Supreme Court clarifies reasonable protection measures

Taiwan’s Supreme Court has handed down its decision in a case filed by a chemical company against a competitor and clarified the meaning of ‘reasonable measures’ as stipulated in Article 2 of the Trade Secrets Act (Supreme Court Judgment Tai Kan Ji 687 (2018)).

According to Article 2, information deemed to be a trade secret must meet three requirements:

• be unknown to persons generally involved in information of this type;
• have economic value – actual or potential – due to its secretive nature; and
• its holder must be able to prove that they have taken reasonable measures to maintain its secrecy.

However, the definition of ‘reasonable measures’ is somewhat ambiguous. Is a company that has a trade secret required to take all measures possible to keep it secret in order to satisfy this requirement? The lack of clarity on what constitutes reasonable measures has affected companies in Taiwan, as the definition of ‘reasonable’ as it applies to ‘measures’ was previously never clearly indicated.

In this case, the Supreme Court indicated that the trade secret holder took measures to classify or categorise information or materials that were unknown to the public and disclosed this to its employees (based on their level of authorisation within the company) and took into account the holder’s power and financial resources. These measures met the requirement and were considered to be reasonable. The court ruled that although the emails, which involved important client information (ie, sales agreements, product price calculation methods, sales meeting minutes and sales information) were not marked as confidential, the company had taken reasonable measures to protect the information. It was thus deemed by the court to be protected trade secrets.

The court emphasised that establishing user accounts or passwords is a common measure that companies can utilise to protect information. It also stated that if a trade secret holder announces internal document management regulations, this can serve as an example of another measure of protection that is deemed to be reasonable.

In the past, prosecutors and lower courts have mistakenly believed that companies must take all possible measures to meet the reasonable measures requirement. This strict, high standard placed a significant burden on companies. For example, a prosecutor could state that a company should monitor its employees’ email accounts periodically to prevent unusual acts. However, this is too expensive for companies, as advanced technology is necessary to conduct such monitoring. This type of strict requirement is both inefficient – as the volume of employees’ emails is likely to be substantial – and impractical (if not impossible) for companies to monitor all such email traffic.

This latest judgment provides companies in Taiwan with a clear and efficient definition, as well as illustrative examples of reasonable measures. A company does not need to take all possible protection measures in order to meet the requirement. Measures that classify or categorise the employees or persons who are able to access confidential information based on their different levels of authorisation are sufficient to meet the reasonable measures requirement.