Organizations must audit their governance programs to confirm that they are employing reasonable measures to protect their trade secrets. The middle of litigation is the worst time to learn those measures fall short and that there is, in consequence, no trade secret and no claim. Reasonableness hinges on the organization's size and sophistication and on the practice of comparable companies in the industry, but recurring issues establish a bare minimum every program must observe. The audit must confirm that the basic requirements below are reflected in the organization's policies and operational practice.
Are the organization's trade secrets inventoried in some way? If so, how is that inventory drafted and protected? Does it describe the IP with reasonable particularity or does it employ generic descriptions of broad categories instead?
Consider: StoneEagle Services, Inc. v. Valentine, 2013 WL 9554563, at *5 (N.D. Tex. June 5, 2013) ("Requiring a list that separately breaks out each individually alleged trade secret would help Defendants craft their discovery responses, provide relevant documents, and limit objections. Requiring Plaintiffs to describe how the claimed trade secret is unique from that which is found in the public domain will be helpful for the same reasons, especially in light of the fact that the processes at issue may also be found in Plaintiffs' public patent filings.").
Is every person or entity with access to protected IP under a contractual restriction that safeguards the IP? Are those agreements current, reciprocal, and broad enough to ensure the information is protected? Where appropriate, are there supplemental safeguards or agreements bolstering those protections?
Consider: Pie Dev., L.L.C. v. Pie Ins. Holdings, Inc., 2023 WL 2707184, at *3 (5th Cir. Mar. 30, 2023) (holding that, despite the presence of an NDA, the agreement was insufficient to constitute a "reasonable measure" because it did not bind the parties to the lawsuit, did not mention the trade secret owner, and did not indicate that the actual trade secrets were subject to the NDA itself).
Is protected IP sequestered behind technical and physical controls (password protection, multi-factor authentication, access limitations to key personnel, encryption at rest and in transit, segmented network access, badge-controlled physical spaces)? Is access appropriately logged? Is protected IP sufficiently marked as protected and confidential?
Consider: Scientific Machine & Welding, Inc. v. Rose, 2022 WL 850409 (Tex. App.—Austin Mar. 23, 2022, no pet.) (mem. op.) (holding information not a trade secret because the IP was available to all its employees and was not password protected; owner/president's email and company vendor lists not password protected; third-party vendors provided drawings without non-disclosure agreements; and defendant allowed "full access" to company's design work as well as customer and vendor lists for three days after departing from employment).
Is the program actually enforced? Is training conducted periodically, and is attendance documented? Are deviations from policy identified, escalated, and remediated?
Consider: DB Riley, Inc. v. AB Eng'g Corp., 977 F. Supp. 84, 92 (D. Mass. 1997) ("[T]here was an unwritten, informal policy which overrode the formal policy. Consequently, design drawings were distributed haphazardly to both customers and parts suppliers for years.").
Is the organization employing best practices to ensure that it meets industry custom and practice as it pertains to information security (e.g., consulting ESI, cybersecurity, or industry-specific security experts)? Is this process iterative and ongoing? Is the program reviewed and updated periodically? Are deficiencies identified in prior reviews actually closed, with documentation?
Consider: Elmer Miller, Inc. v. Landis, 253 Ill. App. 3d 129, 134, 625 N.E.2d 338, 342 (1993) ("[R]easonable steps for a two or three person shop may be different from reasonable steps for a larger company.").
Artificial intelligence.
Has the organization adopted enforceable AI-use policies covering consumer LLM tools, coding assistants, and enterprise AI deployments? Are vendor data-handling terms reviewed for retention and training rights inconsistent with the organization's confidentiality obligations? Is there a documented record showing the issue was analyzed?
Evidence preservation infrastructure.
Are log retention schedules, forensic imaging capabilities, and litigation-hold protocols calibrated for the timeline of a trade secret dispute, not just for routine cybersecurity incidents?
M&A protocols.
When the organization acquires a business, are the target's NDA chains, access controls, and trade secret inventories audited and integrated rather than left to degrade?