Are IT Employees Your Weakest Link?

This morning, I read this article about how an IT worker at an investment-management firm tried to frame one of his co-workers:

Back in September 2013, executives at a well-known Coral Gables investment management firm got a shocking e-mail from a tech employee demanding to be promoted.

Jeffrey Bau threatened to leak “sensitive information” that would spur clients to “withdraw” their business from Bayview Asset Management.

But Coral Gables police detectives say Bau never sent the e-mail – in fact, it was a former co-worker scheming to frame Bau.

It’s not clear what motivated the IT worker. But he was sloppy. According to the article, he used his credit card to pay for the VPN connection he used to send the email.

While it sounds like the company’s sensitive information was not actually at risk, this article highlights a major security problem when it comes to protecting proprietary information: your IT employees/consultants.

These employees typically have complete access to your servers, including all proprietary information and trade secrets stored there. Thus, these employees have a unique ability to cause damage.

I litigated a case dealing with this issue. One of my client’s disgruntled IT employees downloaded a huge amount of customer data, including sensitive personal information, to a hard drive. He then threatened to make that info public. Although we were able to obtain an ex parte injunction and recover the hard drive before any damage was done, it was a harrowing experience for the client.

It is critical that your company implements protections to mitigate the risk that these employees will abuse their power to your detriment. For example, all IT employees or consultants should, at a minimum, sign a confidentiality agreement.

The confidentiality agreement you are using for other employees may not work for your IT employees. Consult with a lawyer who can help decide whether the IT employees’ agreements need to be altered in light of the unique access that IT employees have. Consider putting in a liquidated damages provision for unauthorized disclosure of any company information.

By the way, you may have noticed that I haven’t posted in a few weeks. I’ve been dealing with multiple evidentiary hearings, including for an emergency injunction. since I last posted. This hasn’t left me with much time for blogging. Hopefully, I’ll be posting more frequently starting soon.

Professors Invent Threat of “Trade Secret Trolls”

I’ve written several times in the past about the proposed legislation to create a federal cause of action for trade-secrets misappropriation (see herehere, and here). I also wrote a response to a letter signed by a number of professors who opposed this legislation. Now, Professors David S. Levine and Sharon K. Sandeen have written a law review article titled “Here Come the Trade Secret Trolls.” This article misses the mark by a mile.

Here is the article’s core argument:

The [proposed federal] Acts are most likely to spawn a new intellectual property predator: the heretofore unknown “trade secret troll,” an alleged trade secret owning entity that uses broad trade secret law to exact rents via dubious threats of litigation directed at unsuspecting defendants.

The use of the term “troll” is meant to evoke patent trolls, who have been the subject of much scorn. But the so-called “trade secret troll” is far different than a patent troll. The latter actually own patent rights, which they wield to seek licensing fees. The article’s mythical trade-secret troll is simply someone willing to bring a frivolous lawsuit to extort an undeserved settlement. I suspect the authors chose this term to piggyback on the negative attention heaped on patent trolls, thereby arming the legislation’s opponents with a pejorative term that may scare legislators or their constituents.

Putting titles aside, the article can’t reconcile its core argument with the fact that, as the authors acknowledge, “trade secrecy has been generally free of similar trolling behavior.” In other words, there is no epidemic of frivolous trade-secret lawsuits under the current state-law framework. (Certainly, there are weak misappropriation cases, just like with any cause of action. But I haven’t seen any evidence to suggest that such cases are disproportionately filed.)

The authors try to make the point that the proposed federal acts would transform trade-secrets law such that threatening and filing frivolous lawsuits would become commonplace. Yet the article does not really explain why this is so. It gets closest when discussing the proposed ex parte seizure provisions. But as I mentioned in my response to the professors’ letter, this risk is highly overblown. Convincing a federal judge to enter ex parte relief is no simple matter. And the defendant will have the right to challenge any seizure order very soon after its entry. Federal judges will not be amused if they have been manipulated into entering unnecessary ex parte orders.

The article fears that “trolls” will be able to threaten an ex parte seizure, which will be sufficient to scare a defendant into paying up before the suit is filed. Yet any innocent defendant will know that the likelihood of such an order being entered is slim. Further, simply sending the letter would undermine an attempt to get an ex parte seizure order. If the plaintiff was able to send a demand letter, thereby putting the defendant on notice of the possible claim, then a judge would be highly skeptical of a claimed need for an ex parte order.

The article also argues that unsettled interpretative questions relating to the acts will fuel frivolous lawsuits. But the article forgets that creating a federal cause of action will quickly lead to a much more robust body of published caselaw interpreting the statute. While there are very few published trial-court-level decisions in state courts, U.S. district court orders are widely available.

