Tools of the Trade (Secrets): Confidential Is Not Enough

Most companies say they protect their trade secrets. In practice, most protect confidential information instead, and the law treats those two things very differently. Confidential information is a broad category with some recourse. Trade secrets are narrower, protectible under the Defend Trade Secrets Act (DTSA) and state equivalents, but only if you have done the work to earn that protection. Courts do not reward companies simply for having confidential information; they reward companies for treating their most valuable information like it actually is their most valuable information.

If you are unconcerned about the distinction, that may be appropriate. Not every piece of confidential information warrants the overhead of full trade secret protection. But if you derive significant economic advantage from your confidential information, and the information at issue is your source code, your pricing algorithms, your AI training data, or your proprietary formulations, then calling it “confidential” is not enough, nor is calling it a “trade secret” without any additional control. Courts are making it painfully clear that it is not enough to claim you value trade secrets. You have to be able to prove it.

The Cost of Blurring the Trade Secret Line

Under the DTSA, trade secret protection turns on whether the owner took “reasonable measures” to keep the information secret. 18 U.S.C. § 1839(3). Most companies hear that phrase and assume they have it handled. A firewall here, a password policy there, maybe an NDA tucked into the onboarding packet. They are wrong. And they usually do not find out how wrong until they are sitting across from opposing counsel trying to explain what, exactly, they did to protect information. The reasonable measures inquiry does not begin with technology. It begins with definition. Can the trade secrets be identified with specificity? Can you draw a clear, documented, defensible line between those assets and the ordinary information that flows through your business every day? When companies blur that line, whatever protection the trade secret may have had vanishes.

This is exactly where access control enters the picture, and it is far more than an IT checklist. Access control is the operational backbone of any serious trade secret program. It is the mechanism that translates a company's claimed secrecy into demonstrable, provable conduct. It answers the questions a court will inevitably ask: Who had access to this information? Why did they have it? What kept everyone else out? By the time misappropriation happens, you are not building a program. You are defending the absence of one.

Take for instance Snyder v. Beam Techs., Inc., 147 F.4th 1246 (10th Cir. 2025):

• Background: While working at Guardian Life Insurance Company, Snyder downloaded a national broker list of over 40,000 names from Guardian’s CRM and emailed it to his personal account (potentially its own trade secret misappropriation issue). After leaving Guardian, he joined Beam Technologies and brought the list with him. He created state-specific derivative lists using it as a template, but accidentally included the full Guardian list as an additional tab in three Excel spreadsheets, which he then emailed to Beam employees with no markings, no password protection, and no restrictions. Summary judgment affirmed: his conduct “can only be described as unreasonable, given the context and circumstances of the trade secret claim.”
• Why It Matters: The list should never have been something Snyder could email in the first place. If access controls had limited the list to a secure system, no local copies, no ability to attach it to an outbound email, there would have been no accidental disclosure to remediate. That is the point. Reasonable measures are not about reacting to a breach. They are about making the breach structurally difficult to cause.

The Computer Password Problem

Courts are not looking for security generally – they are looking for documented, deliberate, and proportionate to the value of what you are protecting. That means role-based access controls, segmented repositories that separate trade secret materials from general business records, access logs, and confidentiality markings that make clear to anyone with access that they are handling something valuable. A standard vendor contract sitting in a shared folder is not a crown jewel, and treating it the same way you treat your proprietary source code tells a court you never drew the line in the first place.

Most companies will say they protect their trade secrets, and they will point to their IT infrastructure, their NDAs, and their employee handbooks. But a password on a laptop is not evidence of differentiation. It is a baseline security measure that applies uniformly to everything on the device, from your most sensitive source code to your HR announcements. Uniform treatment is the opposite of what the reasonable measures standard demands, and it is the mistake that keeps showing up in the case law.

Negative, Inc. v. McNamara, 770 F. Supp. 3d 472 (E.D.N.Y. Mar. 13, 2025) illustrates the point:

• Background: Fashion company alleged a former freelance contractor misappropriated customer data, pricing strategies, product designs, and proprietary information. The company had uniform access controls, including multi factor authentication and access termination on departure. Dismissed at the motion to dismiss stage. The court held that standard login procedures and data protection that did not provide a differentiation between alleged trade secrets and other confidential information don’t make something a trade secret – even if users “would have no reason at all ever to access.”
• Why It Matters: Technical controls without communication of confidentiality, telling people what information is a trade secret, and without segmentation of that information from general confidential business records are not enough.

So What Does This Actually Take?

Yes, building a real trade secret program takes work. It is not free, it is not automatic, and it requires choices about what matters most. But here is the honest question: if you are not willing to take the basic steps to protect something, is it really a trade secret worth protecting? If the answer is yes, and for most businesses, at least a handful of assets clearly are, then there is a minimum set of practices you need to have in place. As our prior post covers and Double Eagle shows, identification failures and access control failures go hand in hand. Reasonable measures is a connected system, not a checklist of isolated steps.

• Segment your information. Trade secret materials need to live separately from, or be tagged and restricted differently than, general confidential information.
• Restrict access by role. Limit access based on job function, document who has access and why, and review that access periodically.
• Communicate secrecy explicitly. makes clear, employees and contractors need to be told, in writing, that the information is confidential. An NDA is a floor, not a ceiling.
• Log access. Track who accesses trade secret materials and when, because that contemporaneous record is exactly what you will need if a dispute arises.
• Build offboarding into the process. Revoke access, recover materials, and confirm ongoing obligations in writing. And if an accidental disclosure occurs, move quickly to remedy it.

The case law is clear: if you want trade secret protection, you need to up your game beyond confidentiality agreements and computer passwords. The steps above are a starting point, not an exhaustive program, but the baseline that courts expect to see. In our next piece, we will focus on the decision that comes before any of this: how to determine whether something is trade secret-worthy in the first place, and how to make that call efficiently without boiling the ocean. Spoiler: for most businesses, a handful of well-picked trade secrets will carry the lion’s share of the value.

Subscribe To Viewpoints