Protecting Everything Means Protecting Nothing

2024-06-20
| Author: James Pooley (詹姆斯·普利)

| Translators: 寇海俠, Partner, 北京taptap点点体育官方网站; 陳泓月, graduate student, Tsinghua University School of Law


“The more you tighten your grip, the more slips through your fingers.”


— Princess Leia speaking to Tarkin in the first Star Wars movie


Princess Leia wasn’t the first person to use the “tighten your grip” metaphor, but I think she’s the most memorable. To be totally accurate, she warned Tarkin that “more star systems will slip through your fingers.” And her philosophizing did not stop him moments later from using the Death Star to destroy her home planet, Alderaan. But that’s a quibble. The point for our purposes is that tightening your grip on a company’s trade secrets can actually lead to losing them. Stay with me here; this kind of excessive protection is more widespread than you might think, and most companies don’t appreciate the risks that they are taking by overdoing it.

The first category is legal risk. Recall that courts require, as part of any case for misappropriation of trade secrets, that you prove you have taken “reasonable measures” to maintain control over the information. Because most trade secret loss happens through employees, you might assume that judges want you to have strong confidentiality agreements. And you would be right; in fact, if you don’t have them, you are statistically likely to lose. But here’s the hidden problem: if your employee non-disclosure agreements (NDAs) are too broad, courts could throw them out.


1 The Overbroad Employee NDA


On this issue lawyers may not be your best friend. Trained to turn over every pebble on the path, they come up with contracts that identify as “confidential information” everything that happens or is communicated in the business. Avoiding any attempt at actually explaining what makes particular information sensitive and in need of special handling, they opt instead for an open-ended set of examples, usually preceded by “including but not limited to” and listing such high-level abstractions as “all information regarding business methods and procedures, clients or prospective clients” or any information the employee “may obtain knowledge of” while working for the company.

This was the language used in one recent case, TLS Management v. Rodriguez-Toledo, where the judge concluded that the contract would cover information that was in the public domain or general knowledge of the sort that employees are supposed to be able to take to the next job. The court refused to “fix” the agreement by narrowing its terms and instead held that it was totally unenforceable.

Let’s pause and acknowledge that the business is always on the razor’s edge regarding confidentiality agreements, in the sense that employee NDAs must be fairly vague. That is because at the outset no one can predict exactly what trade secrets the company will have, and what the employee will be exposed to, during what may be years of employment.


2 Less Reliance on Contract, More on Process


But what seems a conundrum for the business – how to be comprehensive enough without being overbroad – can be resolved if there’s not almost exclusive reliance on the contract (and perhaps an equivalently vague Code of Conduct or Employee Handbook). The business has it within its power – and some courts might say has the responsibility – to communicate effectively to the workforce about confidentiality by training and other messaging delivered throughout the employment lifecycle. This can continue through the exit process, which presents a particularly powerful opportunity to ensure a common understanding of what the company views as its trade secrets and what are its expectations for the departing employee’s behavior after they leave.

The second kind of risk is operational. By making your confidentiality controls and rules too complex, or too demanding, chances are that a substantial portion of the workforce will either ignore them, or even deliberately circumvent them. For example, consider the requirement that the word “confidential” must be placed on every sensitive document. Unless you have a simple and easy way for people to add that term every time, they will tend to ignore the rule, especially if they see that others are doing the same. Another example is the prohibition against taking confidential information off the premises (or sending it to a private email address), when people need to work at home to get the job done.


3 Where You Have Rules, You Better Enforce Them


In a Texas case where I testified as an expert in 2021, FMC Techs. v. Murphy, the company had sued a departing senior engineer for taking a secret, unpublished patent application describing undersea oil drilling equipment. The company had a suite of policies about protecting confidential information, including a requirement to mark sensitive documents. But in practice, documents were seldom marked “confidential,” including the patent application at the center of the dispute. Worse, the senior manager in charge of engineering couldn’t even explain what confidential information was. Basically, this was a company with valuable information, but they had decided to protect it mainly by patenting, and ultimately failed to police compliance with the “standard” rules they had established for trade secrets.

The jury decided that the claimed trade secrets didn’t qualify, because the company failed to exercise reasonable security measures. The moral of the story: if you create a rules-based framework for trade secret protection, you need to enforce it. And a corollary: only create rules that you reasonably expect the workforce to follow.


4 The Downside Of ‘It’s All Confidential’


Trying to protect every bit of the company’s information as if it is equally important creates its own set of risks. First, that approach almost always results in a false sense of security. It leads management to think “we have set up really tight procedures for handling secrets, and so we must be safe.” The trouble is, the vast majority of information loss – whether through carelessness or espionage – happens below the awareness of management. When you have lost control of secret information, it’s still there, so you may not know that there’s a problem. As a result, you can easily miss all sorts of related vulnerabilities and ways to address them.

Second, by treating everything at the same level of sensitivity – for example, by giving all your engineers access to the entire database of information about the company’s ongoing research and development – you may think that you are encouraging collaboration and creative work. But by choosing not to partition access by project groups, you could be missing opportunities for more supervised collaboration, where managers know what’s going on, participants stay focused on their projects, and confidential information is less likely to leak.

Third, overly aggressive rules can slow things down when they need to move very fast, as in response to a reported data breach. The same phenomenon can work to reduce compliance with external regulatory requirements, where a too “locked-down” environment collides with the need for a certain amount of managed transparency that enables effective reporting.


5 The Workforce Can Be Trusted


Fourth, and perhaps most important, your workforce, properly trained and incentivized, is your primary bulwark against possible loss or contamination of data assets. If you put them inside a security regime that is too strict, not only do you risk noncompliance and circumvention, but you will be sending a message that you don’t trust them. Conversely, if you design your systems in a way that distributes an appropriate level of authority to determine what is confidential and how to protect it, employees are likely to be more engaged and effective.

This balanced way of implementing security measures takes more time and effort than simply issuing a standard set of policies and expecting that they will work. You need to have a good idea of what data assets are most important for protecting the company’s competitive advantage, and what are the risks to their integrity. From that point, you manage to those risks, and not so much to a precooked set of rules. Be realistic about what can work in your business. Often, that requires that you relax your grip.

[1] Reviewed by lawyers 朱尉賢 and 陳哲遠, senior partners of the International Business Committee of 北京taptap点点体育官方网站.


Source: Wolters Kluwer (威科). Author: James Pooley (詹姆斯·普利)