Your Source Code Is a Trade Secret: The Cybersecurity Measures Courts Require

Your company’s most valuable assets probably aren’t sitting in a warehouse or a bank vault. They live on servers, in cloud platforms, and across the laptops your team carries home every night. Source code, customer analytics, pricing algorithms, proprietary databases—these digital assets drive competitive advantage. But here’s the problem: if you aren’t protecting them with adequate cybersecurity measures, the law may not protect them either.

Under the Minnesota Uniform Trade Secrets Act (MUTSA, Minn. Stat. § 325C.01 et seq.) and the federal Defend Trade Secrets Act (DTSA, 18 U.S.C. § 1836 et seq.), information qualifies as a trade secret only if the owner takes “efforts that are reasonable under the circumstances to maintain its secrecy.” For digital assets, that means your cybersecurity program isn’t just an IT concern—it’s a legal requirement.

What Qualifies as a Digital Trade Secret

Not every piece of digital information is a trade secret. To qualify, the information must derive independent economic value from not being generally known and must be subject to reasonable secrecy measures. Common categories include:

Source Code and Software Architecture. The code that powers your products or internal systems, including proprietary algorithms, data structures, and system designs.

Customer Data and Analytics. Customer lists alone may or may not qualify, but compiled customer analytics—purchasing patterns, lifetime value calculations, segmentation models—often do. The key is whether the compilation required substantial effort and provides competitive advantage.

Pricing Models and Financial Data. Dynamic pricing algorithms, cost structures, margin analyses, and vendor pricing that competitors could exploit.

Proprietary Databases. Curated datasets, research compilations, and structured information that took significant resources to develop.

Business Process Automation. Custom workflows, automated decision trees, and operational systems that give your company an efficiency edge.

AI and Machine Learning Models. Trained models, training datasets, and the parameters that make your AI systems perform—these are increasingly recognized as protectable trade secrets.

The common thread: the information must provide a genuine competitive advantage because others don’t have it.

What Courts Consider “Reasonable” Cybersecurity Under MUTSA

When a trade secret dispute reaches court, one of the first questions is whether the owner took reasonable steps to protect the information. For digital trade secrets, courts evaluate the company’s cybersecurity posture. No single measure is required, but courts look at the overall picture.

Access Controls

Role-based access. Not everyone needs access to everything. Courts look favorably on companies that limit access to sensitive information based on job function. Your marketing team doesn’t need access to source code repositories, and your developers don’t need access to financial models.

Multi-factor authentication (MFA). Single-password access to systems containing trade secrets is increasingly viewed as insufficient. MFA—requiring a second verification factor like a mobile authenticator—has become a baseline expectation.

Principle of least privilege. Employees should have only the minimum access needed to perform their jobs. This means regularly reviewing and adjusting permissions as roles change.

Encryption

Data at rest. Trade secret information stored on servers, databases, and devices should be encrypted. Full-disk encryption on laptops and mobile devices is particularly important given the risk of physical theft.

Data in transit. Information moving across networks—especially the internet—should travel through encrypted channels (TLS/SSL, VPN tunnels).

Key management. Encryption is only as strong as the key management practices behind it. Courts may examine whether encryption keys are properly secured and rotated.

Monitoring and Logging

Access logging. Maintaining records of who accessed what information and when creates both a deterrent and an evidence trail. If an employee downloads your entire customer database the night before resigning, access logs make that provable.

Anomaly detection. Systems that flag unusual access patterns—bulk downloads, access from unfamiliar locations, off-hours activity—demonstrate proactive protection.

Data loss prevention (DLP). Tools that monitor and restrict the movement of sensitive data outside corporate systems show courts that the company took its secrecy obligations seriously.

Cloud Storage and SaaS Considerations

Most businesses today store trade secrets in cloud platforms—AWS, Azure, Google Cloud, Salesforce, or specialized SaaS tools. This creates unique challenges for trade secret protection.

Vendor agreements matter. Your contracts with cloud providers should include confidentiality provisions, data security requirements, and clear terms about data ownership. A court evaluating your “reasonable efforts” may look at whether your vendor agreements protect your information.

