P.A. Neena Gupta
Associée
Webinaires sur demande
FPC/FJC :
61
GORDON HARRIS: All right. Well, we're up over 80 participants already, so let's get started. And few people will probably join while I'm doing the introduction. Greetings to you all wherever you may be in the world, and welcome to the latest in our IP webinar series, The Lifecycle of a Smart Idea. My name is Gordon Harris, I'm a member of the Global IP leadership team at Gowling WLG, and I will be your moderator today. Loyal participants and followers of this webinar series know that this is not the first time we have focused on trade secrets. Indeed, the very first event, three years ago now dealt with trade secrets.
The difference this time is that we now assume that you know what the big issues are, and we want to pass on some really practical tips to help police this valuable corporate asset. We will talk to you about putting measures in place to meet the reasonable steps standard to trade secrets, from hiring and firing to managing private data and preparing for cyber threats. We brought together Gowling WLG professionals from across our practice areas and offices, trade secrets are not just an IP concern.
So please join me in welcoming our employment partners-- Jonathan Chamberlain from the UK, and Neena Gupta from Canada. Both have a wealth of experience advising global companies on among other things, creating robust trade secret protocols, documentation and training. I'm looking forward to your tips on and offboarding process and much more.
Welcome as well, our co-head of the Cybersecurity and Data Protection group, Wendy Wagner. She will show you how to balance privacy laws while protecting data and other sensitive information. And in case of a trade secret theft, how to mine evidence to help prove the theft. We're delighted to welcome Brent Arnold, our cyber security expert serving as well as a director and corporate secretary of the Internet Society, Canada chapter, and a steering committee chair for the Cybersecurity and data privacy section of the US-based Defense Research Institute. He is very well placed to give us some insights into the risks of cyberware, cyber attacks and ransomware.
And last but not least, we are also welcoming our IP litigation partner and strategist, Laurent Massam. We will hear from him, what companies wish they put in place before, and if they are called upon to enforce trade secrets breach. I'm looking forward to your advice later in the webinar today. Then we're going to start with you actually in a moment. So let's start by taking a look at developments and trends around the world in this area. What are we seeing happening in the last 12 months? Would you like to start and give us an overview?
LAURENT MASSAM: Certainly, I'd be happy to, and thank you very much Gordon, and welcome everybody to this webinar. We are certainly at a new frontier in the rise of the importance of trade secrets, trade secret protection and trade secret litigation. There are many reasons for this, some of which I know we will talk about today. But among them, are that we are continuing to see an increase in the valuable of the value of intangible assets in the form of information and knowledge.
We are seeing an increase in the digitization of all forms of information and knowledge, that makes access and control of that information so much more difficult to manage on a global scale. We're seeing an increase in the intersection and competition across sectors, where information and knowledge in one sector may also be extremely valuable in another sector. The same time we're seeing shifts away from the traditional forms of protection for innovations, in particular patent protection for certain subject matter deemed not to be patentable, AI inventions for example.
We're seeing an increase in the mobility of the workforce resulting in more opportunities for secrets to leak out with the coming and going of employees, whether in their head or on a flash drive. We are also seeing the emergence of new technologies that create new challenges to the protection of trade secrets, in particular ChatGPT, and the like. There is no doubt that there has been and there will continue to be an expansion of trade secret litigation across all sectors. And this trend can be seen from the chart that you have on screen.
This is a graph that was prepared by STAUD, a global-based advisory firm. And they conducted an interesting survey of the evolution of trade secret litigation over the last 30 years or so. And what this graph shows is that there has been an expanding subject matter of areas in which trade secret litigation is occurring. On the left, in the 1990s, we see that virtually all trade secret litigation turned around designs, source code, ingredients, list, molds and the like. In more recent times towards the right, we see that trade secret litigation has expanded into a much broader range of subject matter-- business relationships, design still, methods and processes, products, financial information or marketing information-- subject matter that touches on all sectors.
Recent headlines in the news also tell the same story of the rise of the importance and concerns companies have to protect their trade secrets. While all of these-- I find all of these headlines very interesting. I'm just going to focus on two headlines that certainly would not have existed just a few years ago, but that exemplify the threats that digitization and AI can pose to protecting trade secrets. Those two headlines are, whoops, Samsung workers accidentally leaked trade secrets via ChatGPT, and leaked Walmart memo warns employees not to share any information about Walmart's business with ChatGPT or other AI bots, that may willingly absorb your trade secrets and then disseminate them in response to questions posed by third parties.
The reality is that with the expansion of the importance of trade secrets and the importance of trade secret protection is that the reality is that companies are playing catch up in the field of trade secret protection, particularly with the rise of AI. A recent study from Deloitte, shows that about a third of companies do not actively capture their trade secrets. They lack standardized processes and guidelines to identify them and to protect them.
So if I could allow myself to steal a slogan from an old TV kids show here in Canada-- and that slogan is, knowing is half the battle-- I would say that is certainly true in the world of trade secrets and trade secret protection. And I hope that today's seminar will help us all know a little bit more about trade secrets and help us all protect that very valuable information. Back to you Gordon.
GORDON HARRIS: Thanks very much Laurent. And this is not a national phenomenon, is it either a Canadian or a US or a UK phenomenon. It's global. Brent, do you want to bring us in line with where some of the threats lie?
