade Secrets Lawsuit?
  4. Defend Trade Secrets Act Developments in 2017
  5. New and Proposed State Statutes and Federal Legislation Limiting Non-Compete Agreements

Consider the following scenario: your organization holds an annual meeting with all Research & Development employees for the purpose of having an open discussion between thought leaders and R&D regarding product-development capabilities. This year’s meeting is scheduled outside the United States and next year’s will be within the U.S. with all non-U.S. R&D employees traveling into the U.S. to attend. For each meeting, your employees may be subject to a search of their electronic devices, including any laptop that may contain your company’s trade secrets. Pursuant to a new directive issued in January 2018 by the U.S. Customs and Border Protection (“CBP”), the electronic devices of all individuals, including U.S. citizens and U.S. residents, may be subject to search upon entry into (or leaving) the U.S. by the CBP. CBP Directive No. 3340-049A (Jan. 4, 2018).

The directive allows for the warrantless border search of electronic devices without a showing of reasonable suspicion. It differentiates between a basic search and an advanced search. A basic search allows officers, with or without suspicion, to examine an electronic device, including an examination of the information that is resident and accessible on the device. Information that is solely stored remotely may not be accessed. An advanced search is one in which the officer connects external equipment, through a wired or wireless connection, to an electronic device in order to “review, copy, and/or analyze” the contents of the electronic device. Advanced searches are permitted where there is a “reasonable suspicion” of criminal activity or for national security concerns. While the directive states that “[m]any factors” may create a reasonable suspicion or a national security concern warranting an advanced search, it articulates examples particularly aimed at national security concerns but does not provide much color as to what may constitute reasonable suspicion of criminal activity.

By issuing the directive, the CBP appears to align its position with that of the majority of federal courts that held reasonable suspicion is not required for border searches of electronic devices. See, e.g., United States v. Ickes, 393 F.3d 501, 506-07 (4th Cir. 2005) (rejecting reasonable suspicion requirement for laptop computer searches at the border); United States v. Linarez-Delgado, 259 Fed. Appx. 506, 508 (3d Cir. 2007) (rejecting reasonable suspicion requirement for border search of electronic data). Thus, the CBP may have also sought to reject the statements by at least one other court suggesting a requirement for a showing of reasonable suspicion before search of an electronic device. See, e.g., United States v. Cotterman, 709 F.3d 952 (9th Cir. 2013) (implying that officers need reasonable suspicion to conduct a border search of complex personal computing devices).

Can’t your employees just encrypt everything before international travel? Under the directive, travelers are required to present the electronic device (and the information contained within the device) in a condition that allows for the inspection of the device and its contents. Therefore, under the directive, officers may request an individual’s assistance in accessing the device if it is encrypted or password protected, and officers are authorized to detain a device pending a determination as to its admissibility into the U.S.; they may also exclude a device if access to it is prevented by encryption or password protection.

The directive provides officers with instructions regarding the handling of certain sensitive materials, including business information, medical records, and information protected under the attorney-client privilege. Upon encountering business or commercial information resulting from a search, such as confidential business information, officers are required to “protect that information from unauthorized disclosure[.]” Such confidential business information may only be shared with agencies or entities that have mechanisms in place to protect the information.

Companies should alert employees to the requirements under the new directive. Certain preventative steps should be considered to minimize the potential for disclosure of confidential information at the border, including: (1) minimizing the number of electronic devices with trade secret or confidential information; (2) minimizing the amount of confidential information on a device; (3) to the extent possible, using electronic devices that do not contain confidential information when international travel is required; and (4) considering whether confidential information on the device should be encrypted but with the knowledge that CBP may request that the device be unlocked. Companies should also be cognizant of other issues relating to encrypted devices, including U.S. export control requirements for traveling to certain countries and licenses that may be required for individuals traveling into certain countries with an encrypted device.