Shared responsibility model. Cloud providers secure the infrastructure; you secure your data and access. Understanding this division—and documenting your side of the responsibility—is essential. Amazon securing its data centers doesn’t mean your S3 buckets are properly configured.

Data residency and access. Know where your data is stored and who at the vendor can access it. Some industries and some trade secrets warrant additional restrictions on data location and vendor employee access.

Configuration management. Misconfigured cloud storage is one of the most common causes of data exposure. Regular audits of cloud configurations—permissions, public access settings, API keys—are both good security practice and evidence of reasonable efforts.

Remote Workforce Challenges

The shift to remote and hybrid work has expanded the attack surface for trade secret theft. Information that once stayed within a controlled office environment now flows to home offices, coffee shops, and co-working spaces.

Secure remote access. VPN or zero-trust network access ensures that remote connections to corporate systems are encrypted and authenticated. Simply allowing employees to access trade secret information over unsecured home Wi-Fi undermines your legal position.

Endpoint security. Company-issued devices should have endpoint protection—antivirus, firewalls, remote wipe capability. If employees use personal devices, the risks multiply significantly.

Home office security. While you can’t control every aspect of an employee’s home setup, policies addressing physical security of devices and documents, secure Wi-Fi requirements, and screen privacy demonstrate that you’ve considered the remote work threat model.

BYOD Policies and Trade Secret Exposure

Bring-your-own-device (BYOD) programs create one of the most difficult trade secret protection challenges. When employees access proprietary information on personal phones and laptops, the line between corporate and personal data blurs.

The core problem. If an employee leaves and takes their personal device—which contains your trade secret information—recovery becomes complicated. You can’t simply demand return of a personal device the way you can a company-issued laptop.

Mobile Device Management (MDM). MDM solutions allow you to create a secure container on personal devices, separating corporate data from personal data. This enables remote wiping of corporate information without touching personal files—and it demonstrates reasonable measures.

Clear BYOD policies. Written policies should address:
– What types of information can be accessed on personal devices
– Security requirements for personal devices (passcodes, OS updates, encryption)
– The company’s right to remotely wipe corporate data
– Obligations upon termination of employment

Consider the alternative. For roles with access to high-value trade secrets, providing company-owned devices may be more practical and legally defensible than managing BYOD risks.

Incident Response: When Digital Trade Secrets Are Compromised

Despite reasonable precautions, trade secret compromises happen. How you respond matters—both for mitigating damage and for preserving legal claims.

Immediate Steps

1. Preserve evidence. Before anything else, preserve logs, access records, and forensic images of relevant systems. Spoliation of evidence can destroy your legal case.

2. Assess the scope. Determine what information was accessed or taken, by whom, and how. This assessment drives every subsequent decision.

3. Contain the breach. Revoke access credentials, disable accounts, and isolate affected systems. Speed matters—every hour of continued access is additional exposure.

4. Engage forensics. For significant compromises, a digital forensics firm can preserve evidence in a legally defensible manner, trace the full scope of access, and provide testimony if litigation follows.

Legal Response

1. Evaluate claims. Under MUTSA and the DTSA, misappropriation includes both acquisition by improper means and disclosure or use without consent. Your attorney will assess which claims apply and the strength of available evidence.

2. Consider emergency relief. Courts can issue temporary restraining orders and preliminary injunctions to prevent further use or disclosure of misappropriated trade secrets. The DTSA also provides for ex parte seizure orders in extraordinary circumstances.

3. Notify affected parties. Depending on the nature of the information, you may have notification obligations under Minnesota’s data breach notification statute (Minn. Stat. § 325E.61) or other regulatory requirements.

4. Document everything. Maintain a detailed timeline of the incident and your response. This documentation serves dual purposes: guiding your legal strategy and demonstrating to future courts that you take trade secret protection seriously.

Post-Incident Review

1. Conduct a root cause analysis. Understand how the compromise occurred and what controls failed.

2. Update security measures. Implement changes to prevent similar incidents. Courts in future disputes will look at whether you learned from past compromises.

