Trade secret claims increasingly are weaponized in competitive fights: a dominant player threatens litigation, forces a smaller rival into discovery, and leverages that as leverage—even when the underlying “secret” was left unguarded. In many of those cases, the defendant’s best defense is simple: the plaintiff never treated the information as a secret, and thus never satisfied the bedrock requirement of the law.
At both the federal and state levels (DTSA and SCTSA), a plaintiff must show (1) that it took reasonable measures to maintain secrecy, and (2) that the information had independent economic value by virtue of its secrecy. If you fail on reasonable measures, you lose—even if the information is valuable.
The “reasonable steps” prong is not a checkbox exercise. Courts examine whether a company’s protective regime, taken as a whole and over time, was robust enough to render secrecy credible. In jurisdictions like South Carolina, this is augmented by the concept of “eternal vigilance”—the idea that confidentiality must be actively maintained, not just assumed.
A recent Fourth Circuit decision, Synopsys, Inc. v. Risk Based Sec., Inc., No. 22-1812, 2023 WL 4009505 (4th Cir. June 15, 2023), illustrates how tightly courts now view the connection between value and secrecy. The court held that a plaintiff cannot simply rely on generalized evidence of commercial value (e.g. licensing revenue or acquisition price); rather, the plaintiff must tie that value to the asserted secret itself and show that the secrecy was integral to that value. In that case, Risk Based Security failed because it could not show that its asserted secrets derived value because they were secret, as opposed to simply being commercially useful.
For defendants, that means two things: (i) you can challenge the sufficiency of the plaintiff’s evidence of independent value, and (ii) you can show that even if the plaintiff alleged value, its secrecy regimes were weak or inconsistent. A plaintiff who cannot prove both prongs is vulnerable on summary judgment or dismissal.
So what do “reasonable steps” look like in practice? Below are the types of efforts courts expect to see (and which too many plaintiffs lack):
-
Comprehensive written agreements. Every employee, vendor, manufacturer, and distributor who accesses sensitive information should be bound by a nondisclosure or confidentiality provision. The lack of a contract with key parties is a frequent fatal gap.
-
Tiers of access control. Access should be strictly on a “need-to-know” basis. Use IT segmentation, firewalls, password protections, audit logs, network restrictions, and badge-access controls for physical spaces.
-
Ongoing training and policy reinforcement. It’s not enough to hand a confidentiality policy to employees once. Periodic training, reminders, refresher courses, and accountability tighten credibility.
-
Monitoring, audits, and enforcement. You must show that the policies had “teeth” — internal audits, occasional reviews of who accessed what, logs of suspicious activity, and disciplinary enforcement where violations occur.
-
Exit processes and reminders. When an employee departs, a company should remind them of their continuing obligations, restrict post-employment access, retrieve devices, and monitor for any suspicious data flows.
The phrase reasonable steps sounds modest, yet the standard is deceptively simple. Courts don’t demand perfection—and they acknowledge that protection is more expensive in some industries than others—but they do demand consistency, documentation, and evidence that secrecy was actively maintained. Laxity, gaps in enforcement, or inconsistent practices invite attack.
If a plaintiff cannot show that secrecy was meaningful and protected, its claim collapses—even if the information seems valuable on its face. In the final post in this series, we’ll explore reverse engineering—a lawful method by which a competitor may decode a product—and how that doctrine defines the outer limits of trade-secret protection.
