For confidential information such as trade secrets, industrial espionage and theft are a real danger: Attacks on medium-sized and large companies are becoming increasingly targeted. They are often not aimed at sabotaging infrastructure, but at obtaining as much know-how and information as possible without being discovered. Almost 70 percent of all companies have already been affected by espionage, data theft or product piracy due to inadequate data security measures. In half of all cases, this has led to significant economic damage. It is noteworthy that almost two thirds of such damage is caused by former employees (cf. Bitkom study on economic security 2018). The Law on the Protection of Business Secrets (GeschGehG) aims, on the one hand, to ensure that companies take appropriate precautionary measures to reduce this macroeconomic risk by means of binding guidelines. On the other hand, the law gives companies the necessary means to enforce their rights.
What is required of companies? What is new?
Up until now, the protection of trade secrets has only been rudimentarily regulated by the laws against unfair competition (cf. §§17-19 Law Against Unfair Competition (UWG)). The Law on the Protection of Trade Secrets (GeschGehG), which transposes the EU Directive on the Protection of Secrets 2016/943 into national law in Germany, defines for the first time what a trade secret is. The law thus affects all companies whose success is based on protecting confidential information from competition. According to the law, a trade secret is information that:
- is neither fully nor with respect to its exact order and composition known or readily available to persons in the circles which normally deal with this type of information and therefore of economic value;
- is subject to reasonable steps to keep it secret by its lawful owner under the circumstances, and
- a legitimate interest to keep it secret exists.
The scope of protection of trade secrets is adapted to that of other intellectual property rights. It now goes far beyond what the previous requirements of German law stipulated. Rights and claims are defined, and prohibitions against certain actions are specified. However, the law puts owners of trade secrets under pressure to act: if no objective protective measures were previously necessary, the existence of a trade secret now requires reasonable steps to keep it secret as well as security measures. The burden of proof concerning the sufficiency of measures for the protection of trade secrets lies with the owner of the secret.
Under the GeschGehG, the courts may order non-disclosure measures in cases concerning trade secrets. These are necessary because the protection afforded to a trade secret depends on the fact that the information is not known, either in its entirety or in its details, to the persons in the circles who normally deal with this type of information. Without appropriate rules on confidentiality during proceedings, the owner of a trade secret would run the risk that the trade secret would lose its protection once it becomes the subject of a legal proceeding. Attempting to enforce the right to protection could, in the worst case, lead to further dissemination of the economically valuable information.
What do companies need to do now?
Sufficient protection does not only fulfill formal requirements (“reasonable steps […] to keep it secret”). It effectively protects against the loss of trade secrets, know-how and other intangible assets. Companies must now critically review their own measures to protect secrets. It is in the interest of the company that trade secrets remain secret. Synergistic effects can be exploited through a variety of overlaps with IT security and data protection.
We recommend a systematic approach:
1. Take inventory:
- What information is considered to be a trade secret?
- In what form and at what location is this information located, and who has access to it?
- What measures are in place to protect trade secrets, including data protection and IT security?
- How great is the need to protect the various trade secrets?
- Are they, “in accordance with the circumstance”, actually protected by sufficient technical measures of IT security and organizationally by guidelines, confidentiality agreements and/or contracts, or are there gaps?
- Are trade secrets recognizable as such, and is it clear who is the owner of the trade secret?
3. Adapt measures for the protection of trade secrets:
- Exploit synergistic effects – extend existing measures from other areas such as data protection and IT security to include protection of confidential information
- Supplement and implement both appropriate and economic measures in line with the protection requirements within the company
- Bindingly regulate the handling of trade secrets in the company and adapt contracts with select partners
- Document the reasonable steps taken for the protection of trade secrets, as the owner of the secret is obliged to provide evidence in the event of a dispute!
Do you have any questions? We are happy to help you.
We will gladly help you ensure that measures are in place to protect your trade secrets that are both appropriate and economic. In this way you protect your intangible assets and ensure your competitiveness. We can support you in identifying synergistic effects that result from the many overlaps with legal data protection and IT security requirements. Our interdisciplinary team consists of experienced lawyers and IT security experts who can ensure that your trade secrets remain confidential.