Protecting Company Confidential Data in a Free Employee Mobility State: What Companies Doing Business in California Need to Know in Light of Recent Decisions and Evolving Workplace Technology

• Publication year: 2019
• Author: By Bradford K. Newman

PROTECTING COMPANY CONFIDENTIAL DATA IN A FREE EMPLOYEE MOBILITY STATE: WHAT COMPANIES DOING BUSINESS IN CALIFORNIA NEED TO KNOW IN LIGHT OF RECENT DECISIONS AND EVOLVING WORKPLACE TECHNOLOGY

By Bradford K. Newman¹

I. INTRODUCTION

California's long standing public policy of encouraging employee mobility is a hallmark of the state's start-up, tech-focused industry, and it is well understood that California Business & Professions Code section 16600 prohibits "every contract by which anyone is restrained from engaging in a lawful profession, trade, or business of any kind is to that extent void[.]" However, when it comes to protecting a company's intellectual property ("IP"), and particularly trade secrets, from potential "insider" (i.e. employee) threats, employee mobility that includes the movement of employees to and from competitors poses unique challenges. The legal limits of specific measures designed to protect IP can be unclear and confusing. And many companies are not aware of the latest developments concerning protective measures they have long taken for granted as permissible. This article addresses some of steps companies should be utilizing to protect their valuable trade secrets, and explains a very recent but important change in the law regarding the enforceability of employee non-solicitation agreements.

II. ACCOUNTING FOR CORE TRADE SECRETS—WHAT PRECISELY WARRANTS PROTECTION?

Trade secrets are valuable corporate assets in the form of "information, including a formula, pattern, compilation, program device, method, technique, or process, that: (i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy."²

Such assets are often intangible, and before they can be protected, a company must internally identify precisely what constitutes its non-public, commercially valuable information. This can be a daunting task, especially when courts generally disfavor overbroad classifications of purported trade secrets.³ Once core trade secrets are identified, companies can use a number of means to protect them, including, for example: (1) drafting, distributing and enforcing company policies designed to protect confidential information; (2) requiring employees to sign confidentiality agreements; (3) restricting internal access to confidential information; (4) restricting the use of certain computer media like cloud storage and USB devices; (5) electronically or physically tracking access to and disclosure of confidential information; (6) using confidentiality agreements with customers and licensees; and (7) implementing a high risk departure program, explained below. Based on recent developments in California jurisprudence, confidential information agreements can be especially valuable, as they can be used to prohibit an employee's use of confidential information even if the information does not rise to the level of a trade secret. Protective measures are a legal necessity, as courts increasingly focus not only on the substance of the alleged trade secret, but on what steps the corporation takes to protect them.⁴

[Page 116]

III. UNDERSTANDING THE CAPABILITIES, AND GAPS, IN CORPORATE IT INFRASTRUCTURE: ESTABLISHING THE RULES AND A MONITORING PROGRAM FOR EXISTING EMPLOYEES

In light of the numerous and ever-evolving methods of data storage and transmittal, today's companies face significant hurdles in protecting their confidential information from potential exfiltration by current and departing employees. As one means of protecting IP, companies should engage in some form of forensic monitoring of their own systems. While companies should consult with local counsel regarding legal limits on certain forms of monitoring, this article sets out a few potential means of data theft of which employers should be aware.

At a minimum, companies should institute and distribute a computer usage and/or acceptable use policy that details the company's computer monitoring rules and various restrictions on an employee's activity. Monitoring for misuse of the corporate email system alone, through standard third party data loss prevention programs, is not sufficient. Companies must also determine what will be allowed as far as "off-server" storage and transmission of critical company data through cloud storage, attached USB drives, and mobile applications. Employees can easily transfer an almost unlimited amount of company data off the company systems through these means. Questions that must be answered include, for example, whether the company will ban (and electronically block) the usage of attached storage devices, restrict access to and use of third party hosted cloud storage providers, outlaw the use of mobile messaging applications like WhatsAPP, prohibit the transfer of data sets above a certain designated size, and store especially sensitive data on segregated servers to whom only specifically designated employees will be provided access credentials. Once these risks are accounted for, they must be implemented from an IT perspective and then monitoring and notification mechanisms put in place. Once this is accomplished, clear policies placing employees on notice of the rules should be disseminated and all employees should be educated and sign acknowledgement forms.

[Page 117]

It should be noted that there are several additional technical means for preventing data theft that are beyond the scope of this article, and which will not be right for every company. Careful strategic thought, from a legal, technical and human relations perspective, is required before crafting the optimal and individualized plan for each company. The common requirements are the ability to identify what data requires the most protection and a complete understanding of the technology available to the employee base. Without this understanding, a company will never be able to craft a best-of-breed data loss program.

IV. PROTECTING INTELLECTUAL PROPERTY THROUGH CONTRACT

It is well-understood that a critical part of protecting data from insider threats involves requiring employees to sign agreements acknowledging the IP to which they will be exposed, confirming the company's legitimate need to protect such information, and agreeing to hold it in confidence and to use it only for the company's benefit. What many companies that operate in California do not know is that special language is required when it comes to protecting information that does not rise to the level of a trade secret and which in many other jurisdictions is colloquially referred to as "proprietary information" and often and incorrectly confused with a statutory "trade secret." And in light of recent case law, there is considerable confusion about the use of employee and customer non-solicitation agreements. Since almost every company uses some sort of contract as part of the effort to protect its IP, and too often times relies on a template form drafted years ago by outside counsel or a now departed in-house attorney, a clear understanding of California law in this regard is mandatory since the risk is that the company's "Confidential Information Agreement" will be deemed void and/or violative of the law, which can expose the company to liability under California's Private Attorney General Act (PAGA), Business and Professions Code section 17200 et seq. (unfair business practices) and a host of other potential risks.

A. Protecting Information That Does Not Rise to the Level of a Trade Secret

In data theft cases, for different reasons, both plaintiffs and defendants regularly argue over whether the information at issue is protectable when not a trade secret. To avoid preemption of common law claims under California's Uniform Trade Secret Act, the plaintiff-corporation in a trade secret case may argue that some or all of what is at issue is merely "proprietary" rather than a statutorily protected trade secret. The defendant-employees and competitors may argue that the data is not a trade secret, and thus not protectable in any manner. This distinction between trade secret information and information that is non-public but does not rise to the level of a trade secret is a nuanced but important one that courts have grappled with over the years. In California specifically, a key Court of Appeal case and its progeny articulate the complexities of the issue that attorneys advising clients on data protection must thoroughly understand and account for when reviewing contracts designed to protect IP.

[Page 118]

In Silvaco Data Systems v. Intel Corp,⁵ the California Court of Appeal held that Silvaco's common-law claims (including claims for conversion, unlawful business practices, and conspiracy) were preempted because they overlapped with the plaintiff's trade secret misappropriation claim. In issuing its order, the Court found that there was no attempt "to identify any 'Silvaco property' other than the trade secrets supposedly used to create [the product]. The non-CUTSA claims therefore. . . . attempt to evade the strictures of CUTSA by restating a trade secrets claim as something else."⁶

In often cited dictum, the Court in Silvaco noted that "[i]nformation that does not fit [the statutory definition of a trade secret], and is not otherwise made property by some provision of positive law, belongs to no one, and cannot be converted or stolen. . . ."⁷ How that bears in practice is somewhat an open question. Some cite to Silvaco for the proposition that all common law claims premised on the misappropriation of information that does not rise to the level of trade secret protection are preempted, as only trade secrets are afforded protection under California law.⁸ However, others argue that, based on the Court's carve out for information "otherwise made...