BRENT ARNOLD: Absolutely. And if GI Joe told us knowing is half the battle. Eliot Ness in The Untouchables told us that, losing is half the battle. And that's where we need to be careful here because this is functionally a cold war. And it's a cold war we've been involved in for a while. And I say that because we're not just talking about industrial espionage, competitor versus competitor, cyber criminals versus companies, although those two things are certainly a very real part of this ecosystem.
What we have to worry about now, and we've had to worry about for about a decade if not longer, is espionage, cyber espionage by nation states. And for instance on the candidate side in 2014, the Canadian National Research Council, which is a government body that partners with business for scientific research and holds a lot of intellectual property, most of it unpatented, was hacked by Chinese state-sponsored actors. And there was a phishing attack compromising multiple government departments. And the cleanup cost of this alone was hundreds of millions of dollars. And that doesn't account for the loss of intellectual property. And they were attacked again in 2022.
More recently, the Chinese government has an outfit called Volt Typhoon, which some of you will have seen in the news a couple of weeks ago. It's been attacking US and Canadian organizations for years, focusing on stealing intellectual property, which is then turned over to Chinese industry, which works very closely with the Chinese state with a view to providing industry with a competitive edge in developing products. Another state actor that's emerged more recently. APT 41 or APT 41, siphoned off an estimated trillions, that's with a T, in intellectual property theft from about 30 multinational companies, in the manufacturing energy and pharma sectors. And that was as of 2022. It hasn't stopped. We can guarantee you that much.
We've seen the exfiltration, so in other words, the copying and stealing of hundreds of gigabytes of IP and sensitive data, including with a focus on, in particular, blueprints and diagrams, formulas, manufacturing-related proprietary data for multiple intrusions spanning tech and manufacturing companies in North America and Europe and Asia. And the focus was on obtaining blueprints for cutting edge technologies that weren't patented yet so they can reverse engineer.
Just last October-- and this is where you may have seen some of the coverage on Volt Typhoon because the head of the FBI was talking about it-- the chiefs of the Five Eyes intelligence network-- and that includes the UK, Canada, US and others-- met for the first time to jointly address this particular issue of state-sponsored cyber espionage. And they focused in particular on how these state actors may be using-- and this is to Laurent's earlier point-- AI to leverage more powerful attacks, all of this in service on the Chinese side of China's made in China 2025 economic plan.
Now, what are we doing about this? We're seeing again that the Five Eyes level international cooperation, but it's a slow machine to get in motion, and we're not nearly ready for what's frankly already happening. Back to you Gordon.
GORDON HARRIS: Thanks very much indeed. Well Thanks Laurent and Brent. And I think that makes it pretty clear just what a huge global issue this is. Now it seems as though companies are possibly missing an opportunity here. Is it lack of awareness or lack of human resources? But as regarding some of those big ticket litigations, they have been avoided. Neena, Jonathan, you work a lot with companies to get them prepared on the employee side. It more or less all starts with the employees, doesn't it? So what are your thoughts? Jonathan I think you're going to kick off.
JONATHAN CHAMBERLAIN: Well, absolutely Gordon. Where I want to start, if I may, is just picking up with what Brent said about there being programs of targeted espionage along here. I mean, I think the very first point that we would like to make is checking your employees on the way in. OK? You don't know where they've come from. We need to do much more detailed work on seeing that the CVs checkout. And still, your single biggest point of risk is your employees. And that'll be a theme that Neena and I will be talking to you, and others will be talking to throughout this webinar.
Now, just setting aside the state-sponsored actors for the moment with anyone who's coming in, it's very important that you're not sharing confidential information with them until they're yours, until they're bound up by your contractual arrangements, until they are committed to you. It can be very tempting, particularly in the case of making technical hires to share with them things that you're going to be wanting them to look at, do not do that. Be very careful about using NDAs in this context.
I've seen one badly worded NDA read by a judge as meaning that the employee was-- or that the candidate was bound to disclose the confidential information that belonged to their previous employer. This was not helpful. It was wild. It was definitely not helpful. And it's very important that you instruct candidates not to bring anything with them from their previous employer. And I really cannot stress this enough. Nothing, not even the promotional pen, definitely not their training notes, OK? Anything like that, it was never theirs in the first place, if they got it in the course of their last employment. It's a particular issue with academics actually. And it will often keep examples of their work because they're used to a much more free flowing exchange of information culture.
In the commercial world, we are different. I don't want those jotting downs of equations that you wrote in your day book. Leave them behind. And the thing to stress to them is that they will get caught, because as we're going to hear, the forensic investigation techniques and technology that is available to people, means that this sort of behavior is very risky and you need to convey that to them.
NEENA GUPTA: So if I could add to that Jonathan, one of the things that I find is, a surprisingly sophisticated manufacturing companies have surprisingly unsophisticated training and education. And so I would say, training your employees about what is a trade secret-- if we could move to the next slide-- that is extremely important. The other thing that is important is trying to protect against some of those soft risks, against phishing. You heard Brent talk about the number of-- and Laurent talk about how ordinary employees think they're doing the right thing. This is innocent. And because they're not properly trained, they get caught.
As were lawyers, I'm going to talk about some boring lawyer stuff too today, which is each jurisdiction permits different things in terms of protecting trade secrets. It's a pain. In Canada for example, there are strict rules against non-competes, which may or may not exist in other jurisdictions. So you need to check the rules of the jurisdictions you will need to enforce your agreements in.
