By Marguerite Walsh, shareholder, Philadelphia office of Littler Mendelson, P.C.
“We are going to aggressively protect our intellectual property. Our single greatest asset is the innovation and the ingenuity and creativity of the American people. It is essential to our prosperity and it will only become more so in this century.”
— President Barack Obama, February 2013
The Obama administration recently announced a strategic initiative designed to mitigate the theft of United States trade secrets. The administration’s multipronged approach encompasses: (1) sustained diplomatic efforts with trading partners to discourage theft of trade secrets, (2) encouraging U.S. businesses to implement best practices to minimize risk, (3) enhancing domestic law enforcement operations, (4) improving domestic legislation, and (5) education and outreach to the public and key stakeholders.
Clearly, the administration’s focus on minimizing the risk of theft of trade secrets recognizes the reality that businesses have faced for decades, made even more challenging by a difficult economic climate, increasingly sophisticated technology, and greater numbers of disaffected employees. Nowhere are these factors more prevalent than in the highly competitive life sciences industry. According to a 2009 study, nearly 60% of employees who quit or were discharged acknowledged taking proprietary data from their employers.
At the same time, companies facing these pressures are more anxious than ever to do whatever they reasonably can to avoid the loss of key employees and valuable information. These issues, however, are complex in any industry, and the workloads already facing human resource, compliance, and legal departments in the highly regulated life sciences industry are overwhelming. It is difficult enough, for instance, to address satisfactorily all the legal, regulatory, and other considerations involved in successfully bringing a new drug to market. Proactively undertaking a thorough review of the processes and programs in place to minimize the risk of losing confidential information often needs to take a back seat to solving the emergent and critical problems that arise every day. Too many companies, including those in the biotech, pharmaceutical, and related fields, find themselves in a state of indecision and paralysis — which is precisely the wrong approach. Instead of trying to tackle the entire problem in one fell swoop, companies would be well served by being mindful of the basics of protecting their proprietary information, key relationships, and personnel. This article provides some practical suggestions about how to do so.
Be Familiar With Applicable Agreements And The Legal Landscape
Many companies have no consistent approach to postemployment restrictions, particularly in situations involving mergers, acquisitions, and restructuring — all of which, of course, are common in the life sciences industry. Two key individuals performing virtually the same functions and having essentially the same potential to inflict competitive harm may be subject to two entirely different sets of restrictions, depending on the language of their agreements. Two agreements that are almost identical in postemployment restrictions may be vastly different in enforceability, depending on whether certain technical requirements (like consideration) have been met. Moreover, in some instances, even in sophisticated companies, it is difficult to find the relevant agreements due to ad hoc filing systems that have sprung up as the company has grown.
In addition to the practical difficulties faced by companies in the seemingly simple (but in truth very complicated) process of managing their agreements, it is also a challenge to keep up with the various legal developments that occur in this area, which of course are largely governed by state law. This is especially true in highly regulated industries such as biotech and pharmaceuticals, where the immediate focus often needs to be on the ever-evolving universe of legislation and regulations that directly impact the company’s ability to get the medication, device, or test out the door and available to the public. While for purposes of this article it is not possible to discuss in detail the various legal developments of the past few years, at least two trends are clear: (1) courts are becoming more attentive to the “technical” aspects of agreements containing postemployment restrictions, such as consideration, assignability, and the like, particularly as the traditional “time and geography” boundaries become more blurred, and (2) given the realities of a truly global workplace, courts are taking a more nuanced approach to the “time and geography” analysis. The takeaway is that companies should be more careful than ever about ensuring that the “technical” elements needed to render an agreement enforceable have been met — which, notably, have nothing whatsoever to do with the scope of the actual restrictions. Companies should also be careful about the traditional “kitchen-sink” approach of including every possible restriction in an agreement, to the broadest extent possible, in the hope that a court will find at least something enforceable in the mix; this is by no means guaranteed, if it ever was.
