Corporate entities that share confidential personal information with each other, including those in franchise relationships, should strongly consider potential privacy and trade secret risks and consider available alternative measures before taking any action that could compromise data security.
This article was published in the January 2017 issue of Intellectual Property & Technology Law Journal, published monthly by Wolters Kluwer.
Companies must consider seriously the potential trade secret and privacy implications of sharing personal information with third parties. In the age of “big data,” companies recently have begun to take the position that personal information collected from their consumers is subject to protection under the trade secret laws, such as the recently enacted Defend Trade Secrets Act (DTSA), 18 U.S.C. § 1839(3).
The DTSA, which was signed into law on May 11, 2016, creates, among other things, a federal cause of action for trade secret misappropriation and provides federal (but not exclusive) jurisdiction over trade secret theft. The DTSA is an amendment to the Economic Espionage Act (EEA), which relates to the protection of trade secrets but previously only included criminal provisions. The DTSA is nearly identical to the Uniform Trade Secrets Act (UTSA), which has been adopted by 48 states. The DTSA will not preempt existing state law, but it could provide much-needed uniformity, which was lacking under the UTSA due, in part, to varying interpretations by courts of the state statutes adopting it.
The DTSA uses the definition of “trade secret” set forth in the EEA. The definition includes “all forms and types of” information, if:
(A) the owner thereof has taken reasonable measures to keep such information secret; and
(B) the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public.
18 U.S.C. § 1839(3).
Sears Hometown v. KS Enterprises
A recent lawsuit filed by a franchisor against one of its franchisees illustrates the liability risk that companies take on when they share personal information. On July 26, 2016, Sears Authorized Hometown Stores, LLC filed a complaint against a Michigan franchisee, KS Enterprises, LLC, and its guarantor, Keith Boucher, for breach of contract, conversion and alleged violations of trade secret laws for failure to return computers containing consumers’ confidential personal information.
Sears Hometown and KS were parties to a franchise agreement, pursuant to which Sears Hometown authorized KS to establish a Sears Hometown store and to distribute merchandise of Sears Hometown and its affiliates. The franchise agreement was for an initial term of three years, through July 7, 2018.
Sears Hometown claims that, under the franchise agreement and a separate guaranty, KS and Boucher both agreed that all personal information about consumers who purchased merchandise or services from KS’s store would be the confidential and exclusive property of Sears Hometown. This information purportedly included the consumers’ names, addresses, telephone numbers, Social Security numbers, account numbers, information supplied by credit-reporting agencies, demographic and financial information, inclusion on mailing and other lists, and information about their transactions (collectively, the confidential personal information). Sears Hometown further alleges that KS and Boucher agreed that, upon Sears Hometown’s request, they would return the confidential personal information to Sears Hometown.
On July 24, 2016, KS and Boucher closed and abandoned the store. Sears Hometown claims that, during the shutdown, a Sears Hometown representative witnessed Boucher remove three computers from the store. Additionally, Sears Hometown alleges that, later that day, an individual claiming to be Boucher’s father contacted Sears Hometown and demanded money in exchange for the return of a server that contained all of the confidential personal information.
Sears Hometown responded by demanding that KS and Boucher return the three computers and the server so that it could perform an “end of life” procedure to remove all of the confidential personal information in order to ensure that it would remain protected. KS and Boucher, however, allegedly refused to return the computers and server.
As set forth above, Sears Hometown responded by filing a complaint against KS and Boucher asserting, among other things, alleged violations of the DTSA and the Illinois Trade Secrets Act (ITSA), 765 Ill. Comp. Stat. Ann. 1065/1, et seq., for failure to return the computers and server containing the consumers’ confidential personal information.
Although the confidential personal information referenced in Sears Hometown’s complaint may not appear to be trade secret information at first glance, there is at least some chance that it may meet the DTSA and ITSA statutory definitions, which are nearly identical. Indeed, while customer lists — the most analogous example — have received varying treatment under the UTSA, lists with selective accumulation of detailed, valuable information about customers, such as particular needs, preferences or characteristics, have been found to be trade secret information. Thus, due to the specific detail of the information allegedly collected by Sears Hometown, it would appear there is at least a fair chance that the confidential personal information that is the subject of Sears Hometown’s complaint may qualify as a trade secret.
Companies that share confidential personal information, including franchisors and their franchisees, should be reminded of the importance of the following:
Privacy and trade secret issues can arise from even basic corporate transactions. Many of the potential pitfalls, however, can be avoided through consultation with counsel before a transaction is consummated.
Franchisors, franchisees and other corporate entities that share confidential personal information should strongly consider potential privacy and trade secret risks and consider available alternative measures before taking any action that could compromise data security.
Companies should implement robust data privacy and security policies and procedures and assemble a response team with appropriate training in order to address immediately any suspected misappropriation of trade secrets and/or potentially private consumer information. Having a plan in place will minimize response time and business disruption and protect the company’s rights. [1]
The best time for addressing privacy and trade secret issues is before they occur. Counterparties can avoid privacy and trade secret disputes through the use of specific contractual language.
It is important to establish at the outset of any contractual relationship the ownership rights of all property, whether real or intangible, such as data.
As a result of the DTSA, trade secret claims can now be brought directly in federal court, without having to resort to diversity jurisdiction.
Limit confidential personal data to those employees who have a need to know.
De-identify personal data where possible.
Consider reviewing existing insurance coverage for data protection risks.
[1] For more information on establishing data privacy and security plans and policies, see our other articles, “Once More Unto the Breach: How Counsel Should Help Clients Prepare for and Respond to Data Incidents,” available at http://www.pepperlaw.com/publications/once-more-unto-the-breach-how-counsel-should-help-clients-prepare-for-and-respond-to-data-incidents-2016-07-01/, and “How to Avoid and Respond to a Cybersecurity Breach,” available at http://www.pepperlaw.com/publications/how-to-avoid-and-respond-to-a-cybersecurity-breach-2015-09-11/.