Like any other type of litigation, trade secret cases rise or fall on the strength of the evidence that can be put before the factfinder. Yet before a lawyer can focus on what evidence they have to make or defend their case, they must first collect that evidence. And with information technology being incorporated into every business at a lightning-fast pace, evidence has accordingly become increasingly complicated to source.
There are three primary considerations for the identification, collection, and preservation of evidence for use in a trade secrets case:
- The identification of targets that bad actors may look to appropriate confidential, proprietary, and trade secreted information.
- Once located, the preservation of evidence that shows that the targeted areas have been improperly accessed and by whom.
- The collection of this evidence for use in litigation.
Best practices for these considerations is described below.
A. Collecting and Preserving Evidence in a Trade Secret Case
i. Identification of Preservation Targets
Misappropriation requires unauthorized access: a defendant cannot use or disclose sensitive information without having the ability to access and appropriate that information in the first place. Obtaining evidence of this access is therefore critical. The process of culling that evidence involves a number of considerations, such as identifying the potential locations where a bad actor may have accessed the trade secreted information, understanding what systems (if any) the client has in place to monitor and document such access, and collecting the records (if any) those systems may generate.
Communicating with the client and the client’s technical staff about the IT systems in place is the first step in this process. If possible, that consultation should take place along with a forensic analyst who can assist in collecting pertinent data and analyzing what it shows. There are several additional steps—beyond merely collecting laptops and personal devices—that should be employed to cull further evidence of misappropriation. During the initial assessment with the client, the following discussion points should be raised:
- Incident response plan. IT systems routinely experience “anomalous activity,” meaning any activity that is outside the norm. This is as broad as it sounds—anomalous activity encompasses a broad variety of acts, whether caused by a program (malware) or a user (improper access). Consequently, many IT departments have created incident response plans: a set of immediate actions taken by the department or system to identify the “who, what, where, when, and why” of the anomalous activity. These plans also contain the immediate corrective actions the IT department or system should take in responding to the anomalous action. Because an incident response plan lays out the corrective steps taken in responding to anomalous activity, they can contain a broad swath of information that identifies the sources of system or data access, the date and time of that access, the identity of the accessing user, and any actions taken by the IT department or system in response. It can be a valuable postmortem laying out other sources of potential evidence.
- Email protection systems. Email protection systems are security frameworks implemented to act as barriers between email servers and users. They track information detailing the identity of email authors and recipients, the contents of emails, and email attachments. This information can be a useful source of proof to show the identity of a bad actor, the information they expropriated, and the recipient of the information. It is critical to note that email protection systems typically have retention policies that routinely delete the information that they track. As a result, counsel should immediately have these policies suspended to ensure that pertinent data is not deleted.
- Endpoint detection and response. These systems monitor activity on endpoints such as workstations, laptops, and mobile devices. As a part of this monitoring, they generate records of unusual user behavior, such as access, creation, deletion, and movement of information. Therefore, these systems provide yet another source of evidence that can be used to trace improper access. As with email protection systems, endpoint detection and response systems may be subject to routine retention policies that must be suspended to preserve data.
- Log monitoring. Some organizations employ security information and event management (SIEM) systems. These systems collect and analyze logs of all activity occurring on the IT infrastructure. In turn, these logs can be used to track and isolate inappropriate user behavior (including system access, transmission of data inside or outside the organization, data destruction, etc.). Depending on the SIEM, event reports can be generated that show a timeline of events. These reports can be another useful source of evidence showing improper use and by whom. These systems also contain retention procedures that should be suspended during the conduct of litigation.
- Data backups. Organizations also tend to employ backup systems that periodically capture snapshots of pertinent systems and data. In the event that improper access is not timely identified, and evidence of improper access is not preserved, these backups can nevertheless be used to create a timeline that would indicate improper access. For example, a backup could show that certain data existed on a server prior to the date of termination of an employee but did not exist after, creating a potentially strong presumption that the terminated employee deleted that data.