Perform An Audit Of Your Confidential Information And Trade Secrets
Companies faced with potential misappropriation of sensitive information by departing employees often address the situation in an unfocused (and therefore risky) manner because they cannot articulate concisely what is, and is not, considered proprietary. There is a tendency to categorize nearly every bit of information as proprietary when, in fact, that is not the case. This hurts credibility when the time comes to articulate to a factfinder (who, of course, knows nothing firsthand about the company) what actually is at stake, or its critical importance.
Companies are well served by conducting regular audits to identify and update the information that is considered protectable. As noted above, however, this undertaking is often impossible to accomplish due to limited resources and other, more immediate needs. This body of information may include not only technical/R&D information, but also production/process, cost/pricing, quality control, financial, and customer/client information. Those employees having the most relevant knowledge of the information in question should be consulted so that they can provide the best business explanation in real time (i.e., before the information heads out the door) as to why protection is warranted. Then, companies should institute (if they have not already) procedures whereby they can reasonably quickly identify and gather those categories of information within their various business units that are proprietary. At a minimum, companies should focus on the types of information and/or business lines where the risk is greatest. Certainly, misappropriation of proprietary information about a potential new drug or device could be devastating, so it is difficult to quarrel with a decision to start there.
Further, while technological advances create greater challenges than ever before to a company’s information security efforts, courts are still quite interested in the “tried-and-true” steps in place to restrict access. Any litigator who regularly handles these cases would much rather head into court on behalf of a victimized company with a strong list of preventive measures taken, no matter how mundane they may seem. These may include: stamping and labeling (including electronically) documents that are considered confidential, the use of security cameras, using sign-in logs at company facilities, preventing visitors from wandering unescorted through company premises, shredding or otherwise destroying copies of proprietary information, maintaining physical barriers to access when appropriate, using and updating proper password protection, using appropriate monitoring software, including a policy in the handbook concerning access to confidential information, including in job descriptions relevant provisions for employees who have access to proprietary information, and using nondisclosure agreements. Life sciences companies tend to be among the leaders in these sorts of protocols, but it is advisable to re-examine and update them regularly.
Finally, do not underestimate the value of the exit interview and the practice of sending reminder letters to departing employees as to their postemployment restrictions after they leave.
Understand The Challenges Of The “Bring Your Own Device” Movement
Thanks to the blurred (and in some cases eradicated) lines between work and nonwork activities, companies face new challenges relating to the use of personal devices for both work and nonwork purposes (i.e., bring your own device, or BYOD). Protecting confidential information becomes even more difficult in this context. Simply firing an employee who is found to have stored confidential company information on such a device is not necessarily the answer. In fact, a recent study by the Ponemon Institute shows that companies are often unaware of whether data, and what kind, might be leaving their networks via nonsecure mobile devices.
While the BYOD movement could form the basis of a much lengthier treatise, ultimately the question is one of balance. Many companies already sanction dual-usage devices, so the question becomes one of finding the best mix of practices to address the realities of the work situation and the need to maintain confidentiality. Considerations to keep in mind are: possible company ownership of the device, greater emphasis on confidentiality agreements and related training, attention to the ramifications of the use of cloud-based storage, strong enforcement of policies relating to reporting requirements for lost or stolen devices, and the use of MDM (mobile device management) software that allows companies to remotely manage and configure many aspects of dual-use devices.
Establish And Maintain A Culture Of Protection
The most effective step a company can take to guard against the theft of its trade secrets and proprietary information has little or nothing to do with the law. Rather, it all starts with company culture. Employees know when they are simply being talked at, with no commitment behind the words. Conversely, when they work hard as a team to help create a breakthrough drug that could save millions of lives, they need to understand that their efforts are worthy of protection. When they get the message that the company will back them up when that work is threatened, their trust level grows. Moreover, a company needs to practice what it preaches on both sides of the equation — not only in protecting its own legitimate interests but in being mindful of its competitors’ legitimate interests when hiring from those competitors.