The other thing I find, and I hate to admit this, judges in at least the Canadian courts are not necessarily sophisticated about trade secrets. And so you may wish to consider arbitration clauses that really narrow the roster to individuals who understand trade secret law, otherwise you might get a former family law, or criminal law judge, or lawyer adjudicating your trade secret case. And it's a disaster. So there may be some other practical tips Jonathan that you might want to add?
JONATHAN CHAMBERLAIN: Yes. And this is going to be a theme that you're going to hear from both of us, and also from other colleagues who are speaking today. It's really important that your employees recognize trade secrets and know how to protect them. Neena is going to be expanding more on that in a moment. One of the things that you might want to do is invest in a trade secret database so that you are able to identify what these things are so much of trade secret litigation is about establishing that this is a trade secret. And although the fact that you treat it as such, isn't generally in most systems of law definitive of that, it surely helps. And I think that's pretty true of every jurisdiction throughout the world.
And that then [INAUDIBLE] even if you're not getting a full scale database, then look at how you're labeling things, OK? And sticking private and confidential, this is a trade secret on every document, is really not going to help you. Quite the reverse. But a policy of focused labeling is because again it's going to show that you've thought about this that you considered this, that you placed value in this thing.
And again, a trade secret database might be too much, but a good document management system is pretty close I would say to essential. You need to have an audit trail of who has seen what. And you particularly need to have layers of information protection that people need to be authorized to get behind.
All that said, all that said, Securitech, the technology, you get fingerprint detectives, retinal scanners, whatever that will only get you so far culture. Culture, what your employees believe about trade secrets, what they do when the technology isn't watching them, that will always trump the protocol, which means that there are other things you really need to be doing, aren't they Neena?
NEENA GUPTA: Absolutely. So for example, to take to that culture always beats your protocols, is it cannot be a one and done. You need to have frequent refreshers, there need to be conversations. If there are problems, they need to be discussed in meetings so that there is an emphasis on trade secrets and protecting it. You mentioned Securitech. There are, of course, many technologies available to monitor unusual activity on your IT systems, but we don't have time to get into it. Many jurisdictions-- Europe and Quebec and Canada-- are also concerned about privacy.
And so you have to sort of-- if you're going to implement something, you have to be aware of the jurisdictional nuances about using Securitech in your workplace. So I've had cases where that has started the litigation, but that Securitech may not have been permissible in for example, Quebec without a full panoply of protection. So it's nice to buy the shiny new toys, but there are some caveats Jonathan as you know.
JONATHAN CHAMBERLAIN: Yeah. Absolutely right. Absolutely right. And when employees are going, you've had all your processes and procedures in place but now the relationship is coming to an end, people are going to leave you. It happens. And a whole new different way of protecting this got to kick in. Let's start with an exit interview. Hi, where are you going? And what are you going to be doing there? Perfectly legitimate questions to ask. If they don't want to answer it, that is their own business. You can't waterboard them to get the answers, but you can draw inferences.
And that may then affect other points I've got on this slide. And the protocols on monitoring, going back and looking at that audit trail that I talked about earlier, what have they been downloading? What have they been accessing? Is that appropriate? And in any event, get them to give everything back, get them to give written confirmation that they've given it all back. And in appropriate cases, consider informing the new employer of any post termination restraints that they may have in their contract.
But one final thing, a point that Neena and I both want to make, let's see if we can sing it in unison. And although I'm a litigator, and I think that litigation frankly is the best toy since slot car racing, and if you will pay me to play with it, I could not be happier. This is our point. Kill the slide.
NEENA GUPTA: Litigate only when necessary. From a business perspective, you and I both know it's much better to prevent trade secret thefts than it is to fight about it afterwards. So hopefully, Gordon, that was what you were hope-- find helpful from the employment lawyer's perspective.
GORDON HARRIS: Yeah, and I think even though like many of us here, I do litigation for a living. I would always-- I think in almost any circumstances say litigate only if necessary, but particularly in this one. So thanks both of you very much. Another thing I know as a litigator is that evidence is all important. That might be a challenge depending on which jurisdiction you're in. Now Wendy, as a data privacy practitioner, you're often giving advice on how to make sure companies can monitor the workplace to prevent theft, misuse or accidental loss of trade secrets. How do the separate but related regimes of data privacy and trade secrets interact?
WENDY WAGNER: Yeah, thanks Gordon and hi, everyone. Yeah, there's a number of ways that they do. And Neena and Jonathan already touched on this a bit within their employment law presentation. And so one way is this ability to monitor employee behavior, to ensure that you can effectively protect your trade secrets. We've already heard that the nature of trade secrets is that they have to be kept secret for protection not to be forfeited. And sometimes just binding employees to confidentiality is not adequate. And other precautions and preventative measures, and after the fact measures need to be taken.
And we've heard that employees do need to be informed what is a trade secret, and that it can't be communicated by unsecure means or to unauthorized recipients. And then there's also this issue that we've heard about that security measures that are in place, need to be implemented and they need to be enforced. But that does raise some privacy concerns. It requires a certain degree of monitoring of employee activities. And that implicates employee privacy rights. And so I wanted to speak about a few of the practical implications of that.
We did hear from Neena that this is going to have some jurisdictional differences which makes things a little complicated if you're a global employer. But in general, there has to be really clear organizational policies that will establish and preserve the right of the employer to monitor emails and other electronic communications and systems. And to the extent possible within that jurisdiction or lawful within the jurisdiction, employees just need to be told that they don't have an absolute reasonable expectation of privacy when it comes to workplace systems and the systems on which trade secrets reside. And the workplace policies and general company policies like an IT usage policy, they need to be structured to reflect that.
