Delaware Court Finds Password Protection for Electronic Documents Insufficient to Preserve Trade Secrets

by Quinn Emanuel Urquhart & Sullivan, LLP
Contact

Key questions in most trade secret cases are whether information was misappropriated and whether that information qualified as a trade secret in the first place. Under the Uniform Trade Secrets Act’s definition of a trade secret, whether information is a qualified trade secret depends on whether the efforts taken to maintain the information’s secrecy are “reasonable under the circumstances.” See, e.g., Del. Code Ann. tit. 6, § 2001(4) (West) (adopting, like the majority of states, the Uniform Trade Secrets Act’s definition of a trade secret). For example, strict password policies are a common business practice when it comes to protecting digital files, and one might assume they are a “reasonable” method of protecting digitally stored trade secrets. Not so, according to the Delaware Court of Chancery, which ruled that in the circumstances of a recent case, password protection alone was not sufficient to maintain trade secret status. Wayman Fire Prot., Inc. v. Premium Fire & Sec., LLC, No. 7866-VCP, 2014 WL 897223 (Del. Ch. Mar. 5, 2014).

At issue in Wayman Fire Protection were two reports taken from the plaintiff’s Salesforce.com account. The first, an “opportunities report,” identified Wayman’s prior bids, prospective business opportunities, and Wayman’s internal assessments of those opportunities. Id. at *13. The second, a “contacts report,” simply listed the names and contact information of Wayman’s current clients. Id. Both reports wound up in the hands of a competitor, Premium Fire & Security, when a Wayman employee departed for Premium Fire and took his backup of the electronic files he used at Wayman with him. Id. at *7. The employee then copied this entire backup drive, including the Salesforce reports from Wayman, onto his Premium Fire computer. Id. After losing a bid to Premium Fire, Wayman began to suspect that the employee had taken Wayman’s files with him to his new employer, and ultimately it sued Premium Fire and Wayman’s former employees for tortious interference with prospective contractual relations, misappropriation of trade secrets, misuse of computer system information, breach of the duty of loyalty, conversion, and civil conspiracy. Id. at *8. After a bench trial, the court found no liability for misappropriation of trade secrets, in part because Wayman failed to show its password policies met the standard for reasonable efforts to protect the secrecy of the information. Id. at *15-16 (addressing faults in plaintiff’s proof of misappropriation). Although the defendants conceded that the former employee had copied the files to Premium Fire’s computer and used them without Wayman’s permission, the court ruled that the Salesforce reports did not qualify for trade secret protection. Id.

In Delaware, as in other states, customer lists are recognized as potentially eligible for trade secret protection. See, e.g., Am. Family Mut. Ins. Co. v. Roth, 485 F.3d 930, 933 (7th Cir. 2007) (under Wisconsin’s implementation of the Uniform Trade Secrets Act, customer lists are eligible for protection as trade secrets); N. Atl. Instruments, Inc. v. Haber, 188 F.3d 38, 44 (2d Cir. 1999) (under New York law customer lists are protectable as trade secrets); cf. Nationwide Mut. Ins. Co. v. Mortensen, 606 F.3d 22, 28 (2d Cir. 2010) (under Connecticut law, customer lists are within the scope of trade secret protection, but a number of the state’s courts have noted that they often lie on the periphery of the law of trade secrets) (quotation omitted). In Wayman Fire Protection, however, the court was “not persuaded that merely password protecting the Salesforce information at issue here constitute[d] reasonable efforts to protect the confidentiality of that information.” 2014 WL 897223, at *16. Wayman protected the Salesforce documents by limiting access to only a handful of employees, each of whom had a Salesforce password that had to be changed every 30-60 days. Id. at *8. But limiting access to the documents was not enough: What mattered to the court was whether Wayman’s efforts sufficiently conveyed “that the Salesforce information was highly confidential or secret.” Id. at *16. The Delaware Court of Chancery found that because it was not “inherently obvious” that client names and phone numbers—most of which competitors could easily have found on their own simply by determining which businesses were subject to fire alarm and protection regulations—were confidential, proprietary information, Wayman “should have done something more to impress that fact upon those with access to Salesforce.” See id. For example, Wayman could have “monitor[ed] its authorized employees’ use of Salesforce or restrict[ed] those employees’ abilities to download, export, or otherwise transmit Wayman’s Salesforce data.” Id. at *8.

