FileOpen Document Security Blog

Classification and Control: Keeping Trade Secrets Secret

Written by Sanford Bingham | Aug 22, 2017 11:32:53 PM

Much of the recent news out of Washington D.C. has included references to classified information, security clearances, and the many rules and mechanisms that have been developed to protect such important material. The amount of information marked secret in the U.S. is truly enormous--by one estimate, there are more than a trillion pages of classified information held by the U.S. government, an amount more than 200 times that of the information contained in the Library of Congress.

 

“Contemplate these numbers: about five times as many pages are being added to the classified universe than are being brought to the storehouses of human learning, including all the books and journals on any subject in any language collected in the largest repositories on the planet.”  

 

Harvard scholar Peter Galison

 

There is also an exponential function around classified information, insofar as any piece of information that references a piece of classified information must itself become classified, and any reference to that piece of information must also be classified, and so on. So-called “Derivative classification actions” vastly outnumber original classifications. By one calculation, “the number of derivative classification actions in 2008 numbered over one hundred times the number of original classifications, at 23,217,557.”

 

While there is some evidence that the rate of increase in both original and derivative classification is slowing (2014 numbers show a 20 percent reduction in original classification activity, to 46,800 decisions, and a three percent decrease in derivative classification action, down to 77,515,636 decisions), the ratio between the two is unchanged or growing. And so is the associated cost of maintaining this information, which in 2016 was calculated to be $16.89 billion, or more than twice the $7.57 billion spent in 2014.

 

Moreover, and more to the point, there is another vast universe of secret, or what should be secret, information inside the networks and repositories of commercial entities, in the form of Trade Secrets. Because these are by definition secret, there is no official count, no real way to know how many secrets are out there. Unlike patents, the number of which can be calculated (at about 10 million in force worldwide), the number of trade secrets can only be estimated. One well thought-out model puts the total number of trade secrets at 140 million.

 

Failing to Protect Trade Secrets Could Remove Their Legal Protection

The statistics for classified information cited above, however, measure the number of pages. How many pages does it take to express a trade secret? Of course this varies: the formula for Coca-Cola, often cited as the canonical trade secret (it is said that “only two employees are privy to the complete formula at any given time, and they are not permitted to travel together. When one dies, the other must choose a successor within the company and impart the secret to that person. The identity of the two employees in possession of the secret is itself a secret”; also there is a museum dedicated to the vault that holds the formula), can likely fit on one page. But the source code for Windows 10, another important trade secret, is on the order of 60 million lines; if printed from the Windows Notepad application, which fits 43 lines per page, it would fill about 1.3 million pages. Taking as an estimate that the average trade secret is 100 pages long, we can calculate that there are 14 billion pages of trade secret information (worldwide). That’s still an order of magnitude less than the one trillion pages of classified information in the U.S. alone, but still a big number.

 

Courtesy of https://teach.ceoblognation.com

 

In order to qualify as, and to remain, trade secrets all of those pages must be somehow protected. Trade Secret Law in the U.S. imposes a duty to control distribution of trade secrets: “if trade secret information is not closely controlled - is given to employees or business associates even though the recipients do not need that information to further the trade secret owner's interests - then courts may determine that the information no longer deserves protection as a trade secret because the information was not rigorously protected by its owner.”

 

Many types of information that are not commonly treated as trade secrets may in fact qualify as such: training materials, employee handbooks, facilities maps, price lists, salaries and benefits, etc. These are only some of the types of information that can be controlled by DRM systems such as FileOpen's. But is some kind of technical control over information a requirement for its protection as a trade secret?

 

The definition of trade secrets in the Uniform Trade Secrets Act is this:

"Trade secret" means information, including a formula, pattern, compilation, program, device, method, technique, or process that:

(i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and

(ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

 

The proper definition of “reasonable under the circumstances” is an interesting question, and one best answered by a lawyer. But the point would seem to be that if some piece of information is to be considered a trade secret it must be protected, and if not protected it cannot be called a trade secret. The same is true of classified information, which is only protected until it is either declassified or, as we’ve seen lately in Washington, leaked.

 

As defined by the Federation of American Scientists (many of whom have a deep and vested interest in the classification, in some cases forced, of their work), “Trade secret law does not protect a trade secret holder against discovery of that trade secret by "fair and honest means, such as by independent invention, accidental disclosure, or by so-called reverse engineering." In this respect, trade secret protection is the same as classification policy, “because the objective of classification is not to prevent an adversary from obtaining the information by independent efforts or by reverse engineering, but rather to avoid assisting the adversary in acquiring that information.”

 

The tools used by governments to protect classified information may be more sophisticated than those available to businesses for the control of trade secrets, and there may be many more pages of the former, but the intent and purpose of both is the same: enabling rightful owners to obtain the exclusive benefit of their hard-won knowledge.

 

If an ounce of prevention is worth a pound of cure, corporations and other IP owners would be well advised to scan, encrypt, and carefully control the use of documents containing trade secrets. These should be considered a valuable asset of the organization, and the fact that extra care was taken to protect them could be crucial ammunition should your IP ever be challenged legally.