Many organizations will be required by law or will choose to have employee privacy as well. And those are often times needed from a legal perspective to notify an employee of how their personal information will be collected and used and disclosed within the workplace. And in fact, there's becoming a plethora of very specific laws about employee monitoring and legal requirements to have specific policies that tell employees about the monitoring that's being used, particularly when it's electronic in nature.
GORDON HARRIS: Right. Well, we've heard a lot about the relationship with employees and how it has to be structured now to address trade secret protection. But what about clients and customers? What are the considerations for them? Are they the same?
WENDY WAGNER: Yeah, they're not the same, but there are some parallels, and there's some really important things to think about in this context. I think one of the things that are-- one of the connections that isn't always explicitly drawn is that personal information of customers and clients for some businesses and the types of data and insights that are derived from that personal information is oftentimes in itself a very valuable trade secret asset.
And that can raise some sort of similar implications when it comes to compliance with data privacy laws, because we all know it's becoming much more well known that individuals have certain rights when it comes to the use of their personal information. So organizations really have to give some upfront thought to whether they have a lawful basis to obtain and use their customer or client data in a way that allows them to derive those data and insights, which as I say, can become part of a corpus of valuable trade secret assets.
So you have to think about, do you have appropriate consent or another lawful basis to use your customer data in that way? Are there contractual issues that you need to think about? Do you have authorization under data privacy laws to de-identify or anonymize that personal data, and retain and use it for business purposes and as your trade secret asset? And again, like going back to what Neena said, there's a certain level of complexity there because a lot of those concepts are very jurisdictional-specific. So there's a bit of a compliance lift.
GORDON HARRIS: Right. Well let's go more down that list. So we know now there are notice consent policy requirements for customers as well as employees. Are there any other data subject rights that need to be considered?
WENDY WAGNER: Yeah. I mean, there's an interesting intersect between data subject access rights and the protection of trade secrets. Again, this is something that's just becoming so much more ubiquitous in terms of individuals accessing their data privacy rights. One of which is the right to make a data subject access request to an organization. And that has to be balanced. Responding to those types of data subject access requests in a proper and lawful way does have to be balanced against the protection of confidential corporate information and trade secrets as part of that.
And in most cases it should be possible to safeguard those rights, even in the face of a data subject access request. If you take one of the most well-known global privacy laws, the GDPR, the recitals of the GDPR, for example, say that data subject access rights should not adversely affect trade secrets or intellectual property. Canada's federal privacy law, PIPEDA, has a similar exception right within its data subject access right provisions, that you don't have to provide confidential commercial information when you're responding to a data subject access request.
So thinking again sort of the practical implications of this, as we heard, the organization as a whole needs to be able-- and people within it need to be able to identify what is confidential information and trade secret information within the organization. And they have to-- the people who are tasked with responding to data subject access requests need to know when the response to a request like that may reveal one.
And that necessitates some amount of cooperation in the organization between those who are tasked with protecting some of these rights and those who are tasked with responding to these requests, and it's often different. Different facets of the organization, so everyone needs to be sort of properly trained on this and thinking about it, and basically working together.
GORDON HARRIS: Great. Thanks very much. Well, you mentioned some of the potential conflicts between trade secrets and personal data. What about areas of convergence?
WENDY WAGNER: Yeah. Well, one obvious area of convergence is security. We all are well too familiar with the increase in data breach incidents and how that impacts personal information. And we know that organizations have a high obligation and also just an obvious interest in securing and protecting personal information that's held within the organization. It's valuable but also there's an imperative to do that under privacy laws and under contracts and other agreements. Similarly, organizations have an interest in identifying their trade secrets as a corporate asset and singling those out for priority security measures because of their value to the business, and because of the impact of a loss of secrecy, which basically takes away the protection.
So organizationally, the measures that are used to protect personal information can also be leveraged to protect other sensitive data and vice versa as well. So we heard a bit from either Laurent or Jonathan. I forget which one that access controls, are very important when it comes to protecting trade secrets. We don't allow everyone in the organization to access that type of data. That's very similar when it comes to personal information, and in fact legally mandated. The same security frameworks can be applied in this context. So you can't protect every bit of data within an organization, when we're dealing with massive amounts of data today and ever-growing amounts of data.
So you really do need to think about it's the concentric circles and what are the most valuable assets? And what measures will you apply to them? And then going out from there, you may have lesser protections for other forms of data. And some of those security frameworks like the NIST Cybersecurity Framework, or ISO 27001, these are really commonly referenced frameworks that work in different ways but with a lot of commonality to have frameworks for the protection of data. And again, that can be personal information, that can be trade secrets. Whatever is sensitive and valuable within the organization.
So thinking again of some practical implications of this convergence. When you're looking at structuring company security plans, these need to identify the most valuable assets of the corporation from an informational perspective. When you're thinking of incident response plans, oftentimes people-- organizations are thinking of those in terms of personal information and what you would do in the event of a personal information data breach. But those incident response plans should also deal with any type of data breach that can result in a loss to the organization. So it's just something to build into those plans and processes so that everyone's not caught off guard.
GORDON HARRIS: Thanks very much Wendy. That's really, really comprehensive and useful summary. So Brent, you come across a lot of cyber attacks and other threats in your daily business. Tell us about the risks and what a company can do to prepare.