In the event of an inspection request by an officer, your employees should be prepared to alert the officer that the device contains confidential business information in order to protect against its disclosure. Employees should also carry company business cards to show officers requesting an inspection that they are an employee of your company.

Financial analytics firm Novantas, Inc. and two individual defendants closed out 2017 with a victory, securing the dismissal of claims by rival First Manhattan Consulting Group LLC (“First Manhattan Consulting Group”) [1], which accused them of competing unfairly by poaching First Manhattan Consulting Group’s employees in order to steal its trade secrets.  The result demonstrates the need for plaintiffs in such cases to be able to prove with specificity which trade secrets were taken or threatened by the defendants’ conduct.

The Complaint alleged that Novantas engaged in a “pattern and practice of poaching” First Manhattan Consulting Group’s employees, including defendants Peter Gilchrist and Andrew Frisbie in 2014, to gain access to First Manhattan Consulting Group’s confidential information.  These individuals, who were officers of First Manhattan Consulting Group, were subject to contractual confidentiality and employee non-solicitation obligations.  First Manhattan Consulting Group asserted causes of action for breach of contract against the individuals, for tortious interference with contract and unfair competition against Novantas, along with a misappropriation of trade secrets claim against all defendants.

The case went to trial in Supreme Court, New York County. Justice Barry Ostrager declined to submit the misappropriation claim to the jury, because the information presented by First Manhattan Consulting Group at trial did not appear to the Court to be a trade secret, and there was no testimony concerning trade secrets.  In its verdict, the jury unanimously found no liability on any of the other claims.  On December 19, 2017, the Court dismissed First Manhattan Consulting Group’s claims.

For practitioners, this outcome is a useful reminder that trade secret misappropriation claims require in-depth understanding of the client’s business, detailed allegations in pleadings of the legally required elements of a misappropriation claim and, at trial, a full presentation regarding the wrongdoing and what specific information was taken and how the plaintiff has been damaged.


[1] First Manhattan Consulting Group is unrelated to First Manhattan Co.

In First Western Capital Management Co. v. Malamed, Case Nos. 16-1434, 16-1465 & 16-1502 (10th Cir. Oct. 30, 2017), the Tenth Circuit Court of Appeals held that a district court erred in issuing a preliminary injunction to a party under federal and state trade secret law where the court presumed that the party would be irreparably harmed absent the injunction.

Ordinarily, in order to obtain a preliminary injunction, a moving party needs to establish, among other things, that it will suffer irreparable harm if the injunction is denied. This requires the party to show that there is a significant risk that it will experience harm that cannot be compensated by money damages.  In First Western Capital Management, however, the district court held that the plaintiff (First Western) was not required to establish irreparable harm because both the Defend Trade Secrets Act (“DTSA”) and the Colorado Uniform Trade Secrets Act (“CUTSA”) provide for injunctive relief to prevent misuse of trade secrets, and the evidence showed that the defendant was misusing or threatening to misuse trade secrets regarding First Western’s clients.  Thus, the district court held that irreparable harm “presumptively exists and need not be separately established.”  Had First Western not been excused from showing irreparable harm, the district court would have denied its request for injunctive relief because evidence was presented that showed that monetary damages could be reasonably quantified and would adequately make First Western whole.

The Tenth Circuit explained that courts may presume irreparable harm only when a party is seeking an injunction under a statute that mandates injunctive relief as a remedy for a violation of the statute.  When Congress or a state legislature passes such a statute, it effectively has withdrawn the court’s discretion to determine whether such relief is appropriate.  By contrast, when a statute merely authorizes injunctive relief, courts may not presume irreparable harm, as doing so is contrary to equitable principles.  Because DTSA and CUTSA only authorize, but do not require, injunctive relief, and because the evidence presented to the district court showed that monetary damages could be quantified in order to compensate First Western, the Tenth Circuit reversed the district court’s grant of the injunction to First Western.  Legal practitioners thus should carefully review the applicable statute to determine whether it mandates or merely permits injunctive relief; where such relief is not required, they should make a fulsome showing that their client will suffer irreparable harm without an injunction.

