SAINT ISLAND INTELLECTUAL PROPERTY GROUP

News

News

Supreme Court’s Recent Decision on Protective Measures for Trade Secrets

A trade secret is defined by Taiwan's Trade Secret Act as a piece of information that passes a tripartite test (roughly the same test as adopted in Article 39 of the TRIPS Agreement).  First, the information must not be known to persons generally involved in the information of this type. Second, the information must have actual or potential economic value due to its secretive nature. Third, the information need be subject to reasonable measures adopted by its owner to protect its secrecy.  The third prong is obviously the most difficult part, and the most possible area in which a secret owner, especially when it is an SME, might get ambushed in an infringement case. So, what is the court's basic stance on the requirement of “reasonable protective measure?”

The answer is basically favorable to the secret owner. In a decision rendered in July this year (2019) for a criminal lawsuit, Taiwan's Supreme Court held:

[The test of reasonable protective measure is met] when the trade secret owner has made reasonable efforts to prevent others from easily accessing, using or disclosing the trade secret, … yet his actions to protect the confidentiality of the trade secret do not need to reach a strictly “watertight” extent.  More specifically, a protective measure is reasonable if it is in accord with its owner's human and financial resources as well as the nature of the information and business concerned, employs a method or technology that the public deems common and feasible, and is carried out in such a manner that keeps the safeguarded trade secret difficult to be accessed unauthorizedly and hence serves to maintain the secrecy.  Prosecutors of the IP Branch of the High Prosecutors Office v. Liu, 108 Tai Shang 1608, Taiwan's Supreme Court (2019).

The trade secrets disputed in this case were mainly client data and pricing information stored in electronic files preserved in an internal (intranet) platform the complainant company set up for its sales unit, where the defendant worked before leaving the company.  Employees in that unit were each allowed to access those files via their office computers and then save them in these computers' hard discs; none of these activities however was checked by a password or other protective measures (e.g. internal alerts) attached directly to these files.  Although logging-in to these computers required entering accounts and passwords, the employees were allowed to set the passwords themselves.  Moreover, employees' email delivery to a personal external mailbox was not subject to real-time monitoring.  While the company asserted that an employee was required to obtain a supervisor's prior approval before sending sensitive data out to a personal external mailbox, this rule was not written in any document, and no evidence shows these approvals were rendered and recorded in writing. 

It was under such circumstances that the defendant, close to her leaving the company, mailed out the said sensitive information to her personal external mailbox absent any hindrance.  In fact, the company might have never thought of combing through the record of the defendant's mails but for a client's report that the defendant, after leaving the company, was now working with the company's competitor. 

Despite the imperfection in the company's protection for sensitive files, all three levels of the courts agreed that the files the defendant leaked had been subject to reasonable protective measures and hence qualified as trade secrets.

First, the prior approval policy, although not supported by documentary evidence, was testified by peer employees in the same unit to be in place and implemented to control employees' risky outbound mailing activities.  Second, the company's technical restrictions on access, reproduction and transmission of the trade secrets were held by the courts to be reasonably sufficient.  Of all employees (number unknown though), only the 12 people in the sales unit were granted the authority to access the files at issue. In addition, portable storage devices like memory sticks could not link with the employees' office computers, and an oversized outbound email would be barred automatically by the company's mailing system.  Third, the password check at the computer log-in phase, although challenged by the defendant as irrelevant, was deemed by the courts to be with reasonable proximity to the leaked files, since using and updating these files were the sales unit's daily work.

Additionally, the defendant contended that her intention behind the controversial conduct was to work overtime at home organizing the information at issue to facilitate her successor.  Given the company's porous protective measures, this argument seemed plausible at first glance.  However, it was not accepted by the courts, since no record shows the defendant made any amendments to the leaked information and then sent them back to the company.

All in all, in light of the principle postulated in the above-quoted Supreme Court opinion, the imperfections in the complainant company's protective measures could be pardoned, since a protective measure does not need to reach perfection to be deemed reasonable, especially where, as here, the trade secret owner was an SME with modest resources and trade secret protection experiences. 

The courts' current friendly position should not be taken by secret owners as a signal that from now on they will be free to decrease the intensity of their protective measures. A safer takeaway would be that trade secret owners should better not leave a weakness in their info protection system unattended until a leak occurs and prompts a lawsuit (oftentimes lengthy if not plaguing) in which they are at the court's discretion to render a friendly opinion to bail them out.  Further, trade secret owners should not unthinkingly relax regulations on transmitting digital information to an environment out of their control even if employees have genuine need to work (overtime) at home; otherwise, both the leak risk and the lawsuit risk will increase, as this case proves.  But of course, this is a challenging issue in a time when working at home has become a growing trend.

Back