Blog

Password protection may not sustain confidentiality

Passwords aren’t just for email these days. From jumping on a wi-fi network, to making a phone call, to downloading a song, everything electronic now seems under the proverbial lock and key, albeit a digital one. One recent decision from the Delaware Court of Chancery confronted this reality, holding that “merely password protecting” certain information did not constitute “reasonable efforts to protect the confidentiality of that information” and therefore, the information at issue could not be considered a trade secret. Wayman Fire Protection, Inc. v. Premium Fire & Security, LLC, No. 7866-VCP, 2014 WL 897223, at *16 (Del. Ch. Mar. 5, 2014).

After losing a bid to Premium Fire, Wayman began to suspect that Premium Fire had access to its data, and hired a forensic computer expert to determine whether its files had been copied by a former employee. Id. at *8. Based on the results of this investigation, Wayman filed suit against Premium Fire and other defendants, accusing them of tortious interference, misappropriation of trade secrets, misuse of computer system information, civil conspiracy, and conversion, among other things. Id. at *13.

Among its rulings, the Delaware Chancery Court found that the salesforce.com reports were not trade secrets under the Delaware Uniform Trade Secrets Act (“DUTSA”). Id. at *16. In relevant part, the DUTSA defines a “trade secret” as:

(4)       “Trade secret” shall mean information, including a formula, pattern, compilation, program, device, method, technique or process, that:

1. Derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use; and

2. Is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

Id. at *13.

Wayman argued that it had taken reasonable steps to maintain the secrecy of the reports. Id. at *15. It argued that access to the Salesforce documents was password protected, only a limited number of employees were given Salesforce passwords, and those with passwords were required to change their passwords every 30–60 days. Id. The Court, however, disagreed, finding that these efforts were insufficient to maintain the secrecy of the reports, particularly when viewed in light of the information contained in the reports. Id. at *16. “[B]ased on the nature of the information at issue, I find that in simply relying on the security features that came with Salesforce, primarily a password requirement, Wayman failed to make efforts that were reasonable under the circumstance to maintain secrecy of either of the Salesforce documents.” Id.

The lesson of Wayman Fire may be simple. In this age of ubiquitous passwords, where “Forgot Password?” appears below any login box, companies should take additional steps to impress upon their employees the confidentiality of the information laying behind that password. This may be as simple as providing a contract or handbook to its employees, that conveys the secrecy and importance of the information under protection. See id. (“Wayman has not presented evidence that it conveyed to those to whom it gave passwords to access Salesforce that the Salesforce information was highly confidential or secret.”). This additional step is particularly important where the confidential or proprietary nature of the information at issue is “not inherently obvious.”

Like a good password, the lessons of Wayman Fire should be written down.