BRENT ARNOLD: Happy to do that. And I want to pick up on a thread of what Wendy was talking about when we talk about this convergence with trade secrets and with the personal information your organization is responsible for. We see this convergence profoundly in the cybersecurity part of this because the same kinds of threats you have to defend yourself from with respect to attacks on your personal information, pertaining when you're talking about defending your trade secrets-- let me give you a couple practical examples.
We talked a bit about the concern about state-sponsored espionage. And in those situations, they're looking for the trade secrets, they're looking for the intellectual property. Most of the attacks that companies are going to face, imperil that intellectual property even when it's not the target. I have a couple of examples here. Cyber warfare. Your company is based in Canada, Canada is supporting Ukraine in the conflict with Russia. So state-affiliated cyber attackers, cyber criminals, are attacking your business, copying your data, posting it to the dark web basically just to punish you.
Regular cyber criminals. Launching things like ransomware attacks. And in ransomware attacks the goal is to get paid, but what they'll do is they'll get into your environment, copy whatever they can, and that's their leverage. It might be personally identifiable information, it might be your intellectual property. There's a good chance it's both if they manage to get enough of this stuff. And they don't care what they can do with it. What matters is what's it worth to you.
And if you're not prepared to pay, they'll post it on the dark web where anybody with a Tor browser can find it, including your competitors. So in these situations, the real tragedy is you might lose the value of those trade secrets even though no one else is profiting from it, because in the course of refusing to pay, this information has become public. So we're defending against the same kinds of attacks with the same kinds of measures to protect all of these things.
And a lot of this is basic technical stuff like patching-- people in cyber and in IT, totally always talk about Patch Tuesday. Tuesday's the day that they've launched the updates to your operating system to plug all the holes they've discovered in the week before. Those are the kinds of things that get exploited. So make sure that your patches are up to date. Make sure you've got antivirus. Those are sort of basic things. But you need to have-- at a bigger level, you need to have some planning in place that prioritizes your trade secrets. And this involves-- we heard a lot about knowing where they are, mapping it, identifying it properly.
This is crucial in a cyber attack where your documents, all your files, all your systems could be frozen. You need to know if they've attacked that drive, what's on that drive? Is that where the trade secrets are? You need to be able to recover from an attack and investigate it at the same time. I can't stress this enough. Don't rely on your own IT people to do this right. It's not their-- they may be excellent, but it's the different discipline from cyber security. They don't think like cyber people do. And the cyber professionals you need to bring in for this are going to be focused on preserving the evidence and properly investigating it so that you can find out who did this.
So back to what you can actually do about this. Again, there's technical measures. The basic things we talked about. For more sophisticated attacks, you need to take this to another level. And you need things like continuous thread monitoring and detection, penetration testing, so that you're always testing how good are our defenses. Encryption doesn't get used enough. So these are technical measures. A lot of this comes down to procedure and policy as well. If you're not doing this already, you really need to look at what we call least privilege, which means if an employee, a new employee doesn't need to have access to everything, don't give them access to everything.
If somebody is a contractor who's on for a limited time and then they move on, or an employee is leaving, make sure that you close out their accounts. Make sure their credentials aren't still usable. We often see attacks where credentials that have been leveraged are from an employee who had no idea it was happening, or sometimes is a disgruntled ex-employee who doesn't like what the company is doing, and so on.
And again to the culture point, emphasizing the importance of the trade secrets, all of this stuff. Emphasizing the importance to your employees of good cyber hygiene. You need to be doing a lot of training. And it's got to be frequent because most businesses have high turnover these days, and people forget. You need to be doing what we call tabletop exercises where you break out your incident response plan. And this is the document that tells you, first step, we've been hit by attack, what do I do? Who do I call? What are the things I have to do and in what order? You'd be surprised how quickly those plans fall out of date, and that's why you need to be running through them regularly.
When we first had the attacks with COVID, first step that you would have seen in a lot of these attacks when everyone was stuck at home, would be get everyone together are in a room. Can't do that, so your plan is already out of date. And the other thing is this, threat intelligence. We should be sharing a lot more of it. I talked at the outset about Five Eyes intelligence network. So states are already doing this. Organizations at the corporate level need to be doing this as well.
And there are organizations you can join. In Canada, for instance, is the Canadian Cyber Threat Exchange where organizations and government and law enforcement are all exchanging technical information about cyber threats so that they can all work together to recognize in advance and prevent these attacks. I can't emphasize that enough.
GORDON HARRIS: Thanks Brent.
BRENT ARNOLD: Yeah. Sure go ahead.
GORDON HARRIS: That's terrific, thanks very much indeed. What I've been musing while I was listening too is looking over your shoulder at that guitar. I'm thinking, are you going to finish with a song? And what would it be?
BRENT ARNOLD: How much time do we have?
GORDON HARRIS: A beautiful song for this occasion.
BRENT ARNOLD: I might do back in the USSR.
[LAUGHS]
GORDON HARRIS: Laurent, at a high level, can you tell us when and why a client should even be thinking about trade secret litigation.
LAURENT MASSAM: Yeah, absolutely. And what I'll be talking about in the next short while is really a distillation of what we've heard from the other panelists. I think there are really three primary reasons for a company to litigate trade secrets, or to be ready to litigate trade secrets. And the first and most important reason is prevention and deterrence, present and future. And this is a theme that we've heard about before. And it was the ultimate slide from Neena and Jonathan about litigate only when necessary.