Plaintiff Art & Cook, Inc., a cookware and kitchenware company, brought suit in New York federal court against a former salesperson, Abraham Haber, when a search of his work computer revealed that he had emailed to his personal email account two categories of documents alleged by Art & Cook to be trade secrets: (i) its customer contact lists and (ii) its designs and branding/marketing strategies. Although the court already had issued a temporary restraining order, in Art & Cook, Inc. v. Haber, No. 17-cv-1634, 2017 U.S. Dist. LEXIS 164366 (E.D.N.Y. Oct 3, 2017), the court denied Art & Cook’s motion for a preliminary injunction brought exclusively under the Defend Trade Secrets Act (“DTSA”) because the company failed to demonstrate a likelihood of success on the merits of a DTSA cause of action.

First addressing the customer lists at issue, the court noted that the Second Circuit has long held that, under certain circumstances, a customer list may be deemed a trade secret – particularly where the customer list contains individual customer preferences or represents the list owner’s work to create a market for a new service or good. Where the list contains little more than publicly available information, even if it takes considerable effort to compile, it is not accorded protection under DTSA. The customer lists at issue in this case fell into the latter category, as they contained nothing more than a compilation of publicly available information including emails and phone numbers. The court said that the fact that it took the company “tens if not hundreds of hours” of research to compile those lists was insufficient under DTSA.

Turning next to the company’s designs and branding/marketing strategies, the court noted that such material was exactly the kind of business information that DTSA was designed to protect because they derive independent economic value from not being generally known. However, the company failed to show that it took “reasonable measures” to keep the information secret. For example, the company’s president testified that he spoke to Haber many times about confidentiality, but the company did not require him to sign a non-disclosure agreement. In fact, the company asked him to sign a non-disclosure agreement three years into his employment and, when he refused to sign, nevertheless gave him access to what it contended was confidential information. The court found that the company’s other steps to secure its information, such as utilizing a password-protected server and folders, were inadequate given such circumstances.

Given the lack of a likelihood of success on the merits as to the DTSA claim, the court denied Art & Cook’s motion for a preliminary injunction and advised that the claim was susceptible to a motion to dismiss. The court’s decision provides companies with insight into what kinds of information are trade secrets under DTSA and how they should protect their trade secrets.

It is highly likely that the National Association of Insurance Commissioners (“NAIC”) will adopt a model data cyber security law premised largely on the New York State Department of Financial Services (“NYSDFS”) cyber security regulations.  Recently, we discussed the NYSDFS’ proposed extension of its cyber security regulations to credit reporting agencies in the wake of the Equifax breach.  New York Governor Andrew Cuomo has announced, “The Equifax breach was a wakeup call and with this action New York is raising the bar for consumer protections that we hope will be replicated across the nation.”  Upon adoption by the NAIC, the NYSDFS regulations requiring that NYS financial organizations have in place a written and implemented cyber security program will gain further traction toward setting a nationwide standard for cyber security and breach notification.  Indeed, although there are differences, the NAIC drafters emphasized that any Licensee in compliance with the NYSDFS “Cybersecurity Requirements for Financial Services Companies” will also be in compliance with the model law.

The NAIC Working Committee expressed a preference for a uniform nationwide standard: “This new model, the Insurance Data Security Model Law, will establish standards for data security and investigation and notification of a breach of data security that will apply to insurance companies, producers and other persons licensed or required to be licensed under state law. This model, specific to the insurance industry, is intended to supersede state and federal laws of general applicability that address data security and data breach notification. Regulated entities need clarity on what they are expected to do to protect sensitive data and what is expected if there is a data breach.  This can be accomplished by establishing a national standard and uniform application across the nation.”  Other than small licensees, the only exemption is for Licensees certifying that they have in place an information security program that meets the requirements of the Health Insurance Portability and Accountability Act.  According to the Committee, following adoption, it is likely that state legislatures throughout the nation will move to adopt the model law.

