What are “reasonable measures for protecting trade secrets”?

#trade Secrets, #trade Secrets directive (EU) 2016/943, #Art. 2 (1), #reasonable measures for protecting trade secrets.

The holder of a trade secret can only claim protection under the German Trade Secrets Act if he applied "reasonable measures” for protecting the trade secret, cf. also Art. 2 (1) of the Trade Secrets Directive. Thus, anyone wishing to invoke trade secret protection must be able to demonstrate and prove that the relevant information is protected by objective and reasonable confidentiality measures.

Even three years after the German Trade Secrets Act came into force, it is still unclear what this exactly means in practice, as the Higher Regional Court of Schleswig recently highlighted in an important decision on this aspect (Higher Regional Court of Schleswig, decision of April 28, 2022 - 6 U 39/21). In any case, a blanket statement as to which measures are considered reasonable cannot be made. Instead it depends on the individual case and its circumstances. If one analyzes the relevant case law of the recent years on this aspect, the following picture appears: On the one hand, not every piece of information requires maximum protection; the law does not demand "perfect protection". The requirements for the practical effectiveness of the measures must also not be overstretched. In principle, the holder of a trade secret may e.g. trust that his employees and business partners will behave in a law-abiding manner and comply with the confidentiality obligations imposed on them. On the other hand, the courts have in many cases ruled that the confidentiality measures taken by holders were inadequate. With harsh consequences: As this may lead to the irretrievable loss of the trade secret! As a rule: The more important the trade secret is and the higher the risks are, the greater the efforts must be to protect the trade secret. However, the confidentiality measures must always remain practicable for the respective company; the secret must actually remain useable. It is therefore not always necessary for the holder to lock away the "crown jewels"  in a safe - e.g. if the information to be protected is a list with customer data that must be accessible to certain employees on a daily basis.

In practice, it is apparent that many companies have not yet developed any concept for protecting their trade secrets or that the existing concepts do not meet the high standards of the case law. But even once a protection concept has been implemented, this is not the end of the story. It needs to be continuously reviewed and, if necessary, adapted. Holders tend to ignore that they bear the burden of proof that they have implemented such a concept and “lived” it in day-to-day operations. This requires very careful documentation of the measures taken. To illustrate this: In case of a dispute, it might not be sufficient to outline that regular employee training sessions were held. The holder must also be able to present and substantiate the relating details.

So what needs to be done if the company has not yet implemented a protection concept or if it has not been checked for a long time?

The starting point is always a comprehensive inventory: Which information exists in the company and what should or must be protected in order to stay ahead of competition. It is then recommendable to categorize the information based on its importance for the company's business operations; as explained at the beginning, the crown jewels of a company require – depending on the individual case and practicability – different / higher protection than information with a lower need for protection. It is therefore essential to ask what kind of information is involved, what economic value it has (e.g. with regard to its development costs), for which tasks / business operations it is needed, and what importance it or its confidentiality has for the company. Other aspects comprise the size of the company and its economic situation. Finally, depending on the level of protection needed, the company needs to take more or less far-reaching technical (e.g., secure passwords, encryption of communications, clear marking of information requiring confidentiality), organizational (e.g. introduction of a strict "need-to-know" principle, access restrictions, installation of alarm systems, firewalls, prohibition on the use of private storage media; implementation of a compliance system) and contractual measures (e.g. confidentiality agreements with employees and contractual partners; general guidelines and instructions) to protect the relevant information. Once again, however, the devil is in the details, as the case law on "catch-all clauses" in employment contracts underlines.

In practice, the high standards that the courts have recently defined for the "reasonability" of confidentiality measures pose major problems for many companies and often jeopardize successful judicial enforcement of a holder asserting misappropriation. This is particularly annoying if contractual measures that were taken in advance turn out to be ineffective (such as excessive and thus invalid confidentiality clauses in employment contracts) with the result that the company can base its claims neither on contract - nor on statutory law. However, the Higher Regional Court of Schleswig clarifies in its above-mentioned decision that there is also no "automatism" in such a way that invalid confidentiality clauses always lead to “unreasonable” confidential measures (which would mean that that relevant information is not protected at all). Rather, in such cases, the other measures taken by the company to protect its trade secrets become even more important (cf. also Local Labor Court Aachen, decision of 13.01.2022 - 8 Ca 1229/20, we reported).

Obviously, the German Trade Secrets Act / the Trade Secrets Directive have significantly increased the pressure on companies to protect their trade secrets through a bundle of measures – which have to be carefully documented. Otherwise, there is a high risk that the company's proprietary know-how gets irretrievable lost.