The finding that the password protected files did not qualify for trade secret protection stands out in contrast with the court’s other findings on related issues where Wayman established liability. Notably, the defendants conceded liability under Delaware’s Misuse of Computer System Information Act. See id. at *17 (citing 11 Del. C. § 935). The court specifically found that Premium Fire knowingly retained and improperly used computer data, in violation of the statute. Id. at *19. As a consequence, the court awarded Wayman unjust enrichment damages. Id. at *29-30. However, the court held that Wayman had not shown any of the defendants acted “wilfully and maliciously” in misusing the computer files, a prerequisite for treble damages under the statute. Id. at *19. Furthermore, the court found the computer files which the former employee copied from Wayman and used during the course of his job at Premium Fire were sufficiently “confidential” to trigger a duty of loyalty on the part of the employee. Id. at *22; see also id. at *20 (noting that under Delaware law, “if an employee in the course of his employment acquires secret information relating to his employer’s business, he occupies a position of trust and confidence toward it and must govern his actions accordingly”). Based on that finding, the court concluded that the former employee’s misuse of Wayman’s confidential information breached his duty of loyalty by benefiting Premium Fire, a direct competitor of Wayman. Id. at *22. Thus, the court distinguished both the defendants’ unauthorized use of Wayman’s information—required to support Wayman’s Misuse of Computer System Information Act claim—and the mere confidentiality of the information—required to support Wayman’s breach of duty of loyalty claim—from the more restrictive requirement that efforts to maintain secrecy be “reasonable under the circumstances” as required to support a trade secret misappropriation claim.

The court also distinguished the facts of Wayman Fire Protection from a strikingly similar earlier case finding that electronic customer lists did qualify for trade secret protection. Id. at *14 n.108 (citing Great Am. Opportunities, Inc. v. Cherrydale Fundraising, LLC, 2010 WL 338219, at *19 (Del. Ch. Jan. 29, 2010). In Great American Opportunities, the electronic customer lists were password protected, but were further addressed in provisions in an employment contract and handbook, and in letters the company sent its employees following termination notifying them of the sensitive and proprietary nature of that information and prohibiting them from disclosing such information both during and after their employment. 2010 WL 338219, at *19. On these facts, the court held that the electronic customer lists qualified for trade secret protection. Id. at *20.

The court’s opinion in Wayman Fire Protection, reaching the opposite conclusion, can be seen as suggesting that passwords have proliferated to the point where typing in a password is no longer adequate to put employees on sufficient notice that the information protected by that password is to be kept secret. This is consistent with the reality that today passwords are no longer reserved only for the most important or confidential information, but are becoming ubiquitous.

Wayman Fire Protection signals that the Delaware court is likely to enforce the burden on trade secret plaintiffs to show that alleged trade secrets are confidential and proprietary—that they are, in fact, secrets. There is no exhaustive list of acceptable methods, but in light of Great American Opportunities and Wayman Fire Protection, the more traditional instruments such as contracts, handbooks, and post-employment letters are likely to remain important tools in securing protection for trade secrets. At the same time, the Wayman Fire Protection opinion confirms that improper use of confidential information by former employees and competitors, even if it does not rise to the level of misappropriation of trade secrets, may establish significant liability for other torts under both statutory and common law claims.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Quinn Emanuel Urquhart & Sullivan, LLP | Attorney Advertising

Written by:

Quinn Emanuel Urquhart & Sullivan, LLP
Contact
more
less

Quinn Emanuel Urquhart & Sullivan, LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.