The Reasonable Secrecy Measures Checklist
The "reasonable measures" courts require to protect a trade secret — a practical checklist of NDAs, access controls, and IT security.
Quick answer: "Reasonable measures" are the security steps the law requires you to take to keep information secret — and they are the single element that decides most trade secret cases. Both the federal Defend Trade Secrets Act (DTSA) and the Uniform Trade Secrets Act require that a trade secret be "the subject of reasonable efforts to keep it secret." In practice that means: NDAs with everyone who touches the information, access limited to those who need it, IT controls like encryption and multi-factor authentication, confidentiality markings, physical security, and onboarding and exit protocols — all of it documented. You do not need perfect security; you need measures reasonable for the value of the secret and the size of your company.
You can have genuinely valuable, genuinely secret information and still lose a trade secret case — if you can’t show a court that you protected it. This checklist turns the abstract “reasonable measures” standard into a concrete list of things to do, sign, configure, and file away.
What does “reasonable measures” actually mean under the law?
Both the Defend Trade Secrets Act of 2016 (DTSA) and the Uniform Trade Secrets Act (UTSA) — adopted in some form by every state except New York, which uses common law — define a trade secret with two requirements: the information has independent economic value because it isn’t generally known, and it is “the subject of efforts that are reasonable under the circumstances to maintain its secrecy” (the federal definition lives in 18 U.S.C. § 1839).
That second phrase is where cases are won and lost. Defendants attack it first, and the argument writes itself: “If it were really a secret, they would have guarded it.” Courts don’t demand airtight security — the standard is explicitly “reasonable,” not “perfect.” But they do demand that you did something deliberate and proportionate.
Two principles shape everything below:
- Reasonableness scales. What’s reasonable for a biotech company guarding a formula worth nine figures is different from what’s reasonable for a five-person startup. The measures should track the value of the information and the size and resources of the company.
- Documentation is the deliverable. A measure you can’t prove you took is, for litigation purposes, a measure you didn’t take. Every item here should leave a paper trail.
For the strategic overview of how this fits into a full protection program, start with the trade secret protection playbook, and to confirm your information even qualifies in the first place, see what qualifies as a trade secret. If you’re still weighing secrecy against filing a patent, compare the two paths in patent vs. trade secret.
Which confidentiality agreements do you actually need?
NDAs are the backbone of the “reasonable measures” showing — not because a statute requires them, but because they are the clearest evidence you put people on notice and treated information as confidential. A durable program layers several agreements so that everyone who can see the secret is contractually bound to protect it:
- Employee confidentiality and invention-assignment agreements, signed at hire. These do double duty: they impose secrecy obligations and assign ownership of what employees create so there’s no dispute over who owns the secret.
- Contractor and freelancer NDAs, since the people who often touch your most sensitive material — developers, designers, consultants — aren’t on payroll.
- Vendor and supplier NDAs, especially for anyone in your manufacturing or data-handling chain.
- Mutual NDAs before sharing anything with prospective partners, investors, or acquirers during diligence.
A common, costly mistake is relying on a vague, overbroad NDA a court later refuses to enforce, or one that never defines the confidential information clearly. Definitions, duration, and permitted-use clauses all matter. See the NDA that holds up for what separates an enforceable agreement from decorative boilerplate.
One caution: an NDA is not a non-compete, and the two are treated very differently — in California, most non-competes are void under Business and Professions Code section 16600, while confidentiality agreements remain fully enforceable. Don’t let a bundled non-compete clause sink your NDA.
How do you limit access on a need-to-know basis?
The fastest way to lose the “reasonable measures” argument is for a defendant to prove that anyone in the company could open the file. Need-to-know access is the principle that people should only be able to reach information their job actually requires.
The checklist:
- Map your secrets. You can’t restrict what you haven’t identified. Keep an inventory of what your trade secrets are and where they live.
- Segment access by role. Not every engineer needs the master formula; not every salesperson needs the full pricing model. Grant access to specific folders, repositories, and systems by role.
- Restrict, don’t just trust. Use permissions and access controls so restriction is technically enforced, not merely a policy people are asked to honor.
- Log who accessed what, and when. Access logs are gold in litigation — they let you show both that access was limited and, later, exactly what a departing employee touched.
- Review access periodically. Revoke it when a project ends or a role changes, not just when someone leaves.
Compartmentalization also limits the blast radius: if no single person can see the whole secret, no single person can walk out with it.
What IT and technical controls do courts expect?
Technical security is where “reasonable” has climbed steadily. In 2026, a program that ignores basic cybersecurity looks unreasonable on its face. The baseline:
- Encryption of sensitive data both at rest and in transit.
- Multi-factor authentication (MFA) on systems that hold trade secrets — passwords alone are no longer treated as sufficient for genuinely sensitive material.
- Access logging and monitoring, so you can detect and later prove unusual access or bulk downloads.
- Restricted or blocked exfiltration paths — controls on USB drives, personal cloud storage, and mass email of files where feasible.
- Device management on laptops and phones, including the ability to wipe or disable a lost or former employee’s device.
- Network segmentation and strong passwords, plus prompt patching of the systems that store secrets.
You don’t need an enterprise security operations center. You do need to show you used the ordinary, available tools a company your size would be expected to use. When your program noticeably lags common practice, that gap becomes the defendant’s best exhibit.
Do confidentiality markings and physical security still matter?
Yes — and they’re among the cheapest, highest-leverage measures you can take.
