What Are Your Decision-Makers Doing To Protect Trade Secrets?

Federal Trade Commission (FTC) v. Wyndham Worldwide Corp., 2015 U.S. App. LEXIS 14839 (CA3, Aug. 24, 2015) is a double espresso for directors and officers of companies that own trade secrets, and especially large, publicly traded companies that own trade secrets.

In FTC v. Wyndham, the U.S. Court of Appeals for the Third Circuit held that the FTC is authorized to regulate cybersecurity, i.e., investigate and sue companies whose deficient or lack of cybersecurity constitutes an unfair act or practice, and that Wyndham had fair notice its specific cybersecurity practices could be subject to FTC regulation.

So, what does an FTC, cybersecurity-based action have to do with trade secrets and measures to protect them? For a perceptive trade secret owner, plenty.

A trade secret owner’s directors and officers should take away two main lessons from FTC v. Wyndham:

(1) the straightforward take-away: deficient or a lack of cybersecurity can expose a company to FTC scrutiny, investigation and penalties; and

(2) a less obvious, but still compelling take-away: FTC v. Wyndham might be a general roadmap and motivation for a shareholder derivative suit against company directors and officers, or a shareholder or other stakeholder (e.g., joint venture partner) suit against the company, if (a) company trade secrets are stolen or lost because of deficient or a lack of protective measures, including, perhaps, deficient or a lack of cybersecurity, and (b) the company, shareholders, stakeholders or some combination of those persons sustain harm, including loss of revenue and profits (from, e.g., lost product sales, lost licensing fees or both), loss of market share and loss of market capitalization.

Properly protecting customer assets, including credit and debit card information, should be a priority. Properly protecting company assets, including trade secrets, also should be a priority. In fact, failing to devote sufficient attention and resources to protect both types of assets can create a glaring imbalance that can increase a company’s exposure to certain losses and litigation. So, a proper course for a company? Four steps: (1) educate (motivate) the decision-makers, (2) appreciate that, when it comes to protecting assets in the cyber-age, maintaining the status quo is often not a rational option, (3) periodically take meaningful steps to appreciate what the assets are, what is being done to protect them and, if there are differences in protective measures across asset classes, why that is so and if it should be so, and (4) periodically add, supplement or update protective measures, as appropriate.