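OLC has covered trade secret protection from many angles, but the most important point remains the day-to-day protective regime that keeps trade secrets from leaking in the first place. As Abrasic 90 Inc. v. Weldcote Metals, Inc. shows, a company that makes no visible effort to protect its information may be unable to benefit from legal protection even when important information is stolen and misused.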
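Background
As in many other cases, the trade secret misappropriation here stemmed from a former employee taking information out of the company. However, because the company whose confidential information was taken had put virtually no measures against information leakage in place, as listed below, the court denied its request for an injunction.
Shortcomings of the company identified by the court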
- Failing to confine access to the alleged trade secret information to those who had a need to access it (aka “need to know” access).
- Permitting employees to access the confidential information without requiring them to sign non-disclosure agreements (NDAs).
- Using employment policies that do not require employees to maintain the confidentiality of the company’s confidential information after the employment ends.
- At termination of employment, failing to ask the employee if she possesses any of the company’s confidential information and failing to ask the employee to delete or return it.
- Failing to admonish employees at termination of an on-going obligation to protect the company’s confidential information.
- Using confidentiality employment policies that are vague and do not give employees sufficient guidance about what information they are to treat as confidential to the company.
- Doing nothing to train or educate employees about their obligations to protect the company’s confidential information.
- Failing to require suppliers and distributors who had access to the information to execute NDAs.
- Failing to password-protect and encrypt the company’s trade secrets.
- Permitting employees unfettered ability to download, save elsewhere (e.g., a USB drive), print, and email files containing the company’s confidential information.
- Allowing employees to share passwords.
- Failing to label “proprietary” or “confidential” documents or files containing the company’s confidential information.
- Disclosing publicly supposedly confidential information.
- Using an IT Manager who has no training in data security or is otherwise unqualified.
- Not implementing security measure recommendations of its IT Manager, such as requiring employees to remove company data from their personal devices when their employment ends.
- Taking no measures to protect supposedly confidential information that are different than measures taken to protect non-confidential information.
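What counts as "sufficient" leak prevention depends on the case, but a company that has taken no measures at all, as in Abrasic 90 Inc. v. Weldcote Metals, Inc., will not get a good result from filing suit.
Taking this case as a lesson, companies should put protections in place before trade secrets leak, even if only a little at a time.
Summary by: 野口剛史
Original article authors: Rebecca Edelson, Seong Kim and Youngbin Son, Sheppard Mullin Richter & Hampton LLP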