Effective trade secret and know-how protection is at the core of every technology transaction. Corporate technologies, technical know-how on algorithms, processes and designs as well as knowledge of manufacturing and materials represent essential corporate assets of a tech company. Their protection should be the main concern of the seller, who provides the buyer with deep insight into the target company’s business operations as part of the due diligence process, without the certainty that the transaction will be successfully completed. At the same time, it is in the interests of the buyer that the essential assets of the target company are safe from unauthorized access and industrial espionage and are available to the buyer without restriction after the transaction. With the coming into force of the Trade Secrets Act in April 2019, the requirements for effective protection of secrets have increased significantly and this has been confirmed by some early court decisions. General Electric’s international billion-dollar damages claim against Siemens Energy earlier this year for unauthorised use of another’s trade secrets has brought the issue further into focus.
Requirements for effective protective measures under the Trade Secrets Act
Without adequate proactive measures, trade secrets are now no longer protected. In addition, the Act establishes far-reaching rules on liability. The central concept of the Act, a trade secret, is defined as (i) confidential information that has economic value, (ii) is protected by appropriate confidentiality measures and (iii) for which there is a legitimate interest in keeping it secret. The requirement of “appropriate proactive measures” is of key importance. A case-by-case assessment is required, taking into account, inter alia, the importance of the know-how to be protected, the value or development costs, the delimitation and identification within the company and the size of the company. As a general rule, the more important and valuable the know-how to be protected is, the more extensive are the required confidentiality measures. The requirements for a tech start-up will be lower than for a mature software company. The starting point of the law is that a trade secret does not exist if a company cannot demonstrate appropriate protective measures for its own know-how. In this case, there is no legal protection.
Appropriate know-how protection measures prior to the transaction
In the preliminary phase of a technology transaction, the target company, the seller and the advisers should take a close look at the know-how protection measures available in the company. The know-how available in the target company should first be categorized according to importance and risk and divided into key technologies, important know-how and sensitive information. On the basis of this classification, appropriate protection concepts must be implemented. In addition, the protection concept must also be flexible and future-proof, i.e. it must also be reviewed regularly.
As a rule, a triad of organisational, technical and legal measures can be considered as protective measures.
- Organisational measures: Restricting the flow of information within the target company and setting up differentiated authorisation systems (so-called need-to-know-principle); identifying avenues of attack, reviewing IT security and documenting the protective measures taken; appointing a secrecy protection officer in the case of larger companies; training the transaction team on how to handle company know-how in the due diligence phase.
- Technical measures: Restriction of access to essential know-how by means of access control systems, encryption technologies, authentication requirements, logging systems and firewalls; establishment of access regulations for due diligence, verification of essential know-how, if necessary, only on the company’s own systems under supervision or, in the case of provision on external systems, only by trustworthy third parties.
- Legal measures: Conclusion of special non-disclosure agreements (NDAs) with employees who are holders of confidential information and with relevant cooperation partners of the target company; conclusion of corresponding NDAs and, if applicable, clean team agreements with the potential buyer and its advisers in the run-up to the transaction.
Impact on due diligence and transaction documentation
Trade secrets are only protected as long as and to the extent that the information has not been made publicly available or a person who lawfully obtains knowledge of the information is not restricted in obtaining the trade secret. Appropriate safeguards must therefore be agreed between the seller and the buyer prior to the due diligence. In principle, an NDA offers protection against the potential buyer using knowledge gained from the disclosed information. However, it may be doubtful that a conventional confidentiality agreement, which is usually generic, can also be seen as an appropriate confidentiality measure. Instead, a specific reference should be made to the essential know-how to be protected in the context of the transaction. If a specific reference to the company technology is not practicable, dynamic references to the subject matter of the protection or to a certain category of appropriately marked information can be used. At the same time, in addition to maintaining confidentiality for further legal protection, the type of use of the information and the modalities of access to it should also be clearly defined. Since so-called reverse engineering has now also been legalised under the Trade Secrets Act, standard NDAs should also be adapted to this and corresponding reverse investigations should be excluded in the agreement.
At the same time, in the case of particularly sensitive or easily copied information, it is advisable to require the buyer to set up a clean team and conclude a clean team agreement. This ensures that only a limited group of people has access to the information to be protected. In addition, it can also be agreed that certain aspects are only to be reviewed at an on-site meeting under the supervision of the target company. This is useful, for example, in the case of a code review of self-developed software and excludes the possibility that copies, possibly unintentionally, remain with a prospective buyer. In addition, the disclosure of information should be graduated according to the categorization of trade secrets. Information on the most essential know-how should only be disclosed at the end of the due diligence process.
From the buyer’s point of view, the protective measures of the target company must be reviewed in the course of the due diligence and the catalogue of warranties in the SPA must be adapted to the protection of trade secrets and already identified risks must be reflected in the form of indemnifications. If the target company does not comply with the requirements for the protection of trade secrets contrary to the assurances in the SPA, there is already no protected know-how according to the definition of the Trade Secrets Act; injunctive relief or claims for damages in case of use of the company technology by third parties would thus be excluded. In this case, the buyer would at least have a claim for damages based on the breach of warranty.
Further liability issues in know-how protection
The Act gives rise to further liability risks, in particular vis-à-vis third parties. The protection concepts in place in the target company should therefore also be examined in the due diligence process to determine the extent to which a breach of third party trade secrets and any use of third party know-how is prevented. This is particularly obvious if the target company has concluded research and development agreements or co-operations with other companies. Careless handling of know-how of contractual partners by the target company is sufficient to trigger claims for injunctive relief and damages.
