Trade secret protection is the only form of intellectual property you earn by effort rather than by registration. There is no certificate to wave at a court. Under the Defend Trade Secrets Act (DTSA), 18 U.S.C. § 1839(3), and the Uniform Trade Secrets Act (UTSA) adopted in every state but New York, information is a protectable trade secret only if it (1) derives independent economic value from not being generally known and (2) is the subject of "reasonable measures" to keep it secret. The entire burden of proving that second element falls on the owner's conduct — which means a protection program is, in the end, the manufacture of evidence you hope you never have to use.
This checklist tells you how to build that program. It is written so a founder, an in-house lawyer, and a judge can all follow it. Use it alongside our companion article "Protection of trade secrets" for the underlying doctrine and "Building a trade secret protection program from scratch" for the narrative deep dive. For the audit discipline specifically, see the "Trade secret audit checklist."
A word on proportionality before you begin: "reasonable under the circumstances" scales with your size and the value of the secret. A four-person startup is not held to a Fortune 500 standard. The point is not perfect security — which is impossible — but demonstrable, proportionate effort.
Phase 1: Identify and inventory what you actually have
- Convene the people who know where the secrets live — R&D, engineering, sales operations, finance, and IT — because no single team knows the full portfolio.
- For each candidate secret, ask the three diagnostic questions: What would help a competitor? What did we invest heavily to develop? What would be costly for an outsider to recreate?
- Catalog technical secrets (formulas, processes, source code, algorithms, architectures), including negative know-how — the approaches that failed, which have value precisely because they save a rival the same dead ends.
- Catalog business secrets (curated customer lists with non-public preferences and contacts, pricing and cost structures, strategic plans, supplier terms).
- For each item, record what it is, where it lives (physically and electronically), who can access it, why it has value, and what agreements already govern it.
- Capture a rough value note for each crown jewel (e.g., "~18 person-months to develop; sustains ~15% price premium") — it doubles as evidence of "independent economic value" and the seed of a damages theory.
- Exclude information that is generally known, readily ascertainable, or lacking real value. Over-claiming is worse than useless.
Why this matters. You cannot protect what you have not identified, and federal courts require a trade secret plaintiff to identify its secrets with specificity rather than gesturing at "all confidential business information"; vague pleading draws dismissal under Twombly and Iqbal. A peacetime inventory is the document that later lets you describe the secret "with sufficient specificity" without further exposing it. Customer lists deserve special caution: a list anyone could pull from a directory is not a secret, but a compilation that took time and expertise and confers value over the raw public data can be — AirFacts, Inc. v. de Amezaga, 909 F.3d 84 (4th Cir. 2018).
Common mistakes. Skipping the inventory entirely; claiming everything is a secret (which persuades a court nothing was treated as one); and letting the inventory go stale so it points investigators at the wrong systems.
Phase 2: Build the three layers of security
Physical security
- Control access to labs, prototype areas, and any space where a secret process is performed; log and escort visitors.
- Adopt clean-desk practices, locked storage, conspicuous "Confidential" marking, and shredding rather than discarding.
- On the factory floor, compartmentalize a visible process so no single person sees the whole, and route plant tours away from sensitive areas.
- Before installing biometric access (fingerprint/retina), confirm compliance with state biometric-privacy statutes such as Illinois's BIPA.
Technical security
- Apply least privilege: restrict crown-jewel repositories to the handful of people who actually work on them, not the whole team.
- Require authentication (ideally multifactor) and enable logging that records who accessed what and when — these logs are the single most persuasive evidence in most departure cases.
- Encrypt data at rest and in transit; enforce full-disk encryption on every device that touches a secret.
- Deploy network controls (firewalls, segmentation) and data-loss-prevention tools that flag confidential files emailed externally or copied to removable media.
- Disable USB ports on machines that touch the most sensitive repositories where feasible.
- Reclaim company data from personal devices and never leave valuable information on devices you do not control.
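The least-privilege and logging items above can be checked against the Phase 1 inventory. The following is an added example, not part of the original checklist: it compares access-log entries with each asset's documented need-to-know list and surfaces the departure-case evidence this checklist names (bulk downloads and deletions). The log format, asset names, user names, and the bulk threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed inventory (assumed format): asset -> documented need-to-know holders.
INVENTORY = {
    "repo/pricing-model": {"alice", "bob"},
    "repo/formulation-x": {"carol"},
}

# Constructed access log (assumed format): timestamp user action asset object
LOG = """\
2024-03-04T09:12:00 alice read repo/pricing-model model.py
2024-03-04T09:40:00 dave read repo/pricing-model model.py
2024-03-08T22:01:00 bob download repo/pricing-model costs.xlsx
2024-03-08T22:02:00 bob download repo/pricing-model margins.xlsx
2024-03-08T22:03:00 bob download repo/pricing-model model.py
2024-03-08T22:05:00 bob delete repo/pricing-model notes.md
2024-03-09T10:00:00 carol read repo/formulation-x batch.csv
"""

def parse(log_text):
    """Yield (timestamp, user, action, asset, object) for well-formed lines."""
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)  # object names may contain spaces
        if len(parts) != 5:
            continue  # skip malformed lines rather than guess at fields
        ts, user, action, asset, obj = parts
        yield datetime.fromisoformat(ts), user, action, asset, obj

def review(log_text, inventory, bulk_threshold=3):
    """Flag access outside need-to-know, same-day bulk downloads, and deletions."""
    unauthorized, deletions = [], []
    downloads = defaultdict(set)  # (user, asset, day) -> distinct objects pulled
    for ts, user, action, asset, obj in parse(log_text):
        if asset not in inventory:
            continue  # only inventoried secrets are in scope
        if user not in inventory[asset]:
            unauthorized.append((ts.isoformat(), user, asset, obj))
        if action == "download":
            downloads[(user, asset, ts.date().isoformat())].add(obj)
        elif action == "delete":
            deletions.append((ts.isoformat(), user, asset, obj))
    bulk = {k: sorted(v) for k, v in downloads.items() if len(v) >= bulk_threshold}
    return {"unauthorized": unauthorized, "bulk_downloads": bulk, "deletions": deletions}

if __name__ == "__main__":
    for kind, hits in review(LOG, INVENTORY).items():
        print(kind, hits)
```

An "unauthorized" hit means either the access control or the inventory's holder list is wrong; both are worth fixing before the record is ever needed as evidence.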
Administrative security
- Adopt a written trade secret policy that defines confidential information, sets classification levels, specifies handling rules, and states consequences.
- Implement a tiered classification system (e.g., public / internal / confidential / restricted) with handling, storage, transmission, and disposal rules for each tier.
- Apply the "need-to-know" principle so every additional holder is a deliberate choice, not an accident.
- Confine confidentiality policies to genuine proprietary business, customer, and vendor information and add an NLRA savings clause so the policy does not collide with employees' Section 7 rights.
Why this matters. No single layer suffices; each compensates for the others' gaps. Courts bracket the spectrum sharply. In Abrasic 90 Inc. v. Weldcote Metals, Inc., 364 F. Supp. 3d 888 (N.D. Ill. 2019), the plaintiff lost a preliminary injunction because it had done "virtually nothing" — no NDAs, no access limits. In Yellowfin Yachts, Inc. v. Barker Boatworks, LLC, 898 F.3d 1279 (11th Cir. 2018), the employer failed the reasonable-measures test even with a password-protected network, because it encouraged storage on a personal device, never marked the information confidential, and never got a confidentiality agreement. The difference between winning and losing is rarely the value of the information — it is the paperwork and the discipline.
Phase 3: Layer contracts on top of the statutes
- Have every employee sign a confidentiality agreement at the start of employment, before any secrets are shared (the employment relationship supplies consideration).
- For mid-employment rollouts, pair the agreement with genuine new consideration (bonus, raise, equity) and document it.
- Have every employee sign an invention assignment agreement using present-tense "hereby assigns" language; respect state carve-outs (e.g., Cal. Lab. Code § 2870). See the "Drafting a nondisclosure agreement checklist" and the "Employee departure trade secret protection checklist."
- Include the Section 1833(b) whistleblower-immunity notice in every agreement (employee and contractor) that governs the use of a trade secret or confidential information, entered into or amended after May 11, 2016. You may cross-reference a policy that contains it — but for contractors who cannot see internal policies, put the notice in the contract itself.
- Bind third parties — customers, suppliers, partners — with confidentiality terms (mutual NDAs where both sides disclose) before sharing anything.
- Treat non-competes as a fragile, state-law-dependent supplement, never the foundation; prefer non-solicitation agreements, which hold up even in non-compete-hostile states.
Why this matters. Contracts both reach information that fails the statutory test and themselves count as evidence of reasonable measures. The Section 1833(b) notice is the cheapest insurance in trade secret law: omit it, and you "may not be awarded exemplary damages or attorney fees" under the DTSA against an employee who never received it — 18 U.S.C. § 1833(b)(3)(C); Xoran Holdings LLC v. Luick, 2017 WL 4039178 (E.D. Mich. 2017). Sharing a secret with a third party under no confidentiality obligation can extinguish it outright — Farmers' Edge Inc. v. Farmobile, LLC, 970 F.3d 1027 (8th Cir. 2020). And the FTC's nationwide non-compete ban is dead (vacated in Ryan LLC v. FTC and removed from the C.F.R. in early 2026), so non-compete enforceability is now governed entirely by widely varying state law — see "Non-compete agreements under siege."
Phase 4: Make the people the strongest layer
- Train new hires on what trade secrets are, your specific policies, how to identify and handle confidential information, and the consequences of violations — and capture a signed acknowledgment.
- Deliver role-specific training: depth on technical secrets and publication risk for R&D; permissible-use guidance for sales; security training for IT.
- On hiring from a competitor, ask candidates to identify prior-employer agreements and instruct them, in writing, not to bring or use any former employer's confidential materials.
- Build a culture where protecting confidential information is part of everyone's job, signaled by leadership emphasis and consistent enforcement.
Why this matters. Courts assessing "reasonable measures" routinely ask whether the company trained its workforce, and a documented program with signed acknowledgments turns a close case. Hiring carelessly can also drag you into a misappropriation suit as a defendant; the Apple Inc. v. Rivos litigation shows that a written instruction not to bring a prior employer's secrets can be case-dispositive.
Phase 5: Keep the program alive
- Run a trade secret audit at least annually and after major changes (a fundraise, an acquisition, a shift to remote work).
- Keep the inventory a living document; add new secrets, retire disclosed or obsolete ones, and update access lists as people change roles.
- Track changes in law (non-compete developments, NLRA guidance, new biometric/privacy statutes), in technology (new collaboration and storage platforms), and in peer practice.
- Benchmark against what competitors and courts treat as reasonable, since "reasonable under the circumstances" is a moving target.
Why this matters. A policy honored only on paper is worse than none, because it advertises the gap between what you claimed and what you did. The remote-work dimension is now central; see "Trade secrets in the age of remote work and cloud computing."
Common mistakes (program-wide)
- Treating protection as a one-time project rather than a continuous program.
- Relying on a non-compete as the secrecy plan instead of access controls, contracts, and enforcement.
- Forgetting the Section 1833(b) notice in offer letters and contractor agreements.
- Letting valuable information live on unmanaged personal devices and never reclaiming it.
- Building departure strategy on the inevitable-disclosure doctrine, which is unavailable or narrow in many states, instead of on documentary proof (access logs, bulk downloads, deletions).
Primary authority
- Defend Trade Secrets Act, 18 U.S.C. §§ 1836–1839 — civil cause of action (§ 1836(b)); definition and "reasonable measures" (§ 1839(3)); whistleblower immunity and notice (§ 1833(b)); ex parte seizure (§ 1836(b)(2)); remedies (§ 1836(b)(3)).
- Uniform Trade Secrets Act §§ 1, 3–5 (adopted in every state but New York).
- Economic Espionage Act, 18 U.S.C. §§ 1831–1832 (criminal track).
- Key cases: Yellowfin Yachts v. Barker Boatworks, 898 F.3d 1279 (11th Cir. 2018); Abrasic 90 v. Weldcote Metals, 364 F. Supp. 3d 888 (N.D. Ill. 2019); Farmers' Edge v. Farmobile, 970 F.3d 1027 (8th Cir. 2020); AirFacts v. de Amezaga, 909 F.3d 84 (4th Cir. 2018); Xoran Holdings v. Luick, 2017 WL 4039178 (E.D. Mich. 2017).
Related resources
- Protection of trade secrets
- Building a trade secret protection program from scratch
- Trade secret audit checklist
- Drafting a nondisclosure agreement checklist
- Employee departure trade secret protection checklist
- Trade secret cybersecurity incident response checklist
- Trade secrets in the age of remote work and cloud computing
- Employee invention assignment agreements
- Non-compete agreements under siege
- Trade secret protection toolkit
This checklist is for general informational purposes only and does not constitute legal advice or create an attorney-client relationship. Trade secret and employment law vary by jurisdiction and continue to evolve. Consult qualified counsel about your specific circumstances before acting.