For many tech companies, patents grab the headlines, but trade secrets do most of the quiet work. Your pricing models, recommendation algorithms, vendor lists, or even how you organize your infrastructure may all qualify as trade secrets. Unlike patents, they don’t expire — but they’re only valuable if you actually protect them.
So what does “protection” mean in practice for an in-house lawyer juggling hiring, procurement, and daily fire drills? It’s not about exhaustive audits or thick binders of policies. It’s about embedding a handful of practices into the company’s daily operations.
What Counts as a Trade Secret
The primary federal law is the Defend Trade Secrets Act (DTSA), passed in 2016. It created a nationwide cause of action for trade secret misappropriation and sets the baseline test for what qualifies.
At the state level, most states follow some version of the Uniform Trade Secrets Act (UTSA), with California’s California Uniform Trade Secrets Act (CUTSA) being one of the most frequently litigated. While the elements are broadly similar, California courts in particular are very active in interpreting how employee mobility and trade secrets interact.
Across federal and state frameworks, three questions always come up:
- Secrecy: Is it something people outside the company couldn’t just Google, buy, or reverse engineer? Example: Your server architecture or your churn-prediction algorithm.
- Value: Would a competitor get an advantage if they had it? Example: Your customer list or product roadmap.
- Protection: Are you treating it like it’s actually confidential? Example: Locked behind permissions, not just sitting in a shared drive open to “everyone@company.”
If you can answer “yes” to all three, you’re probably looking at a trade secret. As a practical matter, in-house counsel can only really control the third factor — protection — and that is where the biggest value add comes from. The test under both the DTSA and CUTSA is whether the company took “reasonable measures” to safeguard its information. Courts look at the substance of what the company actually does, not the labels it applies, to decide whether information is truly protected.
A recent case, Sysco Machinery Corp. v. DCS USA Corp., 93 F.4th 271 (4th Cir. 2025), drives this home: the court rejected trade secret claims where the company repeatedly referred to its information in vague terms like “confidential data” but did not identify specific trade secrets or demonstrate concrete protections. The court noted that without evidence of measures such as confidentiality agreements, restricted access, or security protocols, merely labeling something as confidential is not enough. The lesson for in-house teams is clear — calling something “confidential” isn’t enough; you need to be able to point to concrete protections like agreements, access controls, and training.
The Seven Things That Matter Most for In-House Counsel
When you strip away the noise, protecting trade secrets inside a modern tech company comes down to seven priorities. Each of these steps is a concrete example of the kind of “reasonable measures” courts look for under DTSA and CUTSA.
1. Employment Agreements
Every employee, contractor, or intern should sign an agreement — before they start — that clearly obligates them to keep company information confidential. No exceptions, no “we’ll get it signed later.” Confidentiality agreements are one of the most basic and powerful “reasonable measures” you can show a court.
In Fail-Safe, LLC v. A.O. Smith Corp., 674 F.3d 889 (7th Cir. 2012), the court found no trade secret protection where information had been shared with a potential business partner without requiring nondisclosure agreements. Because the company failed to use even basic contractual safeguards, the court held it had not taken reasonable steps to preserve secrecy, and therefore could not claim trade secret protection.
2. Procurement & Vendor Contracts
Most sensitive data now lives in third-party systems (cloud storage, CRM, HRIS, AI vendors). Your procurement process should screen for:
- Industry-standard security certifications (SOC 2, ISO 27001, etc.)
- Contractual confidentiality obligations
- Data return/deletion clauses at termination
These protections matter because once sensitive data leaves your four walls, your ability to argue it was kept secret depends on whether your contracts required vendors to keep it secure. Without clear obligations around confidentiality and data handling, a court may find you failed to take reasonable measures to protect your trade secrets.
3. AI Usage Policies and Vendor Terms
Generative AI tools present new risks for trade secrets. Employees may unintentionally paste sensitive information into public platforms, and AI vendors may seek broad rights to use customer inputs for training. To mitigate these risks, companies should:
- Adopt a clear policy governing what information may be shared with AI systems, emphasizing that trade secrets should never be disclosed to public tools.