Confidentiality markings. Labeling documents, files, and folders “Confidential” or “Trade Secret” removes ambiguity about what you consider protected and is heavily weighted by courts. The absence of marking is a favorite defense argument. But mark selectively: if you stamp every routine memo “Confidential,” the designation becomes meaningless and a defendant will argue you had no real system. Reserve it for material that genuinely qualifies.
Physical security. Digital-first companies forget that secrets still live in physical space:
- Locked offices, labs, file cabinets, and server rooms.
- Visitor controls — sign-in logs, badges, escorts, and no unsupervised access to sensitive areas.
- Clean-desk practices and secure disposal (shredding) of printed sensitive material.
- Restricted photography in labs or manufacturing areas where a phone camera is the whole threat model.
How do onboarding and exit protocols protect secrets?
Most trade secret loss isn’t espionage — it’s ordinary employee mobility. Someone joins from a competitor and brings tainted material, or leaves for one and takes files or knowledge with them. Your onboarding and offboarding are where you manage both risks.
Onboarding:
- Have new hires sign confidentiality and invention-assignment agreements before they get access.
- Get written confirmation that they are not bringing anyone else’s confidential information — this protects you from a poisoned-hire misappropriation claim.
- Train them on what your trade secrets are and how to handle them, and keep the sign-off.
Exit:
- Conduct an exit interview that reminds the person, in writing, of their continuing confidentiality obligations.
- Recover devices and credentials, and disable all access immediately — accounts, VPN, cloud, repositories, and building access.
- Preserve the departing person’s access and download logs before wiping anything, in case a dispute follows.
This lifecycle is involved enough to warrant its own deep dive — see protecting trade secrets when employees leave, which also covers the jurisdiction-specific “inevitable disclosure” doctrine (which California rejects).
What about vendors, contractors, and the cloud?
Your secrets are only as protected as the weakest third party who can see them. Vendor and cloud diligence is now a standard part of a reasonable program:
- Bind every vendor and contractor with confidentiality and IP-assignment terms before sharing anything.
- Limit what any single supplier can see — split a manufacturing process across vendors so none holds the whole picture.
- Vet your cloud and SaaS providers’ security terms, and confirm the data-protection and confidentiality obligations in their contracts.
- Get local-law advice for offshore vendors, since trade secret enforcement varies widely abroad and cross-border theft is far harder to remedy. Our guide on protecting IP when you manufacture overseas covers the supply-chain side.
Treat every external integration as a place your secret can leak, and paper it accordingly.
Why is documentation the measure that ties it all together?
Here’s the trap that catches careful companies: they do take reasonable measures but can’t prove it when it counts. In litigation, you must show a judge the concrete steps you took before the theft — not narrate them afterward. Build the record as you go:
- Signed NDAs and invention-assignment agreements, organized and retrievable.
- Written confidentiality policies and an employee handbook section on trade secrets.
- Training records and acknowledgment sign-offs.
- Access logs and records of who could see what, and when.
- Onboarding and exit checklists, completed and dated.
- A dated trade secret inventory showing what you identified and protected.
To see how courts weigh the presence — or absence — of these measures in real disputes, browse our trade secret case analysis archive. The pattern is consistent: plaintiffs with a documented program win the “reasonable measures” fight; those relying on “we were always careful” tend to lose it.
The bottom line
Reasonable secrecy measures are not a formality — they are the element that most often decides whether you have a trade secret at all. The good news is that the standard is achievable: it scales to your size and resources, and no single item on this list is expensive. Bind everyone who touches the secret with an NDA, limit access to who truly needs it, layer in modern IT controls, mark what’s confidential, lock down the physical and vendor edges, manage the employee lifecycle, and — above all — document every step as you take it. Do that, and when someone walks off with your most valuable information, the law gives you real teeth. Skip it, and you may discover you never had a protectable secret in the first place.
This guide is general education, not legal advice, and does not create an attorney-client relationship. What counts as “reasonable” secrecy depends on your specific facts and your state’s law — consult an attorney licensed in your jurisdiction before acting.
Frequently asked questions
What are 'reasonable measures' to protect a trade secret?
Reasonable measures are the security steps courts require you to take to keep information secret under both the Defend Trade Secrets Act and the Uniform Trade Secrets Act. They include NDAs with everyone who touches the information, need-to-know access controls, IT security like encryption and multi-factor authentication, confidentiality markings, physical security, and onboarding and exit protocols. The law does not require perfect security — only measures reasonable under the circumstances, given the information's value and your company's size.
Does a small startup have to take the same security steps as a big company?
No. The 'reasonable measures' standard scales with your resources and the value of the secret. Courts do not expect a five-person startup to run a Fortune 500 security operation. A small company can satisfy the standard with signed NDAs, restricted file access, password and multi-factor protection, and confidentiality markings. What courts punish is doing effectively nothing — sharing sensitive files openly, skipping agreements, and never limiting access.
Do I have to mark documents 'Confidential' to protect a trade secret?
It is not strictly required, but marking is powerful evidence and cheap to do. Labeling documents, files, and folders 'Confidential' removes any ambiguity about what you consider protected and shows you treated the information as a secret. Courts weigh marking heavily, and its absence is a favorite argument for defendants. Mark selectively, though — if you stamp everything 'Confidential,' the label loses meaning and can undercut you.
How do I prove I took reasonable measures if I get sued?
Documentation. Keep signed NDAs and invention-assignment agreements, access logs, records of who could see what and when, confidentiality policies, training sign-offs, and exit-interview checklists. When a dispute arises, you must show a judge the concrete steps you took before the theft, not describe them after the fact. Undocumented 'we were careful' claims routinely fail, so build the paper trail as you go, not in a crisis.