The model law is intended to protect against both data loss negatively impacting individual insureds, policy holders and other consumers, as well as loss that would cause a material adverse impact to the business, operations or security of the Licensee (e.g., trade secrets).  Each Licensee is required to develop, implement and maintain a comprehensive written information security program based on a risk assessment and containing administrative, technical and physical safeguards for the protection of non-public information and the Licensee’s information system.  The formalized risk assessment must identify both internal threats from employees and other trusted insiders, as well as external hacking threats.  Significantly, the model law recognizes the increasing trend toward cloud based services by requiring that the program address the security of non-public information held by the Licensee’s third-party service providers.  The model law permits a scalable approach that may include best practices of access controls, encryption, multi-factor authentication, monitoring, penetration testing, employee training and audit trails.

In the event of unauthorized access to, disruption or misuse of the Licensee’s electronic information system or non-public information stored on such system, notice must be provided to the Licensee’s home State within 72 hours.  Other impacted States must be notified where the non-public information involves at least 250 consumers and there is a reasonable likelihood of material harm.  The notice must specifically and transparently describe, among other items, the event date, the description of the information breached, how the event was discovered, the period during which the information system was compromised, and remediation efforts.  Applicable data breach notification laws requiring notice to the affected individuals must also be complied with.

In a very thorough analysis following a 3-day preliminary injunction hearing, Judge Jed Rakoff declined to issue injunctive relief to a former employer seeking to enjoin four former employees and their new employer from competing or from soliciting clients or employees. The decision is far-ranging in the employee movement context, touching upon inadvertent retention of confidential information, the propriety of new employers providing broad indemnifications and large signing bonuses to the recruits, and the scope of allowable “preparatory conduct” in a one-year non-compete period, among other issues presented in the context of a group of employees in the eDiscovery services space collectively on the move.

Four senior sales executives of plaintiff Document Technologies Inc (“DTI”) collectively decided to leave DTI and signed new employment agreements with LDiscovery. LDiscovery provided the four with agreements that indemnified them from claims of improper conduct by DTI as well as significant signing bonuses to make up for lost compensation during the one-year non-compete period they agreed to abide by. The Court found nothing wrong with these agreements and also found that accepting employment and engaging in preparatory meetings and analysis of the marketplace were permissible preparatory acts that did not violate the non-competition prohibitions in their agreements with DTI. The Court also found that there was no breach of the employee non-solicit where the four employees coordinated their job search since they had each individually resolved to leave DTI in advance of coming together. Collectively reaching the conclusion to seek alternative employment was found not to be a breach of the employee non-solicit provisions each had in their agreement with DTI. The Court was skeptical that, where the employees were all “at will” rather than subject to a term contract, the three-prong test of enforceability under BDO Seidman could be met. The fact that they marketed themselves as a “package” deal was not unfair competition supporting a finding of breach. Similarly, LDiscovery could not be held liable for tortious interference by recruiting the team, providing them with signing bonuses and by indemnifying them.

This decision provides a good framework for legal analysis when determining the propriety of a team move and whether certain conduct of the employees and their new employer warrant injunctive relief.

In this age of social media, a frequently asked question is whether social media activity can violate a non-compete or non-solicit.   Although the case law is evolving, courts which have addressed the issue have focused on the content of the communication, rather than the medium used to convey it.  In so doing, they have distinguished between mere passive social media activity (e.g., posting an update about a new job) as opposed to more targeted, active actions (e.g., not merely posting about a new job, but also actively recruiting former co-workers or clients).

A “LinkedIn” case recently decided by the Illinois Appellate Court, Bankers Life v. American Senior Benefits, involved conduct which fell between these two extremes: an individual, Gregory P. Gelineau, who was contractually barred from soliciting former co-workers, sent three former co-workers generic requests to become “connections” via LinkedIn. The requests did not go further than that, but they were not purely passive in that they were sent to specific individuals. Gelineau’s former employer, Bankers Life, filed suit, accusing him of breaching his non-solicitation obligation.