Prevention is really key. And so, of course, if an employee or a third party knows that a company is prepared and ready to litigate, that they are watching their trade secrets, they may be much less inclined to try to misappropriate them and misuse them because they know that they're being watched. And if as part of your culture, you make it very clear to everybody that you are watching your trade secrets and you are watching what happens to them, that too will have a very strong deterrent effect. So the preventative aspect of preparation is really quite powerful.
If you do have to litigate, it also acts as a future deterrent for others, because they know that you are ready to actually take action on threats. And so litigation not only prepares to try to stop the theft, it also can help to prevent future theft, because it will be noticed to the industry that you are ready, willing and able to actually defend your trade secrets on a moment's notice, so prevention is the first reason to be ready to litigate. The second reason to be ready to litigate is to obtain an injunction. I mean, the whole value of a trade secret is the fact that it's secret. And so if a trade secret has just gotten out or is about to get out, there is a brief window where you could run to court and try to put that genie back in the bottle.
You need to be ready to move fast. And that is absolutely critical when you're going for an injunction. That's the second reason to be ready. And the third is that, if unfortunately prevention hasn't worked and you have not been able to put the horse back in the barn, you may still want to try to recover the harm that you've suffered through either damages or lost profits in order to maintain or recapture your market share. So those are the three reasons, prevention being the highest and best, injunction and then damages.
GORDON HARRIS: Right. Well, the horse has bolted let's say. It's out of the stable and on its way. You've got your litigators standing by ready to get to work, what would your clients wish that they had put in place if they haven't already done so to litigate a trade secret theft, whether as claimant or defendant? What should they have done?
LAURENT MASSAM: Right. And this is really critical, is the preparation and being ready to move. I think the good news is that the fundamentals to be prepared for any of the three objectives of litigation are really similar. And I think that it's important to note that these preparation steps, I think safe to say are the same or would be relevant in any jurisdiction in the world. So these comments really should apply interjurisdictionally. I'm going to talk about four steps.
The first one which we've heard about from others is, to have protocols and practices in place to ensure you know what your trade secret is, and that you're able to quickly and correctly identify them and describe them. And this may sound obvious, but if you don't know what you have, there's a very high chance you won't know when somebody has taken it from you. So that's the first really important point. The second is that if you are going to go to court to try to litigate this, whether it's for an injunction or for damages, you need to be able to answer a key question for the court which is, what is it that you say was taken from you?
And I think this ties into a question that's been posed in the Q&A, a very good question as to, what would you put into your trade secret database, and how would you describe the trade secret? And I think briefly the answer to that is, well, it depends on what the trade secret is. But let's say it's software, you would have a copy of the software. If it's a particular process, you would have a description of the particular process. You would want to include a description of how that particular process was developed or acquired by whom. Who are the authors of it?
You want to talk about what that particular piece of information allows you to do. Why it is that it is different from what the rest of the public has. So those are key elements that I would say should go into a description of this, of the trade secret database. And that goes to identifying what it is you have.
The second point is to have protocols and practices in place to track who has access to your trade secrets, and importantly, who has actually accessed your trade secrets. And those are of course two different things because who should have access, and who did have access can be the very issue at the heart of trade secret litigation. So knowing who has access to your trade secrets and knowing who has actually accessed them, could be the smoking gun that you need in trade secret litigation.
And this actually ties to another good question that's been posed in the Q&A. And that is, how do you limit access? And I think this goes to the point that was made of least privilege. And so you want to limit access to your trade secrets. You want to control who has access that. It may be a locked cabinet, it may be a locked room, it may be digital controls, it may be technological controls. It may also be the implementation of sophisticated software that frankly the hackers are using that tracks your software or that tracks your code or that tracks your design and knows whether or not elements of it may be showing up in third party products. So this is all part of tracking your software.
The third point is knowing the value of your trade secrets. So if you show up and you say, I have a trade secret, you need to be able to demonstrate tangibly what the value of that protectable asset is. If you're going for an injunction, you have to be able to demonstrate that it is. That you will suffer irreparable or unquantifiable harm. If you're going for damages and profits, you need to be able to explain to a court what it is that you have lost, what it is that you have suffered.
And for anyone who has tried to get their arms around this question of, what is the value of something intangible? You will know that it is not an exercise that is completed in one day. So having a very good understanding of, how long would it take another company to develop this kind of information? Or why would it cause irreparable harm? What's the value in terms of market share that you may have lost? All of that information would be really important to have on hand.
And this concept of on hand is where I'm going to end. And it's a point that Brent just made. And that is that, having all of this information in your database tracked is only good if it's current. It's not going to be much help to you to say two years ago this was the state of play, and I don't know what the current state of play is. So preparation means updates, regular updates, regular assessments of what you have as a trade secret. Who's accessing it? What their value is. It's really important to stay current with your information. So that is a distillation of, I think, key points that we've heard of and that run through all of the presentations today.
GORDON HARRIS: That's great. Thanks very much Laurent. And uncannily, you actually managed to answer one of the questions, which I don't think you would have even seen before you started talking about valuation. So that was great. OK, some really good tips there. Let's just look at one very obvious area where the challenge of policing trade secrets just got a whole lot more difficult. And frankly, this wouldn't be a proper webinar if we didn't talk about this. Brent, AI.