Frankly, state courts are much more susceptible to frivolous trade-secrets suits than federal courts. Take Florida, for example. Here, state court judges have to deal with remarkably bloated dockets. In fact, I’ve had multiple cases where it took months to get an emergency injunction hearing. State-court judges generally don’t have law clerks. And in Florida, judges often rotate between civil, criminal, family, and dependency divisions. This latter point is critical: judges often don’t spend enough time in the civil division to develop a familiarity with trade-secrets law. All of these issues lead to uncertainty, which would seemingly aid the unscrupulous litigant looking to extort a settlement. Yet, as the authors themselves acknowledge, we simply have not seen this so-called trolling.

There’s no question that frivolous lawsuits would be filed under the proposed federal legislation, just as like every other cause of action. But there is absolutely no credible reason to believe that such suits can’t be remedied with the typical mechanisms deigned to ferret out meritless claims, like Rule 11 motions.

As I’ve argued in the past, the proposed legislation has tangible benefits that aid trade-secrets owners in protecting their critical proprietary information. The arguments lobbed up in opposition—including the manufactured risk of “trolling”—don’t hold up to careful scrutiny.

2-Minute Jimmy Kimmel Clip Shows Our Cybersecurity Culture Crisis

This video speaks volumes about our country’s attitudes towards cybersecurity:

Last week, I wrote about the importance of creating a culture that makes protection of trade secrets a top-line priority. This video shows why this culture is so important. Your employees need to be constantly aware of surreptitious attempts to get passwords. Spear phishing attacks are becoming more and more sophisticated; your employees need to be immediately suspicious of any attempt to get personal information, particularly passwords.

In the real world, bad actors are far more subtle than a Jimmy Kimmel reporter with a microphone and a video camera. The fact that people are willing to turn over their passwords on TV shows—particularly now, when cybersecurity issues have never been more visible—is depressing. Make sure your employees know better.

Trade Secrets Best Practices: Exit Interviews

This is the next in a series of posts addressing best practices for protecting trade secrets and proprietary information. Today’s topic: exit interviews, which can be a powerful tool to avoid, or at least anticipate, unwanted disclosure.

An exit interview is exactly what it sounds like. When an employee is leaving your company, you have someone meet with him to discuss various aspects of his departure. There are several goals: remind the employee of his legal obligations; make sure he has returned all company information, documents, and devices; and gather intelligence about his next job to determine the risk of unwanted disclosure.

The key is to have a set process that is automatically followed each time an employee leaves. Depending on the size and structure of your company, a single person or department should be responsible for conducting the interviews. That person should work from a checklist that includes all topics that must be discussed. To develop this process, consult with an attorney who specializes in trade-secrets issues who can help customize it to fit your company’s needs.

The checklist should include, at a minimum, the following:

Review of restrictive covenants and related agreements: Give the employee copies of any agreements he signed and remind him of specific noncompete, nonsolicitation, nondisclosure, and related obligations.

Review of non-contractual legal obligations: Remind the employee of his ongoing legal obligations to, for example, keep certain information confidential. The applicable laws vary state-by-state, so make sure to consult with an attorney familiar with your state’s laws.

Review inventory of all company devices: Hopefully, you are keeping an inventory of all company devices issued to the employee. Go through this inventory and make sure he has returned all of these devices.

Company information and documents: Ask whether the employee has any hard-copy documents or electronically stored information on his personal computer, devices, and storage medium. If he does, give a set date for him to return or destroy the documents/information.

Sign acknowledgment: Have the employee sign an acknowledgment form that confirms he is aware of his legal obligations, has returned all company devices, and returned or destroyed all company documents/information.

Gather information: Ask the employee where he will be working next, and in what capacity. Also make sure you have the employee’s updated contact information.

Additionally, prior to the interview, you should work with your IT department to see if the departing employee recently accessed or used trade-secret information, particularly in an out-of-the-ordinary manner. If so, consult with an attorney, since it may be advisable to address this issue with the employee during the exit interview.

Often, this process will allow you to handicap the risk that the departing employee will illegally use your trade secrets and proprietary information. For example, be wary of an employee who refuses to tell you where he will be working next. Or an employee who refuses to attend the exit interview. In cases where you suspect something is amiss, consult with an attorney right away, since time is of the essence in these cases.

Again, there is no one-size-fits-all approach to exit interviews. Speak with with an attorney to develop the process that best fits your company’s needs.