After surveying decisions from around the country involving various forms of social media activity, the Court explained that the different results reached in these decisions “can be reconciled when looking at the content and the substance of the communications.” Here, the Court noted that the LinkedIn requests sent by Gelineau did not discuss Bankers Life or Gelineau’s new employer, did not suggest that the recipient view Gelineau’s new job description, and did not encourage the recipient to leave Bankers Life and join Gelineau’s new employer.  Rather, they were bare requests to become “connections” on LinkedIn.

The Court held that such bare requests were not the sort of direct, active efforts to recruit which would have been a breach of Gelineau’s contractual non-solicitation clause.

While the facts of Bankers Life fall in between the two extremes of social media activity addressed by other courts, the case ultimately turned on an evaluation of the content of the activity, as opposed to the medium.  This approach is consistent with that taken by courts whenever they are tasked with determining whether particular conduct constitutes an unlawful “solicitation.”

A recent decision from the Northern District of California, Magic Leap, Inc. v. Bradski et al., shows that employers must meet a high standard when filing a California Code of Civil Procedure Section 2019.210 disclosure statement under the California Uniform Trade Secrets Act (“CUTSA”). See California Civil Code § 3426 et seq. The disclosure statement, which does not have a counterpart in the federal Defend Trade Secrets Act, requires a plaintiff to “identify the trade secret with reasonable particularity” before it can conduct discovery of the defendants’ evidence. See California Code of Civil Procedure § 2019.210. The sufficiency of these disclosure statements is often hotly contested in litigations under CUTSA.

While there is no bright-line rule governing how much specificity should be in a Section 2019.210 disclosure statement, courts have explained that the trade secret must be described with sufficient particularity to separate it from matters of general knowledge in the trade or of special knowledge of those persons who are skilled in the trade, and to permit the defendant and the court to ascertain the boundaries within which the secret lies. See Altavion, Inc. v. Konica Minolta Systems Laboratory, Inc. (2014) 226 Cal.App.4th 26, 43-44. The Northern District’s Magic Leap decision reinforces the importance of emphasizing a trade secret’s novelty in a Section 2019.210 disclosure statement under the CUTSA.

As described in its pleading, Magic Leap is a start-up that is developing a “head-mounted virtual retinal display, which superimposes 3D computer-generated imagery over real world objects.” It brought suit against two former high-level employees and their venture, alleging misappropriation of its trade secrets, among other claims. When Magic Leap submitted its latest Section 2019.210 disclosure, defendants Adrian Kaehler and Robotics Actual, Inc. moved to strike, contending that Magic Leap provided only vague, conceptual descriptions of its technology, and merely described well-known, well-studied, and obvious issues in highly technical fields. Magic Leap argued that, among other things, the defendants confused Section 2019.210’s disclosure requirement with litigating the ultimate merits of the case. It also argued that the defendants confused trade secrets with patents, which must be novel and inventive.

On June 9, 2017, a California federal magistrate judge granted the defendants’ motion to strike, ruling that Magic Leap’s disclosures “in totality fail to disclose the asserted trade secrets with ‘reasonable particularity.’” The judge allowed Magic Leap to amend its disclosures in order to identify its asserted trade secrets with greater specificity.

Although at this time the magistrate judge’s reasoning in Magic Leap is not public record, the ruling is another example of a court requiring a more exacting level of particularity from plaintiffs bringing a CUTSA claim. The ruling also emphasizes that, even if extensive measures are taken to protect information, the novelty of the underlying trade secret may affect a court’s analysis of the viability of a CUTSA claim. Tips for employers to prevent and protect against trade secret misappropriation in California were recently discussed in EBG’s Take 5 Newsletter.