The Intersection of Cybersecurity and Trade Secret Law

Trade secret law and cybersecurity are converging in ways that business owners cannot afford to ignore.

Regulatory expectations are rising. Industry-specific regulations (HIPAA, SOX, state privacy laws) increasingly mandate cybersecurity measures that overlap with trade secret protection requirements. Compliance programs that address both create efficiency and strengthen your legal position.

Courts are becoming more sophisticated. Judges evaluating “reasonable measures” have growing familiarity with cybersecurity concepts. Arguments that would have sufficed a decade ago—”we told employees it was confidential”—are no longer enough when the information is digital.

Insurance considerations. Cyber insurance policies may require specific security measures. Failing to implement required controls can void coverage—leaving you exposed to both the loss of trade secrets and the financial consequences.

The documentation imperative. Courts can only evaluate measures you can prove you implemented. Written security policies, training records, audit logs, and configuration documentation aren’t bureaucratic overhead—they’re the evidence that supports your trade secret claims.

Practical Cybersecurity Checklist for Trade Secret Protection

Use this checklist to evaluate whether your digital trade secret protection would withstand legal scrutiny:

• [ ] Trade secrets are identified and inventoried (you know what you’re protecting)
• [ ] Access is restricted based on role and need-to-know
• [ ] Multi-factor authentication is required for systems containing trade secrets
• [ ] Data is encrypted at rest and in transit
• [ ] Access logs are maintained and periodically reviewed
• [ ] Cloud configurations are audited regularly
• [ ] Remote access requires VPN or zero-trust authentication
• [ ] BYOD policies address trade secret information on personal devices
• [ ] Employee onboarding includes cybersecurity and confidentiality training
• [ ] Exit procedures include access revocation and device return/wipe
• [ ] Vendor agreements include appropriate confidentiality and security terms
• [ ] An incident response plan exists and has been tested
• [ ] Security policies are documented and updated at least annually

No company needs to implement every possible security measure. The standard is reasonableness under the circumstances—but “the circumstances” now include a digital threat environment that evolves constantly.

Frequently Asked Questions

Does using cloud storage weaken my trade secret protection?

Not inherently. Cloud storage can actually strengthen protection through enterprise-grade encryption, access controls, and monitoring that many small and mid-size companies couldn’t afford to build in-house. The key is proper configuration, strong vendor agreements, and maintaining your side of the shared responsibility model. Misconfigured cloud storage—not cloud storage itself—is what creates risk.

What cybersecurity measures are legally required for trade secret protection?

Neither MUTSA nor the DTSA prescribes specific technical requirements. The standard is “reasonable efforts under the circumstances,” which means the measures should be proportional to the value of the information and the risks it faces. A two-person startup has different obligations than a 200-employee company, but both must demonstrate meaningful effort.

Can an employee’s use of personal devices forfeit our trade secret protection?

It can weaken your position if you haven’t addressed it. Allowing employees to access trade secrets on personal devices without any BYOD policy, MDM solution, or contractual restrictions suggests you aren’t treating the information as secret. The solution isn’t necessarily banning personal devices—it’s implementing reasonable controls and documenting them.

What should we do if we discover an employee downloaded trade secrets before leaving?

Act quickly. Preserve all evidence of the download (access logs, forensic images). Revoke the former employee’s access immediately. Engage legal counsel to assess your options, which may include emergency court relief to prevent use or disclosure. Delay weakens both your legal position and your ability to contain the damage.

How often should we update our cybersecurity measures for trade secret protection?

At minimum, review security policies and controls annually. Beyond that, update whenever there’s a material change—new technology deployment, shift to remote work, a security incident, or significant changes in the threat landscape. Courts are more likely to view your measures as reasonable if they reflect current—not outdated—security practices.

Related Articles

• Trade Secrets: Overview and Legal Framework
• What Counts as ‘Reasonable Measures’ to Protect Trade Secrets?
• Does Your Business Actually Protect Its Trade Secrets? How to Find Out
• NDAs That Actually Hold Up: What Minnesota Courts Require

---

For guidance specific to your situation, contact Aaron Hall, attorney for business owners, at aaronhall.com or 612-466-0040.