- Provide employees with access to enterprise-grade AI platforms that include confidentiality protections.
- Negotiate vendor contracts to require that inputs and outputs are kept confidential and not used for model training.
These steps demonstrate to a court that the company is adapting its “reasonable measures” to modern technology risks and actively working to prevent inadvertent disclosures.
4. Role-Based Access (“Least Privilege”)
Confidential information should only be available to people who need it to do their job. Work with IT to:
- Limit sensitive systems to employees (or vetted contractors)
- Apply least-privilege principles: give the narrowest access necessary, not blanket rights
- Review permissions regularly to clean up “permission creep”
Courts view robust access controls as another core “reasonable measure.” In WeRide Corp. v. Kun Huang, 379 F. Supp. 3d 834 (N.D. Cal. 2019), the court considered whether information qualified as a trade secret when access had been granted to broad groups of employees without meaningful restrictions, and not all of those employees were covered by confidentiality agreements. The court noted that failing to limit access and ensure confidentiality obligations undermined the claim that the information was treated as secret. The case illustrates that while broad internal access alone does not automatically destroy secrecy, the absence of agreements and monitoring can make it much harder to show reasonable steps were taken.
5. Training & Culture
Employees don’t always realize what counts as confidential. Build it into:
- New hire onboarding: a simple 15-minute module or live training
- Ongoing refreshers: short reminders, ideally tied to real-world examples (e.g. don’t upload proprietary code to public GitHub)
Training shows the company didn’t just rely on paper policies — it actively tried to build awareness. Courts are more likely to view this as evidence of reasonable measures when assessing whether trade secrets were protected.
6. Audit & Logging
For your most sensitive systems (source code repos, product roadmaps, financials), keep logs of who accessed what and when. Just as important: make sure you can actually review them if an issue arises.
Audit logs allow you to detect suspicious behavior and prove who accessed information. Courts often look to whether a company could track and investigate misuse as part of the reasonable measures inquiry.
7. Offboarding Protocols
When someone leaves — especially for a competitor — access should be shut off immediately. Best practices include:
- IT checklist: disable accounts, recover devices, confirm deletion of local files
- HR/legal exit interview: remind them of continuing confidentiality obligations
- Flagging “at-risk” departures for closer monitoring
Courts scrutinize offboarding procedures closely, particularly where former employees join competitors. In Allison Transmission, Inc. v. Boudouris, 2020 WL 3451828 (S.D. Ind. June 24, 2020), former employees downloaded large amounts of confidential data shortly before leaving. The court emphasized that the company’s ability to show it had promptly cut off access and enforced exit procedures would be critical to proving reasonable measures. California courts have also taken this issue seriously; in Altavion, Inc. v. Konica Minolta Systems Laboratory, Inc., 226 Cal. App. 4th 26 (2014), the court stressed that documenting and enforcing confidentiality restrictions around departing employees was a key factor in sustaining trade secret claims under CUTSA.
Why This Works
If you ever find yourself in court, the question isn’t whether you did everything possible to protect your secrets — it’s whether you took “reasonable measures.” That standard under both the DTSA and CUTSA is intentionally flexible: courts don’t expect perfection, but they do expect evidence that the company treated the information as valuable and took concrete steps to protect it. The seven steps outlined in this playbook are what “reasonable measures” typically look like inside a modern tech company. They’re the difference between a judge saying, “This company clearly took secrecy seriously,” versus “You called it a secret, but you left the back door wide open.”
Final Thought
For in-house counsel, trade secret protection isn’t about massive audits or endless checklists. It’s about embedding a few simple, durable practices into the company’s DNA — hiring, procurement, AI usage, IT permissions, training, logging, and offboarding.
Run a quick gap check on these seven areas. Wherever you find weakness, that’s where to start.
This post is for general informational use only. This is not legal advice and does not form an attorney-client relationship. For any specific situation, you should seek out legal representation and counsel.
Portions of this blog may constitute attorney advertising. Any testimonial or endorsement on this profile does not constitute a guarantee, warranty, or prediction regarding the outcome of your legal matter. Prior results do not guarantee a similar outcome. Results depend upon a variety of factors unique to each representation.
