Ms. Pohlid

Hospitality Law

Protecting Your Proprietary Information

By Kathleen Pohlid, Founder and Managing Member, Pohlid, PLLC

The first step in protection is to identify confidential and proprietary information. This information - also referred to as trade secrets - may exist in different forms. In general, it includes any information belonging to your establishment from which an economic benefit is derived by it not being made readily available.

For a hotel establishment, trade secrets may include information obtained from guest surveys, guest contact information, vendor information, financial information and records, security and pass codes, occupancy rates and prices, guest preferences, strategies for minimizing costs, staffing information, and marketing studies and plans. A compromise of this information can be very costly to an establishment and provide significant leverage for a competitor, as well as resulting in significant litigation costs for all entities involved.

In 2009, Starwood Hotels and Resorts sued Hilton Hotel alleging that two Hilton executives, both former Starwood employees, stole over 100,000 documents containing Starwood trade secrets in order to accelerate Hilton's entry into the lifestyle luxury hotel market. Starwood alleged that the theft of its trade secrets constituted unfair competition providing Hilton a significant advantage in reducing the costs as well as a head start in implementing the market venture. In February of 2011, the Wall Street Journal reported that Hilton settled the dispute for a reported $75 million and that the hotel would be under review by a court-appointed monitor to ensure that it would not derive benefit from the information obtained. This incident serves as a reminder that establishments should be mindful that current partners or managers may be future competitors. Establishments must ensure that adequate protections are in place to address this concern.

Business partnership and employee agreements should clearly set forth the ownership interests in products and processes developed for the establishment as well as clearly defining the information which is deemed to be confidential and proprietary. Additionally, even if a product or process is not "confidential," the processes and information used in development may be confidential and if so, should be protected. In BLT Restaurant Group LLC v. Tourondel, 855 F.Supp.2d 4 (S.D. N.Y. 2012), a dispute arose involving the issue of whether a former manager violated the company's operating agreement which prohibited disclosure of confidential information when he developed restaurant menus that mimicked those of his former employer.

Lauret Tourondel, an acclaimed French chef, formerly worked for BLT and played a central role in designing the BLT restaurants, bearing the acronym for Bistrol Laurent Tourondel. After Tourondel left BLT to form his own restaurants which he named "LT," BLT filed suit claiming that he breached the operating agreement by copying recipes, appropriating fanciful names for dishes used in BLT menus and mimicking BLT menu combinations and pricing. The agreement included confidentiality/proprietary rights provisions specifying that members agree that they have "no rights in, or claims with respect to, any inventions, original works or authorship, developments, improvements, or trade secrets which were made by the [employee] prior to the date hereof and which relate to the business, products or services of the Company." Also if an employee incorporates into a product, process, device or system a prior invention owned by him, BLT will have "a nonexclusive, royalty-free, irrevocable, perpetual, worldwide license" to use and sell that prior invention as part of its product, process, device or system. The agreement also provided that discoveries made, inventions created, ideas, concepts and techniques related to the company's business, shall remain the sole and exclusive property of the company. Under the agreement, employee members assign their rights to the company and acknowledge that all original works made solely or with others during the scope of employment and that are protect-able by copyright are "works made for hire."

Although the agreement contained a provision allowing BLT to continue use of the BLT trademark with restaurants which were pre-existing or under construction, the agreement did not specifically prohibit Tourondel, after leaving BLT, from developing menus based upon information obtained during his employment. Tourondel asserted that the complaint should be dismissed in summary judgment because the BLT menus were public and not confidential. However, the court reasoned that even though the "menus are not themselves confidential[,]" this does not establish that "Tourondel did not use confidential information" in creating the LT menus. Therefore, the court denied summary judgment finding that the agreement could be interpreted to prohibit use of BLT's confidential information such as marketing studies in designing competing menus with winning combinations of offerings, catchy names for the dishes, or optimal pricing.

These incidents and disputes reveal the stakes and interest in maintaining confidentiality of an establishment's trade secrets and ensuring that policies and agreements are effective in doing so.

Protection of trade secrets involves implementation of appropriate administrative, technological and physical controls and safeguards. The focus is to adopt measures to maintain the secrecy of an establishment's trade secrets, to deter potential compromise, and where possible, to identify a compromise when it has occurred.

Maintaining the secrecy of trade secrets is critical especially if an establishment desires to enforce civil or criminal action against a person who has stolen or misappropriated its trade secrets. Most states have adopted the Uniform Trade Secrets Act which provides protection against misappropriation of "trade secrets." The UTSA defines "trade secrets" to include all forms and types of financial, business, scientific, technical, economic or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing," but only if: (1) "the owner thereof has taken reasonable measures to keep such information secret," and; (2) "the information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by the public."

