What Counts as ‘Reasonable Measures’ to Protect Trade Secrets?

ByAaron Hall, Attorney Last reviewed Business Law, Trade Secrets

You can have the most valuable trade secret in your industry—a formula, a process, a customer database that took years to build—and lose all legal protection for it because you didn’t take adequate steps to keep it secret. This isn’t a theoretical risk. It’s the single most common reason trade secret claims fail.

Under the Minnesota Uniform Trade Secrets Act (MUTSA, Minn. Stat. § 325C.01), information qualifies as a trade secret only if it “is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.” The federal Defend Trade Secrets Act (DTSA, 18 U.S.C. § 1836 et seq.) contains a nearly identical requirement. Fail the “reasonable measures” test, and it doesn’t matter how valuable your information is or how clearly it was stolen—the court will rule it wasn’t a trade secret at all.

Understanding what courts consider “reasonable” is essential for every business owner who wants to protect proprietary information.

Why Reasonable Measures Are the Make-or-Break Element

Trade secret protection has three requirements: the information must (1) derive economic value from being secret, (2) not be generally known or readily ascertainable, and (3) be the subject of reasonable efforts to maintain secrecy. The first two elements are usually straightforward—if you’re bringing a claim, the information almost certainly has value and isn’t public knowledge.

The third element is where cases are won or lost.

Courts apply the reasonable measures requirement for a practical reason: if the owner didn’t bother to protect the information, it signals that the information either wasn’t truly secret or wasn’t truly valuable. The law doesn’t protect companies that treat their most sensitive information carelessly and then turn to the courts when someone walks away with it.

The standard is not perfection. “Reasonable under the circumstances” means proportional to the value of the information, the size of the business, and the nature of the threat. A two-person startup isn’t held to the same standard as a Fortune 500 company. But every company must demonstrate meaningful, affirmative efforts.

What Courts Look For

Courts evaluate reasonable measures holistically. No single factor is dispositive, and no checklist guarantees success. But decisions across jurisdictions consistently examine the same categories of protective measures.

Physical Security Measures

Physical security was the original battleground for reasonable measures, and it remains relevant even in a digital world.

Facility access controls. Locked facilities, key card systems, visitor sign-in requirements, and restricted areas for sensitive operations all demonstrate that the company takes physical security seriously.

Clean desk policies. Requiring employees to secure sensitive documents when not in use—rather than leaving them on desks or in common areas—shows attention to everyday secrecy.

Secure disposal. Shredding confidential documents rather than tossing them in recycling bins. Destroying hard drives rather than simply deleting files.

Visitor management. Controlling and monitoring who enters areas where trade secrets are accessible, including requiring NDAs from visitors, vendors, and contractors before granting access.

Physical security alone is insufficient in a modern business, but its absence can undermine a trade secret claim. A court may question why a company invested in sophisticated digital protections but left the server room unlocked.

Digital and IT Security Measures

For most businesses today, digital security measures carry the most weight in a court’s analysis. The specific measures that constitute “reasonable” depend on the nature of the trade secret, but courts consistently examine several areas.

Access controls and authentication. Role-based access, multi-factor authentication, strong password policies, and the principle of least privilege (employees access only what their role requires). These are foundational. A company that gives every employee access to every system will struggle to argue it maintained secrecy.

Encryption. Encrypting trade secret information both at rest (stored on servers and devices) and in transit (moving across networks). Full-disk encryption on laptops is particularly important given the risk of device loss or theft.

Network security. Firewalls, intrusion detection systems, VPN requirements for remote access, and network segmentation that isolates systems containing trade secrets from general business systems.

Monitoring and logging. Access logs that record who viewed what information and when. Data loss prevention tools that flag bulk downloads or transfers of sensitive data. These measures serve double duty—they deter misappropriation and provide evidence if it occurs.

Cloud and SaaS security. Proper configuration of cloud platforms, vendor security assessments, and contractual protections with service providers. Misconfigured cloud storage has become a common basis for challenging the adequacy of security measures.

Contractual Protections

Agreements are among the most cited factors in reasonable measures analysis. Courts expect businesses to use contracts to establish and reinforce secrecy obligations.

Nondisclosure agreements (NDAs). The most direct contractual tool. NDAs should be signed before an individual gains access to trade secrets—whether the individual is an employee, contractor, vendor, or prospective business partner. Generic NDAs that cover “all information” are less effective than agreements that identify the categories of trade secret information with specificity.

