Translators: 寇海侠, Partner, 北京天驰君泰律师事务所; 陈泓月, graduate student, 清华大学法学院
“The more you tighten your grip, the more slips through your fingers.”
— Princess Leia speaking to Tarkin in the first Star Wars movie
Princess Leia wasn’t the first person to use the “tighten your grip” metaphor, but I think she’s the most memorable. To be totally accurate, she warned Tarkin that “more star systems will slip through your fingers.” And her philosophizing did not stop him moments later from using the Death Star to destroy her home planet, Alderaan. But that’s a quibble. The point for our purposes is that tightening your grip on a company’s trade secrets can actually lead to losing them. Stay with me here; this kind of excessive protection is more widespread than you might think, and most companies don’t appreciate the risks that they are taking by overdoing it.
The first category is legal risk. Recall that courts require, as part of any case for misappropriation of trade secrets, that you prove you have taken “reasonable measures” to maintain control over the information. Because most trade secret loss happens through employees, you might assume that judges want you to have strong confidentiality agreements. And you would be right; in fact, if you don’t have them, you are statistically likely to lose. But here’s the hidden problem: if your employee non-disclosure agreements (NDAs) are too broad, courts could throw them out.
1 The Overbroad Employee NDA
On this issue lawyers may not be your best friend. Trained to turn over every pebble on the path, they come up with contracts that identify as “confidential information” everything that happens or is communicated in the business. Avoiding any attempt at actually explaining what makes particular information sensitive and in need of special handling, they opt instead for an open-ended set of examples, usually preceded by “including but not limited to” and listing such high-level abstractions as “all information regarding business methods and procedures, clients or prospective clients” or any information the employee “may obtain knowledge of” while working for the company.
This was the language used in one recent case, TLS Management v. Rodriguez-Toledo, where the judge concluded that the contract would cover information that was in the public domain or general knowledge of the sort that employees are supposed to be able to take to the next job. The court refused to “fix” the agreement by narrowing its terms and instead held that it was totally unenforceable.
Let’s pause and acknowledge that the business is always on the razor’s edge regarding confidentiality agreements, in the sense that employee NDAs must be fairly vague. That is because at the outset no one can predict exactly what trade secrets the company will have, and what the employee will be exposed to, during what may be years of employment.
2 Less Reliance on Contract, More on Process
But what seems a conundrum for the business – how to be comprehensive enough without being overbroad – can be resolved if there’s not almost exclusive reliance on the contract (and perhaps an equivalently vague Code of Conduct or Employee Handbook). The business has it within its power – and some courts might say has the responsibility – to communicate effectively to the workforce about confidentiality by training and other messaging delivered throughout the employment lifecycle. This can continue through the exit process, which presents a particularly powerful opportunity to ensure a common understanding of what the company views as its trade secrets and what are its expectations for the departing employee’s behavior after they leave.
The second kind of risk is operational. By making your confidentiality controls and rules too complex, or too demanding, chances are that a substantial portion of the workforce will either ignore them, or even deliberately circumvent them. For example, consider the requirement that the word “confidential” must be placed on every sensitive document. Unless you have a simple and easy way for people to add that term every time, they will tend to ignore the rule, especially if they see that others are doing the same. Another example is the prohibition against taking confidential information off the premises (or sending it to a private email address), when people need to work at home to get the job done.
3 Where You Have Rules, You Better Enforce Them
In a Texas case where I testified as an expert in 2021, FMC Techs. v. Murphy, the company had sued a departing senior engineer for taking a secret, unpublished patent application describing undersea oil drilling equipment. The company had a suite of policies about protecting confidential information, including a requirement to mark sensitive documents. But in practice, documents were seldom marked “confidential,” including the patent application at the center of the dispute. Worse, the senior manager in charge of engineering couldn’t even explain what confidential information was. Basically, this was a company with valuable information, but they had decided to protect it mainly by patenting, and ultimately failed to police compliance with the “standard” rules they had established for trade secrets.
The jury decided that the claimed trade secrets didn’t qualify, because the company failed to exercise reasonable security measures. The moral of the story: if you create a rules-based framework for trade secret protection, you need to enforce it. And a corollary: only create rules that you reasonably expect the workforce to follow.
4 The Downside Of ‘It’s All Confidential’
Trying to protect every bit of the company’s information as if it is equally important creates its own set of risks. First, that approach almost always results in a false sense of security. It leads management to think “we have set up really tight procedures for handling secrets, and so we must be safe.” The trouble is, the vast majority of information loss – whether through carelessness or espionage – happens below the awareness of management. When you have lost control of secret information, it’s still there, so you may not know that there’s a problem. As a result, you can easily miss all sorts of related vulnerabilities and ways to address them.
Second, by treating everything at the same level of sensitivity – for example, by giving all your engineers access to the entire database of information about the company’s ongoing research and development – you may think that you are encouraging collaboration and creative work. But by choosing not to partition access by project groups, you could be missing opportunities for more supervised collaboration, where managers know what’s going on, participants stay focused on their projects, and confidential information is less likely to leak.
Third, overly aggressive rules can slow things down when they need to move very fast, as in response to a reported data breach. The same phenomenon can work to reduce compliance with external regulatory requirements, where a too “locked-down” environment collides with the need for a certain amount of managed transparency that enables effective reporting.
5 The Workforce Can Be Trusted
Fourth, and perhaps most important, your workforce, properly trained and incentivized, is your primary bulwark against possible loss or contamination of data assets. If you put them inside a security regime that is too strict, not only do you risk noncompliance and circumvention, but you will be sending a message that you don’t trust them. Conversely, if you design your systems in a way that distributes an appropriate level of authority to determine what is confidential and how to protect it, employees are likely to be more engaged and effective.
This balanced way of implementing security measures takes more time and effort than simply issuing a standard set of policies and expecting that they will work. You need to have a good idea of what data assets are most important for protecting the company’s competitive advantage, and what are the risks to their integrity. From that point, you manage to those risks, and not so much to a precooked set of rules. Be realistic about what can work in your business. Often, that requires that you relax your grip.
[1] Reviewed by senior partner 朱尉贤 and 陈哲远 of the International Business Committee of 北京天驰君泰律师事务所.