In addition to state civil laws that protect proprietary information, the federal Economic Espionage Act of 1996 (18 U.S.C. 1831 et seq.) criminalizes theft and misappropriation of trade secrets. Additionally, the federal Computer Fraud and Abuse Act, 18 U.S.C. 1030, prohibits unauthorized access to a protected computer and criminalizes fraud committed in connection with such conduct. However, establishments should be aware that the CFAA may have limited application in situations involving employee violations of computer use policies. Since the CFAA is primarily aimed at computer hackers, courts have indicated a reluctance to impose criminal violations under the CFAA involving employee infractions of employer computer use policies. For example, in 2011, the U.S. Court of Appeals for the Ninth Circuit held that employees who have employer authorization to access computer systems, but violate their employer's computer use policy, do not violate the CFAA. United States v. Nosa, 642 F.3d 781 (9th Cir. 2011).

In Nosal, the employee, David Nosal, worked for an executive recruiting company and as part of his employment had access to confidential proprietary information including names and contact information. Before leaving the company, he accessed the company computers and downloaded confidential and proprietary information, which he later used after forming a competing business. Although Nosal's act of downloading confidential information was unauthorized, his access into the system was not unauthorized. Therefore, the court concluded that a violation of the CFAA could not be asserted because he did not "exceed authorized access," as defined by the CFAA.

Develop Administrative Controls

Administrative controls - which consist of policies and procedures - are an important measure for protecting an establishment's trade secrets. These policies and procedures include development of a computer use policy, social media policy and use of confidentiality/non-disclosure agreements. Consult with legal counsel and information technology advisors in developing effective administrative controls for your establishment.

Establishments which provide employee access to electronic communications via company computers or network systems should consider developing a written electronic communications policy. An effective policy will include definitions of confidential and proprietary information and also specify that the definition includes information identified or marked as "confidential," "proprietary," or as a "trade secret," as well as information that is treated as such by the establishment.

In addition to emphasizing that the company's computer and network systems and devices are intended for company business purposes, the policy should specify impermissible uses, including prohibition against the transmission, use or access to confidential and proprietary information without both authorization and a legitimate business purpose. The policy should also specify that disclosure of confidential information to unauthorized entities, or for unauthorized purposes, is prohibited and emphasize the responsibility of employees to safeguard confidential information. Similarly, social media policies should address the prohibition of disclosure of confidential and proprietary information.

The computer systems policy should also recognize that unauthorized use may also involve access obtained through inadvertence or outside hackers. Administrative controls for maintaining password security should also be addressed in a computer systems policy. This would include protocols for creating passwords, changing passwords, safeguarding passwords, and providing management access to passwords. Additionally, your establishment should incorporate these procedures into existing policies so that when an employee is transferred to another position or is terminated, password access is changed. The policies should also address administrative controls for automatic logoffs or screens left unattended, prohibitions against installing software and devices without company approval. In some cases, computer devices such as laptops and smart phones may need to be encrypted to prevent unauthorized access to sensitive data.

The electronic communications policy should also address the issue of privacy. Employees should be put on notice that they do not have an expectation of privacy in their communications transmitted on company equipment/networks. Inform employees that the company monitors its equipment and networks and has the authority and ability to access, monitor, copy, modify, and delete any information stored/transmitted on its equipment/network. Furthermore, notify employees that the company can monitor and obtain access to employee communications and data stored on computer equipment and networks even if the information is deleted or accessed through private emails.

Most courts have upheld employer actions in monitoring communications and information on company networks and equipment. Recently a federal district judge in New York held that an executive did not have a privacy interest in email communications with his attorney which he sent using his employer's email system. In United States v. Finazzo, No. 10-CR-457 (E.D. N.Y. Feb. 19, 2013), the judge noted that courts consider four factors in assessing an employee's reasonable expectation of privacy in work computer and email accounts: "(1) does the corporation maintain a policy banning personal or objectionable use, (2) does the company monitor the use of the employee's computer or e-mail, (3) do third parties have a right of access to the computer or e-mails, and (4) did the corporation notify the employee, or was the employee aware, of the use and monitoring policies?"

The judge reviewed these four factors with respect to the employer's computer system and found that the company policy stated that except for limited and reasonable personal use, the company systems were to be used for company business only. The policies also identified communications which were prohibited and stated that users have no expectation of privacy. Although the company did not have a practice of "actually reviewing employee's emails," the judge found that the warning that it "may monitor, access, delete or disclose all use of the Company systems, including e-mail . . . at any time without notification or [employee] consent," factored against finding a reasonable expectation of privacy. Even though the employee claimed he immediately deleted the email from his attorney after he read it, the judge concluded that additional factors to justify an expectation of privacy were not present since the email was deleted from the company's server and the employee knew that access to the email was obtained through that server. Finally, the fact that the employee admitted awareness of the company's computer use and monitoring policy weighed heavily against any expectation of privacy. This decision illustrates the importance of ensuring that establishments obtain signed acknowledgements from employees of their electronic computer policies.