The One Question All Trade-Secret Owners Must Ask In 2015

Happy_New_Year_2015

It seems like threats to trade secrets and proprietary information are increasing exponentially. News reports of large-scale data thefts have become an almost daily occurrence. And employees are more likely to switch jobs, taking your proprietary information with them. Meanwhile, technology has increased the risk of inadvertent disclosure, since most employees are walking around with critical business information on their smartphones.

This leads to the question all trade-secrets owners must ask: What am I doing to create a culture of protection at my company?

Company culture comes up in a lot of settings, but not often enough in the context of protecting trade secrets. Since your employees are on the front lines, working with your trade secrets, they need to have protection at the front of their minds.

It is not easy to create a culture of protection. It takes a clear strategy, implemented consistently over time. It must start when employees are hired, with trade-secrets training included in the onboarding process. But training is nowhere near enough.

Trade-secret protection needs to be a part of every employee’s daily routine. The goal is to build habits that decrease the risk of disclosure. For example, employees need to lock their computers every time they leave. They need to be aware of and on the lookout for spear phishing scams. And they need to know exactly how to handle documents containing trade secrets or other critical proprietary information.

At the risk of sounding like a speaker at a corporate retreat, culture starts at the top. Employees need to hear from your company’s most senior executives that trade-secret protection is one of everyone’s core job responsibilities.

The new year provides an excellent opportunity to consider your company’s culture of protection. This culture has never been more important. If your company falls short, now is the time to make changes. If you do not have a formal trade-secrets policy, speak to an attorney to implement one.

Happy new year, everyone.

Guest Post: Proving Damages in Trade-Secrets Cases

By Solomon Genet

Proving damages can be difficult in a wide range of cases, often especially so in a trade-secrets case. In a recent Federal appellate decision, the 5th Circuit (painfully for the plaintiffs) identified some of the risks involved. A link to the decision, In re Mandel, 2014 WL 3973479 (5th Cir. Aug. 15, 2014), is below.

Here, two individuals, an IP lawyer and a database expert, came together through a joint-venture entity to develop what they conceived to be a new type of search-engine. This JV hired personnel, retained a development team, and searched for investors.  The relationship then went sour, with misrepresentations made, one partner forming a competing company without disclosing it to the other partner, and that new company raising investor funds.  Suits, counter-suits, and a bankruptcy petition followed.

Later, the bankruptcy court presided over a trial as to whether the chapter 11 debtor (before filing for bankruptcy) misappropriated trade secrets under Texas law.  While finding that the debtor-defendant was liable, the court rejected each of the plaintiffs’ damages theories (they proposed a number of them).  But then, the bankruptcy court awarded damages—$1 Million to one plaintiff and $400k to another—“without explaining the damages theory on which it relied or identifying the evidence that supported these awards.”

Although the Fifth Circuit stated that in trade-secret misappropriation cases: (1) damages need not be proved with great specificity; (2) a flexible damages approach is appropriate; (3) uncertainty as to damages does not preclude recovery; and (4) only an approximation is needed, as long as there is a just and reasonable inference in support; it held that since the trial / bankruptcy court neither identified the theory of damages nor explained the evidentiary support for the amounts awarded, even this relaxed standard was not satisfied. The Fifth Circuit remanded back to the bankruptcy court to clarify the damages issue.

Accordingly, as a practice pointer, a plaintiff harmed by trade-secret misappropriation should ensure that the court identifies how it arrived to the amount of damage suffered, and not just identify the amount of monetary damage.

Note: this decision applied Texas common law, which has since been superseded by Texas’ adoption of the Uniform Trade Secrets Act.

Solomon Genet is a partner at Meland Russin & Budwick, P.A. in Miami, FL. He specializes in complex commercial litigation, business insolvency, and financial-fraud-related matters in the State and Federal courts.

In re: Mandel

“Shark Tank” Shouldn’t Forget About Trade Secrets

I recently started watching Shark Tank on CNBC. For those who haven’t seen it, the concept is simple: entrepreneurs pitch “sharks”—prominent wealthy investors like Mark Cuban—in an effort to win funding, usually in exchange for equity in the company.

In the episodes I’ve seen thus far, many of the entrepreneurs are pitching companies that sell a single product. Inevitably, the sharks ask whether the company holds a patent. For those products that can be reverse engineered, that’s obviously a critical question. But I’ve noticed that the sharks don’t ask about trade secrets.

For example, I watched one episode where the entrepreneurs sold a disposable, single-use wipe that was designed to clean heavy grease. It was similar to the wet naps you get at a BBQ restaurant. They pitched it as a product to keep in your car. One of the sharks, “Mr. Wonderful,” wanted to know if they had a patent. When they said they did not, Mr. Wonderful decided not to invest.

Even without a patent, this company could have valuable trade secrets. For example, the wipes used concentrated citrus oil. It’s entirely possible that the company’s oil formula could be protected as a trade secret.

