Know-how, strategies, ideas, innovations and customer lists are all crucial company assets that constitute sensitive information. Although this information cannot always be protected as industrial property rights (trademarks, designs, patents, etc.), it nevertheless needs to be safeguarded against unauthorised access by third parties. There is otherwise a risk that these crucial corporate assets could be stolen with impunity by third parties.
Up to now, companies have been able to rely on quasi-automatic protection of this type of confidential information as business secrets. Although statutes only provided incomplete protection of trade secrets (Sections 17 - 19 of the Unfair Competition Act (UWG)), case law to date has defined as a trade or business secret any fact relating to a business operation that
- is not obvious, but
- known only to a limited group of persons, and
- which the business owner aims to keep secret.
This meant that it was sufficient to mark an item of information as confidential, for example, to show that it was intended to be confidential and as such a trade secret. Case law actually went one step further, allowing trade secret protection to apply if the desire for secrecy was evident “from the nature of the fact to be kept secret”. This was generally the case with regard to confidential information relating to complex matters, for example. As a result, legal protection of trade secrets was mostly in place without action of any kind being taken by the owner of the secret.
Neither the Trade Secrets Protection Act nor the associated explanatory notes say what constitutes “reasonable steps to keep information secret”. Whether a trade secret is subject to “reasonable” protection therefore depends on the specific business information to be protected. The more important, complex and confidential the information is, the stricter the requirements for reasonable protection. When a company’s “crown jewels” are involved, the organisation must take much tougher and more extensive steps to maintain confidentiality than is the case for routine confidential information, for example.
This means that design drawings, ideas or business models, for instance, must be assessed individually to determine whether they require stringent confidentiality measures, such as internal access restrictions, detailed non-disclosure agreements with partners and strict IT security. In the case of less critical confidential business information, such as simple customer lists, less stringent measures may be sufficient and reasonable.