Confidentiality and Non-Disclosure Agreements

Confidentiality and non-disclosure agreements provide an important measure of protection against compromise of confidential and proprietary information. Consider including such agreements as part of all employment and contractor arrangements which involve access to the establishment's confidential and proprietary information. Such agreements should define "confidential and proprietary information," as well as providing that information marked or treated as such shall be included within that definition.

It is important to consult with counsel in developing confidentiality agreements. Courts will consider several factors in enforcement of such agreements, including whether there is sufficient consideration and the duration for which the information is to be treated confidential. Ensure the agreement includes an acknowledgement by the employee/contractor that the information is confidential and that failure to maintain the confidentiality would result in irreparable harm to the establishment. Additionally, include a signed covenant or promise by the employee/contractor that acknowledging their responsibility to maintain the confidentiality and to promptly returned the information upon termination of the employment/contract relationship. Establishments should also consider establishing exit interviews or procedures to remind employees/contractors of their obligation to comply with the confidentiality provisions and to confirm that they have reviewed their obligations under the agreement.

Technological and Physical Controls

In addition to presenting challenges to maintaining security, technology also provides options and solutions to detect potential compromises and prevent them from occurring. Establishments should consult with technology experts for options to identify introduction of unauthorized devices, viruses, and programs into a computer system, protections against downloading files and information, and mechanisms to wipe out handheld devices where necessary. Establishments must also implement physical controls to limit unauthorized access to systems and work areas where confidential information is maintained, to include maintaining data in encrypted files.

While technology continues to pose numerous security challenges to establishments, these steps provide measures to protect and safeguard confidential and proprietary information.

Kathleen Pohlid is the founder and managing member of the law firm of Pohlid, PLLC in the Nashville, Tennessee area. She advises business clients in matters including employment, occupational safety and health, Americans with Disabilities Act (accommodation & discrimination) and regulatory compliance. Her goal is to enable clients to comply with the myriad of state and federal laws to succeed in their business, mindful of the challenges facing businesses and the importance of cost effectiveness. She has advised and represented businesses in a variety of industries including restaurants, hotels, and other entities in the tourism and hospitality industries. She has over 20 years of combined federal government and private sector experience in employment law and litigation. She holds an AV rating from Martindale-Hubbell (highest for professional competency and ethics), a B.S. degree from the U.S. Naval Academy and a J.D. from Samford University. Ms. Pohlid can be contacted at 615-369-0810 or kpohlid@pohlid.com Please visit http://www.pohlid.com for more information. Extended Bio...

HotelExecutive.com retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.com.

Receive our daily newsletter with the latest breaking news and hotel management best practices.
Hotel Business Review on Facebook
RESOURCE CENTER - SEARCH ARCHIVES
General Search:
Coming Up In The November Online Hotel Business Review




{300x250.media}
Feature Focus
Architecture & Design: Authentic, Interactive and Immersive
If there is one dominant trend in the field of hotel architecture and design, its that travelers are demanding authentic, immersive and interactive experiences. This is especially true for Millennials but Baby Boomers are seeking out meaningful experiences as well. As a result, the development of immersive travel experiences - winery resorts, culinary resorts, resorts geared toward specific sports enthusiasts - will continue to expand. Another kind of immersive experience is an urban resort one that provides all the elements you'd expect in a luxury resort, but urbanized. The urban resort hotel is designed as a staging area where the city itself provides all the amenities, and the hotel functions as a kind of sophisticated concierge service. Another trend is a re-thinking of the hotel lobby, which has evolved into an active social hub with flexible spaces for work and play, featuring cafe?s, bars, libraries, computer stations, game rooms, and more. The goal is to make this area as interactive as possible and to bring people together, making the space less of a traditional hotel lobby and more of a contemporary gathering place. This emphasis on the lobby has also had an associated effect on the size of hotel rooms they are getting smaller. Since most activities are designed to take place in the lobby, there is less time spent in rooms which justifies their smaller design. Finally, the wellness and ecology movements are also having a major impact on design. The industry is actively adopting standards so that new structures are not only environmentally sustainable, but also promote optimum health and well- being for the travelers who will inhabit them. These are a few of the current trends in the fields of hotel architecture and design that will be examined in the November issue of the Hotel Business Review.