Employment agreements. Beyond standalone NDAs, employment agreements should address confidentiality obligations, invention assignment, acceptable use of company systems, and obligations upon termination. These provisions establish expectations from day one.

Non-solicitation agreements. While non-compete agreements are no longer available for post-July 2023 employment in Minnesota (Minn. Stat. § 181.988), non-solicitation agreements restricting customer and employee solicitation remain enforceable and demonstrate protection efforts.

Vendor and contractor agreements. Trade secrets shared with outside parties—outsourced development firms, consultants, joint venture partners—require contractual protections. The absence of confidentiality provisions in vendor agreements is a common weakness courts identify.

The agreement itself isn’t enough. Courts look at whether NDAs and other agreements are consistently used, not just whether a template exists. If some employees signed NDAs and others didn’t—particularly those with significant access—the inconsistency undermines the company’s position.

Organizational Measures

Beyond physical, digital, and contractual protections, courts examine whether the company’s organizational practices reflect a commitment to secrecy.

Information classification. Labeling documents and materials as “Confidential,” “Proprietary,” or “Trade Secret” signals to employees and third parties that the information requires special handling. Classification systems should be meaningful—when everything is marked confidential, nothing is.

Need-to-know access policies. Restricting access to trade secrets based on job function, not just job title. A sales manager may need access to customer pricing data but not to product formulas. Documented access policies that reflect these distinctions carry significant weight.

Compartmentalization. For high-value trade secrets, limiting access so that no single person has the complete picture. Different teams may work on different components without seeing the full system—a practice common in technology companies and manufacturing.

Governance and oversight. Designating responsibility for trade secret protection—whether to a specific executive, a cross-functional committee, or an outside advisor—demonstrates that the company treats trade secret management as an ongoing priority, not an afterthought.

Employee Training and Awareness

Courts increasingly look at whether employees understood their confidentiality obligations and the company’s expectations.

Onboarding training. New employees should receive training on what constitutes a trade secret, what information at the company is considered proprietary, and what their obligations are.

Ongoing reminders. Annual refresher training, policy acknowledgment forms, and periodic communications about confidentiality demonstrate sustained commitment. A one-time orientation session followed by years of silence is a weak foundation.

Role-specific training. Employees with access to particularly sensitive trade secrets—engineering teams, sales leaders, executives—should receive training tailored to the specific information they handle and the specific risks they face.

Documentation. Training records—who attended, when, and what was covered—provide concrete evidence. A company that claims it “always trained employees on confidentiality” but cannot produce records of any training will struggle in court.

The Exit Process as a Reasonable Measure

How a company handles employee departures is one of the most scrutinized elements of the reasonable measures analysis. Departing employees are the highest-risk vector for trade secret misappropriation, and courts expect companies to address this risk systematically.

Exit interviews. A structured conversation covering the employee’s confidentiality obligations, the requirement to return all company property and information, and a reminder that trade secret protections survive employment.

Return of materials. Collection of all company-owned devices—laptops, phones, external drives—and deletion of company data from personal devices.

Access revocation. Immediate termination of access to all company systems, including email, cloud platforms, VPN, and physical key cards. “Immediate” matters—access that remains active for days or weeks after departure creates both risk and the appearance of inadequate controls.

Written confirmation. Having the departing employee sign a certification that they have returned all company property and materials and have not retained copies of trade secret information.

Forensic review. In high-risk departures—key employees leaving for competitors, individuals with access to the company’s most valuable trade secrets—forensic review of the departing employee’s activity during the notice period may be warranted. Access logs showing bulk downloads or file transfers to personal accounts are powerful evidence in subsequent litigation.

Common Failures That Destroy Trade Secret Protection

Understanding what courts have found insufficient is as instructive as understanding what they require:

  • The unprotected spreadsheet. Critical customer data in a shared file accessible to every employee, with no password protection or access logging.
  • The forgotten NDA. An NDA template exists, but the employee who misappropriated trade secrets never signed one.
  • The open door. Sensitive areas—labs, server rooms—accessible without restriction; visitors walk through without signing in.
  • The uncontrolled departure. An employee resigns and no one collects their laptop for days; system access stays active for a week.
  • The paper-only policy. A 40-page security policy sits in a binder no one has read, with no training and no compliance monitoring.
  • Selective enforcement. Senior executives are exempt from security protocols. If the company doesn’t enforce its own rules consistently, courts conclude the rules aren’t genuine.