BRENT ARNOLD: We all knew it was coming and here we are. And AI is like privacy. It's getting to the point where it permeates and intrudes everything else a business does. So yeah, happy to talk about this. As with any other sort of cutting edge technology, we're seeing AI sort of aiding both sides in this cold war that I started by talking about. We're seeing AI-aided cyber theft. We're seeing AI used to generate malicious code sometimes by people that are-- I'm not a hacker but I can figure out how to use-- generate a large language model, so I'll get it to make a virus for me or tell me a story about somebody making a virus and then make the virus.
It can automate the process of creating new viruses, modifying new viruses in ways that save hackers a lot of time, which I'm sure they appreciate. It's being used to weaponize phishing attacks by-- we're moving to a stage where people are being more careful about authenticating instructions they receive because they're worried that what if somebody hacked in, and this is a fake email from my boss? Well, I'll call my boss. Here's the problem, the threat actors may have generated. And we've seen this very recently actually happening, a very convincing audio deepfake of my boss confirming the instructions that the hacker had sent me by email.
So it's being used to get around authentication and multifactor protections put in place to avoid the attacks we were already worried about. Now, it's also the good news is, coming in very useful in threat detection, because AI is able to analyze and recognize patterns in what can seem like random data in ways that humans would struggle with. So it's making it easier to detect threats and detect malicious code. So that's very helpful. It can be used to verify users by sifting through behavioral data and confirming, yeah, this is how this person operates as opposed to this is probably fake.
It's also very useful, particularly in the blockchain context in threat attribution. I've dealt with cyber attacks where we can say with a fair amount of certainty, thanks to the AI-assisted review of incredible vast amounts of data, that a particular attack is coming from China, North Korea, somewhere in Russia and so on. It's also in the litigation context. As we've been talking about the litigating trade secrets theft piece already, there are tools coming out now that allow you to go through your opponents whether it's code or whatever else, to look for components that came from your trade secrets.
So this is a really useful way of creating the evidence that you need to prosecute a case in the event of theft by let's say a competitor. So good news and bad news as with any other cutting edge technology.
GORDON HARRIS: I think that's super really interesting. And about 20 years ago, I had a case about software theft where someone had basically broken the software down into multiple parts and reassembled it in a different way and thought that they'd done it. But we did find an expert who was able to untangle that and show that it had been stolen, but it took months. And I'm kind of guessing that an AI machine would do that in about a nanosecond. But anyway, there we are. So yeah, good as well as bad. And let's look on the bright side.
We said at the outset that we wanted to be really, really practical today. So I'm going to give the panelists a chance to leave us with the most important takeaway tips from their areas of expertise. So panel, keep it short and snappy. Let's start with Wendy.
WENDY WAGNER: Sure. Thanks Gordon. So I did go through most of these in the body of the presentation. But here's a few. So review your employee privacy policies and related policies like acceptable IT usage policies to make sure they give the company the leeway it needs to monitor and investigate employee use and misuse of trade secret information. Ascertain if the trade secret information within the organization is comprised of personal information of clients or customers. If so, think about the legal basis you have to use that information and what's derived from it.
Think about de-identification, anonymization, aggregation and consent to use that data, and how that's dealt with in contracts as well with business partners. Think about how data subject access requests will be handled to make sure that your employees who are handling those are not inadvertently disclosing your trade secrets and other confidential information. And think about what data you'll prioritize for protection within the company, such as personal information and trade secrets. And not everything can be protected with the same rigor, so you have to think about how you're prioritizing it and how you're protecting it.
GORDON HARRIS: Thanks very much Wendy. There's a lot to unpack there, that was really good. Laurent, over to you.
LAURENT MASSAM: Now, I would say that an ounce of preparation is worth a pound of cure would be my recommendation. Protecting a trade secret requires a lot of preparation from day one, from onboarding or exit interviews all the way through to being ready to litigate. So my conclusion is prepare.
GORDON HARRIS: Thanks very much. Neena, Jonathan, both of you preferably.
NEENA GUPTA: All right. Well, I think I would like to remind people that your trade secret policies and protection are only as good as your weakest links. And unfortunately, it's your humans that often are your weakest link. I hate to say this, but that's true. I mean, we just heard about that phishing attack and it was a human who made the mistake, granted after being fooled by a very sophisticated AI. So creating a human culture of protecting trade secrets, and so that employees understand how important it is, is really your best protection. It's that culture that you need to work on.
GORDON HARRIS: Thanks. Jonathan.
JONATHAN CHAMBERLAIN: Yeah. Well, I think there are various ways of saying the same thing. And we're doing it and that's no bad thing. Laurent, you talked about an ounce of preparation being worth a pound of litigation. I would say, build a fence at the top of the cliff, don't rely on the ambulance at the bottom. And what I'd also say in terms of practical employment steps, in particular one that often gets overlooked is, just check your non-competes when people change jobs, because again in most jurisdictions, that can unhook or in many jurisdictions, that can unhook the non-compete from the role and make it that much more difficult to enforce. And that's a small aspect of policy and policing of that policy that often gets missed. So gold stars if you get that one right.
GORDON HARRIS: Thanks very much. And Brent.
BRENT ARNOLD: Do I get a gold star if mine's the shortest, because here it is?
GORDON HARRIS: Yeah, sure.
BRENT ARNOLD: Fantastic. Assume that you're a target and plan accordingly.
GORDON HARRIS: Thanks very much. I think that is terrific advice in this field. And we've heard some fantastic stuff there. I mean I think Neena you're absolutely right about humans being the weakest link. And Professor Ryan Abbott, who's involved with AI and written books on the subject and what have you, he believes that once it's proved that autonomous vehicles are safer than vehicles driven by humans, humans should never be allowed to drive a car again, that everyone should go everywhere by autonomous vehicles. And I think we are the weakest link in most areas.