As expected, these various sources of record keeping can work in concert with one another to create compelling arguments of improper use. For example, a SIEM report could show precisely what a terminated employee accessed and transmitted, while data backups could show that the information accessed was subsequently destroyed.
ii. Preservation of Evidence
Evidence preservation procedures should begin immediately after identifying the potential sources of data that may have been accessed. These activities are essential to maintain the integrity of the evidence that has been collected and as a best practice against claims of spoliation. They include:
- Physical quarantine. In the event that the bad actor had been provided a laptop, computer, or mobile device from the organization, that hardware should immediately be located and preserved. The quarantine is essential to maintaining the integrity of data reflecting data accessed or deleted, email traffic, and external device use. A chain of custody should be created to ensure that a link back to the bad actor remains in place. The easiest way to employ the quarantine may be through a forensic consultant.
- Retention holds. As detailed above, useful evidence may be deleted as a part of the routine retention policies employed by endpoint management systems, reporting servers, etc. As a result, counsel should immediately ascertain the parameters of all systems that employ retention policies and have the client put a litigation hold in place.
- Routine preservation policies. Otherwise, counsel should instruct the client to observe all other routine preservation procedures that would be used in any litigation.
iii. Collection of Evidence
Collecting evidence of access in the manner outlined above is not any different or unique than any other type of litigation. Best practices should be employed to maintain metadata, chain of custody, and ensure all relevant custodians have collected and provided their data.
B. Statutory Protections on Using Trade Secreted Evidence in Litigation
A separate, but no less concrete, evidentiary concern is preserving the secrecy of the information being litigated while still being able to litigate the matter in the first place. To that end, TUTSA mandates that courts “shall preserve the secrecy of an alleged trade secret by reasonable means” Tex. Civ. Prac. & Rem. Code §134A.006(a). The act creates a “presumption in favor of granting protective orders to preserve the secrecy of trade secrets.” Id. These orders may include provisions that limit access to confidential information to only the attorneys and their experts, that empower the court to hold in camera hearings, that require sealing of court records, and that order any person involved in the litigation to not disclose the alleged trade secret without prior court approval. Id.
TUTSA also contains a procedure whereby the court can exclude a party or limit its access to the alleged trade secret. Id. §134A.006(b). Such relief requires a balancing of seven factors: 1) the value of the trade secret; 2) the degree of competitive harm that would be suffered by disclosure of the trade secret; 3) whether the other party is alleged to already possess the trade secret; 4) whether the party’s representative acts as a competitive decision maker; 5) the degree to which the party’s defense is impaired by lack of access to the trade secret; 6) whether the party has specialized expertise unavailable to their outside expert; and 7) the stage of the action. Id.
While analyzing the cases construing this section of TUTSA, the Supreme Court of Texas has weighed in on a potential conflict between TUTSA’s “presumption in favor of granting protective orders” and Texas Rule of Civil Procedure 76’s presumption in favor of open courts. HouseCanary, 612 S.W.3d at 254. In HouseCanary, a trial court, initially denying a motion to seal trial exhibits under Section 134A.006, later reversed course and sealed a number of exhibits. Id. at 264. The court of appeals reversed, holding that Rule 76 governed the issue of sealing court records and the trial court had failed to follow “the standards and procedures for the parties to follow when seeking to seal exhibits at trial.” Id. at 259. Reversing the court of appeals, the Supreme Court blended TUTSA with Rule 76 to provide a specific procedure for sealing records in a trade secret case. The court noted that while TUTSA preempted conflicting law—specifically including Rule 76—its preemption of other rules only extended to the extent that there was an actual conflict: “[s]howing a conflict between TUTSA and one part of Rule 76 does not displace the whole rule.” Id. at 261-262. Noting that TUTSA only provided standards, not procedures, the court harmonized the act with Rule 76 by i) still imposing Rule 76’s public notice requirements in trade secrets cases; ii) applying Rule 76’s bar on motions to reconsider; and iii) emphasizing Rule 76’s requirement that a party demonstrate the absence of measures less restrictive than a seal. Id. at 262-263. Thus, a party wishing to seal records in a case brought under TUTSA still must be mindful of the procedures laid out in Rule 76.
Nevertheless, the protections afforded by Section 134A.006 are robust. For example, in In re M-I L.L.C., the Texas Supreme Court held that Rule 76 only applied to the “sealing of court records” and did not implicate oral testimony. 505 S.W.3d 569, 579 (Tex. 2016). As a result, the court held it was an abuse of discretion for the trial judge to not exclude a corporate representative from hearing testimony regarding the trade secret that the representative was otherwise unaware of. Id.