In trade secrets cases, many courts emphasize how login and password information can help protect trade secrets stored in computer systems.  Nonetheless, the traditional case law on trade secrets does not address whether login and password information can itself constitute a trade secret.  A recent decision by the United States District Court for the Northern District of California, however, permitted a company to assert a trade secret claim for misappropriation of login and password information in order to gain unauthorized access to other trade secrets stored in computer systems.  The case is TMX Funding, Inc. v. Impero Technologies, Inc., No. C 10-00202 JF (PVT), 2010 U.S. Dist. LEXIS 60260 (N.D. Cal. Jun. 17, 2010).  For a copy of the decision, click here.

The Uniform Trade Secrets Act states that one of the requirements for the existence of a trade secret is that the alleged trade secret be “the subject of efforts that are reasonable under the circumstances to maintain its secrecy.”  Uniform Trade Secrets Act § 1(4)(ii); Cal. Civil Code § 3426.1(d)(2).  Maintaining trade secrets in computer systems and protecting them by login/password information helps to maintain the secrecy of electronically stored information.  Accordingly, passwords (or other access control methods) help maintain the trade secret status of other information. 

In TMX Funding, however, the plaintiff maintained that login and password information to access networks, servers, and computer and telephone systems was itself a trade secret.  The plaintiff also claimed that it had other categories of trade secrets, including source code, business planning information, product information, customer lists and contact information, and customer profile information.  The plaintiff identified the login and password information as a category of trade secret separate and apart from these other categories of information.

The case arose from the termination of employees of a company whose assets the plaintiff purchased.  The acquired company designed and manufactured hotel guest telecommunication solutions.  The plaintiff acquiring company terminated the individual defendants after the acquisition.  The individual defendants then allegedly formed the corporate defendant Impero to compete against the plaintiff.  The plaintiff suspected that the defendants stole laptops, servers, and hard drives, and took trade secret electronically stored information from the acquired company.  The plaintiff, as the acquired company’s successor in interest, sued the defendants for trade secret misappropriation and related claims. 

The defendants filed a motion to dismiss various claims in the complaint.  They contended that the plaintiff failed to distinguish the identified trade secrets from general knowledge of the subject matter.  Also, the defendants said that the plaintiff failed to allege efforts to maintain secrecy of the information.  Finally, the defendants claimed that the plaintiff failed to allege actual misappropriation of the information.  Nonetheless, the Court rejected each of the defendant’s arguments.

The Court held that login and password information would not be generally known to entities outside the acquired company and that its only economic value derives from the fact that it is not generally known to others.  For efforts to maintain secrecy, the court pointed to the employees’ proprietary information and employee inventions agreements and the procedures to maintain protection of passwords (without mentioning much detail about them).  Thus, the Court held that the allegations of the complaint were sufficient to allege measures to protect secrecy.  Finally, the court stated that the plaintiff adequately alleged misappropriation by alleging unauthorized access to information, identifying the method of the misappropriation, and indicating the date of the misappropriation.  Presumably, the plaintiff discovered the alleged misappropriation and its particulars with the help of forensic experts. 

I believe that the TMX Funding case will be a typical fact pattern for trade secret cases involving departing employees.  Former employers are concerned about departing employees stealing information on the way out.  By contrast, former employees are concerned about former employers using baseless trade secret litigation to stifle competition.  In any case, information security practices of the former employer are highly relevant to the outcome.  They will show the extent to which the plaintiff maintained reasonable measures to protect their alleged trade secrets.  And TJX Funding now adds a new ingredient to the analysis – the status of authentication information as a possible separate category of trade secret. 

Stephen Wu

Partner, Cooke Kobrick & Wu LLP