A Practical Reasonable-Measures Audit

Business owners should conduct a periodic audit of their trade secret protection measures. This audit doesn’t need to be complex, but it should be honest.

Identification

  • [ ] We have identified our trade secrets and maintain a current inventory
  • [ ] Trade secrets are categorized by value and sensitivity
  • [ ] We know which employees and third parties have access to each category

Physical Security

  • [ ] Facilities containing trade secrets have controlled access
  • [ ] Visitors to sensitive areas sign in and are escorted
  • [ ] Confidential documents are secured when not in active use
  • [ ] Document disposal uses shredding or secure destruction

Digital Security

  • [ ] Access to systems containing trade secrets requires multi-factor authentication
  • [ ] Access is limited based on role and need-to-know
  • [ ] Trade secret data is encrypted at rest and in transit
  • [ ] Access is logged and logs are periodically reviewed
  • [ ] Cloud platforms are configured to restrict unauthorized access
  • [ ] Remote access requires VPN or equivalent secure connection
  • [ ] Data loss prevention tools monitor for unusual data movement

Contractual Protections

  • [ ] All employees with trade secret access have signed NDAs
  • [ ] All vendors and contractors with trade secret access have signed NDAs
  • [ ] Employment agreements address confidentiality, invention assignment, and exit obligations
  • [ ] Non-solicitation agreements are in place where appropriate
  • [ ] Agreements are signed before access is granted, not after

Organizational and Training

  • [ ] Confidential information is labeled or marked appropriately
  • [ ] Access is granted on a need-to-know basis with documented justification
  • [ ] Responsibility for trade secret protection is assigned to a specific person or team
  • [ ] New employees receive confidentiality training during onboarding
  • [ ] Annual refresher training is conducted, documented, and records are maintained

Exit Process and Ongoing Review

  • [ ] A standardized exit procedure exists and is consistently followed
  • [ ] All company property and data are collected; system access is revoked on or before the last day
  • [ ] Departing employees sign a return-of-materials certification
  • [ ] High-risk departures trigger forensic review of recent activity
  • [ ] Security policies and the overall program are reviewed and updated annually

No company will check every box, and the law doesn’t require it. But a company that can demonstrate thoughtful, documented, consistently applied measures across these categories will be in a strong position when it matters most—standing before a judge, asking the court to protect what belongs to you.

Frequently Asked Questions

Does the “reasonable measures” standard mean we need to spend a lot of money on security?

Not necessarily. The standard is “reasonable under the circumstances,” which accounts for the size of your company, the value of the information, and the resources available. A 10-person company isn’t expected to have the security infrastructure of a Fortune 500 firm. What courts look for is proportional effort—meaningful steps that reflect the importance of the information. Sometimes the most impactful measures (consistent use of NDAs, access controls, exit procedures) are low-cost.

Can we lose trade secret protection if we share the information with a business partner?

You can, but you don’t have to. Sharing trade secrets with vendors, partners, or contractors is often necessary. The key is sharing under appropriate protections—NDA in place before disclosure, access limited to what the partner needs, and controls on how the partner stores and uses the information. Uncontrolled sharing without contractual protections is one of the fastest ways to lose trade secret status.

What if we had a strong program in the past but let it lapse?

Courts evaluate your measures at the time of the alleged misappropriation. A program that was robust three years ago but has since been neglected—outdated policies, expired training, access controls that haven’t been reviewed—may not satisfy the reasonable measures standard today. The good news is that gaps can be addressed. Updating your program now strengthens your position for any future dispute.

Is marking documents “Confidential” enough?

Marking is one factor, but standing alone it’s insufficient. A “Confidential” stamp on a document that sits in an unlocked filing cabinet, accessible to anyone in the office, doesn’t demonstrate reasonable measures. Marking works as part of a comprehensive program—it signals to employees that the information requires special handling, which reinforces access controls, NDAs, and training. Courts view marking as necessary but not sufficient.

How do we prove we took reasonable measures if we end up in court?

Documentation is the answer. Written policies, signed NDAs, training attendance records, access logs, exit interview forms, and records of security audits all serve as evidence. The time to build this documentation is now—not after a misappropriation occurs. Courts are skeptical of companies that reconstruct their security practices from memory. Contemporaneous records are far more persuasive than after-the-fact testimony about what the company “always did.”

Related Articles

For guidance specific to your situation, contact Aaron Hall, attorney for business owners, at aaronhall.com or 612-466-0040.