Getting your IP in order: protecting confidential information

Out-Law Guide | 16 Dec 2020 | 9:59 am | 4 min. read

As part of an intellectual property audit, businesses must identify the information which is confidential to the business and take steps to ensure it is properly protected from loss and misuse.

This is part of a series of guides from Pinsent Masons. See our other guides on how to understand and protect IP and stay in control of IP.

Confidential information is not an intellectual property (IP) right as such. However, like IP rights, it can be a business critical asset. This is particularly true of 'trade secrets', which is information that is an essential part of the manufacture of a product or provision of a service.

Trade secrets directly impact on business output, revenue generation and market position. Examples include blends, volumes or concentrations of chemicals used in a production process, customer lists or recipes and ingredients for food items – the recipe for Coca Cola being the example most often cited. Information of this nature can only be protected by keeping it secret. There is no specific registered or unregistered protection available.

Trade secrets can be contrasted with the more day-to-day confidential information generated by the business, such as financial statements. A business must ensure that both trade secrets and confidential information are properly protected from loss and misuse. However, because they are business critical, particular attention should be given to protecting trade secrets.

If trade secrets fall into the hands of a third party, that third party is put in a position to compete with the business. Although a business can initiate legal proceedings to try and stop that, these can be costly and are, necessarily, after the event. The confidentiality of information once lost is, effectively, lost for good and with it the competitive advantage that the information gives. It is always better to ensure that trade secrets are properly protected from falling into the wrong hands in the first place than to take steps to stop it being misused following loss. In the context of trade secrets and confidential information, prevention is certainly better than a cure.

In addition, remedies for trade secrets misuse under the EU Trade Secrets Directive are only available where it can be shown that "reasonable steps" have been taken to keep that information secret. Despite Brexit, the Directive will still be relevant in the UK after 1 January 2021, as it has been incorporated into UK law by legislation.

Practical steps for businesses 

There are best practice steps businesses can take to protect their trade secrets and confidential information.  

Employee and contractor access to the information should be limited, both physically and virtually. Hard copy documents should be stored securely, with access rights for only a small number of named individuals. Soft copies should be stored in a locked-down part of a document management system, or otherwise password protected. Particularly sensitive information should be encrypted.

Where the information is needed as part of the 'factory floor' production process, each employee should only be told that part of the information which relates specifically to the job they do. Broken up in this way amongst a number of people, the information is very unlikely to be revealed to a third party in any meaningful way.

Both hard and soft copy documents should be marked as confidential. Some organisations have introduced 'traffic light' confidentiality tiers, marking documents as red, amber or green according their sensitivity. 

Employee training is important to maintaining effective confidentiality systems. At the least, annual training should be provided to ensure that employees appreciate the importance of confidentiality to the business and, as a result, their job security, and that they understand the specific procedures that are place and the consequences of failing to comply with them.

A comprehensive confidentiality policy should be introduced and all employees given free access to it, typically via an intranet. That policy should specifically deal with the position when employees leave the business. An employee should be reminded of these leaver protocols, in writing, on resignation to minimise the risk of employee theft of trade secrets, and this should be appropriately reinforced during any exit interview.  

The business should enforce, and be seen to enforce, its rights in the confidential information. While a business will always want to maintain its good public reputation, businesses that take appropriate enforcement action in respect of confidential information misuse by employees or third parties do often find that the need to take this action becomes less over time as it develops a reputation for taking swift enforcement action. Interim injunctions are available in respect if threatened or actual misuse of confidential information so businesses should not delay in taking legal advice once loss of some information becomes apparent. 

The role of NDAs

During discussions with third parties, for example around pitching new idea or discussing new projects, care should be taken to disclose only that part of the confidential information that is strictly necessary for the discussion. The discussions should be subject to a non-disclosure agreement – otherwise known as an NDA – which restrains, usually, all parties to the discussion from disclosing any confidential information that has become known to them.

NDAs should never be regarded as 'standard documents' and simply used off the shelf in respect of every confidential discussion. They need to be carefully tailored for the discussion concerned, in particular by reference to the specific information being disclosed and the permitted use of the information. Ideally, a broad definition of what constitutes confidential information should be used, going beyond merely high level trade secrets or information marked as confidential, to ensure the NDA gives the best possible scope of protection. 

If you can, limit the people the recipient of the information can disclose it to and name them if you can. Avoid a term which allows the recipient to disclose the information to a 'representative', as this could potentially cover a very broad range of individuals. 

Also, avoid a fixed or short term for the NDA. Ideally, the restrictions in the NDA should be expressed to be binding for as long as the information in question remains confidential. Also remember to include a provision requiring the information to be returned to the disclosing party, or securely destroyed, once the discussions have concluded.

It can be easy to sign an NDA and then relegate it to an office drawer. NDAs are living documents. They should be monitored and adapted if necessary as the discussions progress.

NDAs are recommended, but are not the complete answer. A party subject to an NDA may still misuse the information or otherwise cause it to fall into the public domain. The disclosing party will have a contractual remedy in such circumstances, but the confidentiality of the information will never be recaptured. That might require the disclosing business to re-evaluate and change aspects of its business model to stay competitive, which would very likely be time-consuming and costly.

The issue of how to protect trade secrets and confidential information was discussed by IP law experts at Pinsent Masons, the law firm behind Out-Law, in a recent webinar: 'Solutions for Getting Your IP House in Order' is available to download.