Practical Determination Standards for the Requirement of Reasonable Confidentiality Measures for Trade Secrets (Taiwan)

Teresa Huang and Albert Yen[1]

During the global spread of the Covid-19 pandemic in 2020, Taiwan has been able to maintain almost normal life since it has managed the epidemic more appropriately than other countries.  In addition, alternative opportunities for industrial development have also presented themselves for the biotechnology industry companies in Taiwan during the outbreak of epidemic.  Not only is it feasible to obtain domestic and overseas market approvals and clinical trial approvals by focusing on the research and development of screening reagent and vaccines but also active efforts can be made to seek opportunities to collaborate with large domestic and overseas research institutions or pharmaceutical companies.  However, in the face of tempting collaboration, investment and M&A offers, Taiwan’s biotech companies, which are often focused on “research and development” in the division of labor in the industry, will inevitably worry about whether they will inadvertently disclose their own confidential technologies and then lose their original competitiveness as a result of collaborating with or accepting investments from large enterprises.

In general, a biotech company usually protects its proprietary know-how by filing patents or protecting it as trade secrets.  However, since the patent application process requires public disclosure of the content of technologies, the technology owners which attach importance to maintenance of technology secrecy will tend to protect their know-how as trade secrets.  Such tendency is more common for the protection of technology which has a longer lifecycle and is difficult to research and develop independently. Under Article 2 of the Trade Secrets Law, the term “trade secret” as used in this law means any method, technique, process, formula, program, design, or other information that may be used in the course of production, sales, or operations, and also meet the following requirements: (1) it is not known to persons generally involved in the information of this type; (2) it has economic value, actual or potential, due to its secretive nature; and (3) its owner has taken reasonable measures to maintain its secrecy.  One of the most common disputes in practice is whether a technology owner has taken reasonable confidentiality measures for the technology at issue.  If the owner has not adopted special confidentiality measures due to negligence in its business management system, the technology owner may fall into a dilemma where he/she may assume that the technology falls within the scope of trade secrets but cannot assert “trade secrets” at all from a legal perspective.

With respect to how to determine if a technology owner has taken reasonable confidentiality measures in court practice, findings in recent court decisions are summarized below:

I. Whether the confidentiality measures adopted by a trade secret owner are reasonable should be determined by considering the types of such trade secrets, the actual operation of the business, and the consensus or general construct of the society from the circumstances of the specific case. If it is objectively sufficient to prevent the general public from easily probing and learning the trade secrets, such measures would be reasonable confidentiality measures (see the 108-Tai-Shang-36 Civil Decision and the 109-Min-Ying-Su-2 Civil Decision of the Supreme Court).

II. That “reasonable confidentiality measures have been taken by the owner” means that the owner, based on its human and financial resources and according to the methods or technologies normally available in the society, has classified and graded the information that is not known to the public according to its business needs and made it known to people of different authority levels. For protecting information in computers, measures, such as establishing authorized accounts and passwords for users are especially common (see the 102-Tai-Shang-235 Civil Decision of the Supreme Court). In recent years, a number of court judgments have applied the above determination standard and conveyed more specific opinions in individual cases.

1. The 108-Min-Ying-Shang-Yi-1 Civil Decision of the Intellectual Property Court: Given that the information owner is a small and medium-sized enterprise, the information is limited to only a small number of people, the company’s emails are protected by restricting the users and setting up passwords, and the company signs an employment statement and a termination statement with its employees to impose contractual confidentiality obligation on the employees so that they are clearly aware of the company’s subjective intention to protect its trade secret information and of its objective measures, as a whole, the company should be deemed to have taken reasonable confidentiality measures for the information at issue.

2. The 108-Min-Ying-Su-11 Civil Decision of the Intellectual Property Court: The so-called “reasonable confidentiality measures” mean that the owner of trade secrets has the subjective intention to protect them and has objectively taken active confidentiality measures to make people understand its intention to protect such information as trade secrets, e.g., signing a confidentiality agreement with employees who may access such trade secrets, controlling those who have access to such trade secrets, marking documents with “confidential” or “restricted,” locking up materials containing such trade secrets, setting up passwords or taking security measures (such as restricting visitors’ access to locations where confidential information is stored). In addition, whether reasonable confidentiality measures have been taken is not preconditioned by the signing of a confidentiality agreement.  If the owner of trade secrets has objectively engaged in certain acts to the extent that other people understand its intent to protect such information as trade secrets and has controlled such information in manners that make its access difficult, such measures would be sufficient.

3. The 107-Min-Ying-Shang-1 Interim Civil Decision of the Intellectual Property Court: “Reasonable confidentiality measures mean that the owner of trade secrets has made reasonable efforts to protect the secrecy of the information, and there is no need to achieve the level of watertight or war in protection.  Reasonable confidentiality measures may include: specifying the scope of confidential information and the confidentiality obligations in employment agreements; signing confidentiality agreements with suppliers or clients who need to access confidential information; establishing all kinds of internal working rules within the company to protect trade secrets; adopting access control; classifying and grading confidential information appropriately; setting up dedicated custodians and special storage premises; setting up the authority level of the employees with respect to access and use of confidential information; and restricting access to confidential information.

Based on the foregoing, when determining if the owner of trade secrets has taken reasonable confidentiality measures, although the court will still make independent determination based on the circumstances of individual cases, still the main focus is on the subjective willingness of the trade secret owner to protect the trade secret and active confidentiality measures objectively taken so that the intention to protect such information as secrets is known.  Since it is difficult to investigate the subjective intent of the owner, the subjective intent of the owner can only be inferred by considering the various specific measures objectively taken by the owner in practice.

In conclusion, to ensure that the standard of “reasonable confidentiality measures” under the Trade Secrets Law is met, a company that intends to protect its proprietary know-how by means of “trade secrets” should first examine whether its existing internal control system has been designed in accordance with the aforementioned court opinions.  The most basic internal control procedures should at least include personnel management mechanisms (e.g. signing confidentiality agreements with employees), establishment of the authority for accessing research and development records, access control, control of important documents (e.g. contracts with suppliers or clients) and computer usage rules.  If deficiencies are identified, outside legal counsel should be sought immediately to design or adjust existing mechanisms to avoid the risk of not being recognized to fall within the scope of statutory “trade secrets” in advance.

[1] The authors are lawyers at Lee, Tsai & Partners.  However, the contents of this article merely reflect personal opinions and do not represent the position of this law firm.