Now we've had a number of questions, many of which have been very well answered I think by the panelists as we go along and addressing them as they go. But there's one that I noticed in particular that was standing out to me. Someone said, "A trade secret is considered to be IP and protected under IP clauses in contracts, or should they always be addressed separately and deliberately?" I think that's a really great question. So would anyone out there on the panel-- we've got a bit of time. Would anyone like to take that on, or more than one of you?
LAURENT MASSAM: Gordon, I'm happy to jump in just with a couple of quick thoughts. Just on the IP side of things. IP of course, meaning intellectual property, is not just limited to patents, copyrights, and trademarks. It can most certainly include trade secrets, those that would be intellectual properties. It's just the regime to protect that particular type of property. The trade secret is going to be different from the statutory regime surrounding patent protection or trademark or copyright.
I mentioned this at the outset that there is a rise in the importance of trade secret protection. And that is because of the nature of the information that is now being protected. It isn't necessarily fitting into the traditional boxes of patents primarily. And so is trade secrets considered to be IP? Yes. Can it be protected under clauses and contracts? Yes. But that doesn't mean that you don't have to do all the other protections that we've talked about. You absolutely do, otherwise it's not secret. And then on the NDA perhaps, I see Neena and Jonathan ready. And I'll leave it over to them. But whatever you can do to protect your trade secret and keep it secret, is a good thing as far as litigator is concerned.
GORDON HARRIS: So just following up on the question though, so I think you're basically saying, look, do you wrap trade secrets into the IP clause, or do you have a separate set of provisions in your contracts relating to IP? Maybe Neena and Jonathan would be well placed to deal with that. One of them anyway.
WENDY WAGNER: So one thing I would say is when you're drafting those clauses, it's a very good idea to have good definitions. So I often see that there's this kind of, we lump everything into IP. Some thought should be given depending on the nature of your industry in whether or not you want to spend some time alerting the new candidate of what you consider to be a trade secret in your definition section. And of course, this goes into a whole. Only nerds like me get excited about drafting, but I realize that. But you have to worry about, oh, if I'm defining it too precisely, am I excluding things?
But quite often, the even sophisticated tech workers don't really understand what's a trade secret. And if you ask them, they would probably focus on things like software and algorithms, technical design as opposed to business know how, processes, other things that we want to protect under trade secrets. So I think it's not about-- the question is a drafting question. And as everybody drafts differently, I do agree with the general point that is, the right section intellectual property and trade secrets is often put together, but give some thought given your industry, as to how much more explicit you need to be about what is trade secrets. And then make sure, you know me, culture, culture, culture, make sure that ties into your training, so that it's crystal clear and nobody had any misunderstanding.
GORDON HARRIS: That's great stuff. Jonathan, do you want to add anything to that?
JONATHAN CHAMBERLAIN: No.
GORDON HARRIS: Good. Excellent Neena, you've done a great job.
JONATHAN CHAMBERLAIN: What she said, we live and work several thousand miles apart, but I wouldn't change a word.
GORDON HARRIS: That's brilliant. Right, well, thank you very much indeed to our panelists today. I hope you out there in the audience have more insights now into protecting your valuable trade secret assets and what to do. Please take some time to answer our short survey. Let us know what we can do better next time, or maybe even what we've done well. That would be nice to hear. And let us know any other topic which we should be talking about in one of our future webinars in this series.
A full video of the webinar as well as our slides will be circulated in the next few weeks. They'll also be available on demand at our website, www.gowlingwlg.com/ip. And if you've got anyone else in the organization who you think would benefit from hearing this, then please feel free to share it in that context.
There were also earlier episodes in this webinar series and thought leadership on current hot topics available at the website. The next global IP webinars in this series, the life cycle of a smart idea, are already being planned. So stay tuned to receive our next invitations. Thank you very much indeed for joining us, and enjoy the rest of your day wherever you may be. Thank you very much indeed.
Protecting your company’s confidential information is a complex task, one that requires a multi-faceted approach merging intellectual property (IP) strategy, employment law best practices, and ironclad data privacy and cyber security protocols.
Don’t let your great ideas walk out the door. Join our international panel as they provide a practical, multi-disciplinary and multi-jurisdictional overview of trade secret protection and defence – including in relation to the following topics:
This is the 25th installment in our Lifecycle of a Smart Idea series, dedicated to helping you maximise opportunity and minimise risk when taking innovative ideas to the global market. Click here to explore past webinars.
*This program is eligible for up to 1 hour of substantive CPD credits with the LSO, the LSBC and the Barreau du Québec. If you indicate on your registration form that a certificate of participation is required, we will email you your certificate after the session.
CECI NE CONSTITUE PAS UN AVIS JURIDIQUE. L'information qui est présentée dans le site Web sous quelque forme que ce soit est fournie à titre informatif uniquement. Elle ne constitue pas un avis juridique et ne devrait pas être interprétée comme tel. Aucun utilisateur ne devrait prendre ou négliger de prendre des décisions en se fiant uniquement à ces renseignements, ni ignorer les conseils juridiques d'un professionnel ou tarder à consulter un professionnel sur la base de ce qu'il a lu dans ce site Web. Les professionnels de Gowling WLG seront heureux de discuter avec l'utilisateur des différentes options possibles concernant certaines questions juridiques précises.