I very much enjoyed reading this article by Matthias Koch from Freshfields on the New Trade Secrets Act, which came into force on 26 April 2019 and implements the European Directive on the Protection of Trade Secrets (2016/943/EU).  It appears to be something that companies should familiarise themselves with and establish how best to act under the new rules, both in terms of protective measures as well as investigative ones should the worst happen.

As stated in the article: "It is not yet clear what the courts will accept as 'reasonable steps'", but companies should take appropriate steps to guard their crown jewels.  From a technical perspective, there are a number of steps that can be taken, but the most important is to ensure that data regarded as trade secrets is managed as such and that, as appropriate, user access controls and other security measures are applied to it - it cannot be freely available to all and sundry.

Applying appropriate cyber controls is a mammoth topic in its own right, but doing the simple things right can make a huge difference.  These include:

  • understanding that a strong perimeter defence is not enough and that internal defences must also be implemented to create layers of security within a company
  • utilising application white-listing and hardening to ensure that people use a standard and secure base system
  • ensuring that systems are patched quickly and effectively to avoid being 'hit' by known weaknesses
  • restricting administration rights to only those who really need them, and even then they should (a) have individual administration accounts for accountability; and (b) use their normal accounts unless the administration account is really needed
  • implementing multi-factor authentication when users are connecting to a system
  • establishing and testing a backup or disaster recovery plan to ensure that data is protected should the worst happen to the live systems
  • planning for the worst...you need to know what to do when an attack occurs - it should not be the first time you have thought about it

However, cases related to trade secrets often involve an "insider", and therefore in the event of an incident, appropriate forensic measures need to be taken to secure data from systems that could contain vital evidence, such as the computer and mobile device used by the suspect.  Ensuring that forensic procedures are followed not only protects the integrity of the data captured, but also allows for a more thorough analysis of the data.

This goes beyond the simple files and emails, and can include: deleted file recovery, Internet usage analysis, analysing the use of USB and cloud storage and examining what has happened on a system over time.  This is important because often people undertaking nefarious tasks do not use their company emails to communicate or file servers to store data. They tend to try and fly below the radar...hence you need to look deeper to find the evidence and intelligence needed to pursue a matter.  It is appreciated that some of the above may have data protection/privacy implications and they need to be carefully considered and discussed before proceeding.

In the end, companies should review their processes to ensure that they can benefit from the improved protection provided by this new Act.