In the recent years the number of cases where companies tries to protect their trade secret from unlawful use by ex-employees as their competitors in Bulgaria has increased.
Foremost, this trend concerns the IT sector. The companies have two main options to act against violators either claim unfair competition before the Bulgarian Commission for Protection of Competition (the "CPC"), or claim violation their trade secret under the Act for Protection of Trade Secret before the civil court. Very often, the companies prefer the proceeding before the CPC because it is shorter and does not contain risk for the claimant in case it fails to prove its claim. In addition, the companies do not choose the other option because the Act for Protection of Trade Secret is relatively new, and there is not so much court practice.
In general, the Bulgarian Competition Protection Act (the "CPA") prohibits an undertaking to learn, use or announce trade secret of the competitors as a form of unfair trading practices which may harm competitors. However, in its practice the CPC sets certain additional interpretations what trade secret means and when it should be considered for protected under the CPA. In the CPC's practice it turns very often so that the companies drawn up and applied certain internal policies, including for protection of their trade secret, which are not acceptable for the CPC and thus, their claims are rejected. This is also the case of the companies which have ISO 27001. Why is it so?!
First, CPC investigates the internal policies of the companies how the trade secret is defined. Usually, these policies, including the ones within ISO 27001, defines the trade secret as different types of information, e.g.: agreements with the clients, know-how, clients and clients' details, management reports, financial documents, etc. CPC considers these definitions for too broad.
Companies also use non-disclosure agreements (NDAs) with the employees which in the common case contain general definitions of their trade secret according to the CPC's practice. CPC requires the companies to define the information that is trade secret very specific. However, CPC does not provide guidelines which information is specific. This understanding of CPC makes the application of ISO 27001 policies impossible. As mentioned above the ISO 27001 policies use more general definitions because it concerns companies with high information flow. At such companies specifying information as trade secret is difficult and contains risk for leaving some data out of the policies' scope.
Second, CPC requires companies to undertake measures for protection of their trade secret. For CPC this means, on one hand, the managing bodies to issue decision by which they appoint specifically which information is trade secret and who has access in the companies to each information – trade secret. Again, such information is not included usually in policies such as ISO 27001. As per the practice, these policies provide only categories of employees which have access to trade secret which is not sufficient for CPC. Moreover, the internal organization of the work process, in the physical and digital environment, must be such that access to the trade secret can only be given to persons who are authorized by the management decision to work with a trade secret.
Very often in ISO 27001 policies is not clearly indicated which company and which management body has approved them and how. In such cases, CPC does not accept the respective policy as authentic document. Further, ISO 27001 policies usually are applied for the entire economic group. Considering the recent practice of the CPC this approach is also not acceptable. It seems that CPC expects the management body of each company within an economic group to approve list of information which is trade secret and the exact employees who are authorized to have access to it.
At the end, CPC requires the employees of the company to be informed about the management decision. So, the companies must be able to prove it. There are different approaches, such as: signing of the policy, participating in trainings, or conducting internal workshops, etc., but CPC does not specify which one it considers as best practice.
In view of the above, companies should be very cautious about the CPC practice on the protection of trade secret. Usually, they believe that they undertook all the necessary steps to protect their trade secret just by having internal policies and/or NDAs with the employees with general definition of the trade secret without any internal organisation of the work process. In view of the CPC practice, irrespective good or bad, this is not sufficient.
By Mariya Papazova, Partner, PPG Lawyers