Protection of trade secrets
CMS PROTECT | Ready for the new legislation
New legislation on protection of trade secrets – what your company needs to do
On 26 April 2019, the Trade Secrets Protection Act (Gesetz zum Schutz von Geschäftsgeheimnissen) entered into force. It transposes the EU know-how protection directive into German law and substantially changes the legal framework for protecting secrets.
The new law means that keeping information confidential is no longer sufficient to ensure legal protection for trade secrets. Companies must now actively take “reasonable steps to keep information secret” – and be able to prove this. Otherwise, in a worst-case scenario there is no legal recourse against data thieves and corporate spies in the event that your trade secrets are stolen. With CMS PROTECT, you can make sure your company is properly prepared for the new requirements. In the following, we explain what you particularly need to be aware of when protecting trade secrets under the new legal regime. We also present CMS PROTECT in more detail.
Old legal situation: quasi-automatic protection of trade secrets
Know-how, strategies, ideas, innovations and customer lists are all crucial company assets that constitute sensitive information. Although this information cannot always be protected as industrial property rights (trademarks, designs, patents, etc.), it nevertheless needs to be safeguarded against unauthorised access by third parties. There is otherwise a risk that these crucial corporate assets could be stolen with impunity by third parties.
Up to now, companies have been able to rely on quasi-automatic protection of this type of confidential information as business secrets. Although statutes only provided incomplete protection of trade secrets (Sections 17 - 19 of the Unfair Competition Act (UWG)), case law to date has defined as a trade or business secret any fact relating to a business operation that
- is not obvious, but
- known only to a limited group of persons, and
- which the business owner aims to keep secret.
This meant that it was sufficient to mark an item of information as confidential, for example, to show that it was intended to be confidential and as such a trade secret. Case law actually went one step further, allowing trade secret protection to apply if the desire for secrecy was evident “from the nature of the fact to be kept secret”. This was generally the case with regard to confidential information relating to complex matters, for example. As a result, legal protection of trade secrets was mostly in place without action of any kind being taken by the owner of the secret.
New legal situation: “trade secret” redefined – companies must take action
The Trade Secrets Protection Act now adopts and expands the new definition of trade secrets enshrined in the know-how protection directive. The provisions of Sections 17 ff. UWG no longer apply.
As the law now stands, a trade secret under the new Trade Secrets Protection Act is information
a) that is not generally known or readily accessible, either in its entirety or in the precise arrangement and composition of its components, to persons in the circles that normally deal with this type of information and is therefore of economic value;
b) that is subject to appropriate confidentiality measures by its lawful holder under the circumstances; and
C) where there is a legitimate interest in the secrecy of the information.
Crucially, companies must now actively take “reasonable steps to keep information secret” to ensure that certain confidential information can qualify as a trade secret. If they fail to do so, they lose legal protection of the information in question and cannot assert claims against data thieves and corporate spies.
When are steps to keep business information secret “reasonable”?
Neither the Trade Secrets Protection Act nor the associated explanatory notes say what constitutes “reasonable steps to keep information secret”. Whether a trade secret is subject to “reasonable” protection therefore depends on the specific business information to be protected. The more important, complex and confidential the information is, the stricter the requirements for reasonable protection. When a company’s “crown jewels” are involved, the organisation must take much tougher and more extensive steps to maintain confidentiality than is the case for routine confidential information, for example.
This means that design drawings, ideas or business models, for instance, must be assessed individually to determine whether they require stringent confidentiality measures, such as internal access restrictions, detailed non-disclosure agreements with partners and strict IT security. In the case of less critical confidential business information, such as simple customer lists, less stringent measures may be sufficient and reasonable.
Three-level system for protecting secrets – peace of mind with CMS PROTECT
The Trade Secrets Protection Act requires companies to take reasonable steps on three levels to protect trade secrets:
- Legal (e.g. reviewing non-disclosure agreements and related clauses in existing contracts; ensuring contractual protection of deliverables and IP, for example; assessing the enforceability of employment law measures)
- Organisational (e.g. a hierarchy of access restrictions based on confidentiality levels; drawing up internal organisational instructions and guidelines for action)
- Technical (e.g. ensuring that the very latest IT security is in place; physical access controls; safeguards against products being reverse-engineered).
Finding the right balance of “reasonable steps to keep information secret” will pose a major challenge for companies in practice. As long as there is no established case law on the “reasonableness” of confidentiality measures, companies are advised to do too much rather than too little in order to be legally, organisationally and technically capable of protecting their trade secrets.
We developed CMS PROTECT specifically to get your company ready for the new secrecy protection requirements. Read here how you can use CMS PROTECT to protect your company against corporate spies and data thieves.