Companies need to be aware whether their proprietary information can qualify as a trade secret. That way, the company can take the actions necessary to protect that information. And when trying to raise funding, those trade secrets can be featured, alongside (or in lieu of) the company’s patents. Of course, make sure that the potential investors sign a nondisclosure agreement before providing them with nonpublic details about the trade secrets.

AZ Supreme Court: Trade Secrets Act Does Not Preempt Claims for Misappropriation of Confidential Info

I’ve previously written about the Uniform Trade Secrets Act’s (UTSA) preemption provision, which preempts tort and other claims providing civil remedies for trade-secret misappropriation. Yesterday, the Arizona Supreme Court held that the Arizona Trade Secrets Act (ATSA), which is based on the UTSA, does not preempt common-law claims for misappropriation of information that is not a trade secret.

In this case, the former president of a public relations firm was sued by that firm when she left to start a competing PR firm. The plaintiff PR firm brought a claim for unfair competition, which was based on the use of confidential information the defendant learned while working for the plaintiff. The trial court dismissed the claim, finding that the ATSA preempts claims arising from the misuse of confidential information, even where the information does not rise to the level of a trade secret.

The Arizona Supreme Court disagreed, relying primarily on the plain language of the ATSA. The court did acknowledge the fact that other states have held that these types of claims are preempted. In states where misappropriation claims based on non-trade-secret confidential information are viable, it is often advisable to bring both a trade-secrets misappropriation claim and an alternative (or independent) claim for misappropriation or conversion of confidential information.

This case contains one other point of note. The defendant argued that allowing claims for misappropriation of confidential information would result in an “absurd” result. She noted that a plaintiff could obtain more in punitive damages on the misappropriation claim than it could on an ATSA claim, which allows for exemplary damages of twice actual damages where the misappropriation is willful and malicious.

In response, the court offered very helpful language to a plaintiff seeking to prove exemplary damages under the ATSA:

That AUTSA authorizes a trial court, rather than a jury, to award exemplary damages of no more than twice the amount of actual damages . . . is not necessarily anomalous. In cases of willful and malicious misappropriation, punitive damages might be easier to obtain under AUTSA than under our common law, which requires clear and convincing evidence of a defendant’s “evil mind” for a punitive damages.

Since many misappropriation of trade secrets are based on willful conduct, this case may be worth citing when seeking exemplary damages.

 

Trade Secrets Summit — December 4-5, 2014

The American Intellectual Property Law Association’s Trade Secrets Committee will be presenting its Trade Secrets Summit this December 4-5, at Intel’s headquarters in Santa Clara, CA.

The Summit features a number of very interesting presentations, from judges, prosecutors/FBI agents, professors, and in-house and outside counsel. I will be moderating a panel debating whether Congress should pass a federal cause of action for trade-secrets misappropriation.

Registration costs $350 for AIPLA members and $695 for non-members, with discounts offered for in-house and governmental attorneys, and students. This includes 13 hours of CLE credits.

Sign up here. I hope to see many of you there!

 

Best Practices for Protecting Trade Secrets: Categories of Employee Contracts

This is the first in a series of posts addressing best practices for protecting trade secrets. I’m starting with employee/independent contractor contracts, which are one of the most important and effective ways to protect proprietary information.

Contracts are critical for multiple reasons. First, they inform your employees of their legal responsibilities. Second, it’s generally easier to prosecute a breach-of-contract claim instead of relying solely on a trade-secrets misappropriation claim. Third, a competitor that hires your former employee may be more likely to cut ties with that employee when presented with a cease-and-desist letter attaching a contract. Finally, requiring these types of agreements can help you win a misappropriation case, since their existence bolsters the argument that you reasonably protected your trade secrets (a prerequisite to establishing a trade secret under the Uniform Trade Secrets Act).

There are three general categories of contractual protections: confidentiality/nondisclosure, nonsolicitation, and noncompete. Remember that the law applicable to these contracts varies widely from state-to-state, so you need to consult with an attorney who can make sure your agreements comply with and will be enforced under the applicable law.

Confidentiality/NDA

This is the lowest level of contractual protection. It’s also the easiest to implement, since employees are less likely to push back when asked to sign a NDA. From a best-practices perspective, it’s worth at least considering whether to require that all employees sign a NDA. Even low-level employees may have access to some proprietary information. The trick is drafting the language in a way that best defines what precisely needs to be kept confidential. In particular, you need to decide whether to define “confidential information” broadly vs. specifically. Each comes with benefits and risks. Speak with a lawyer who can learn about your unique situation to determine what language best suits your business.

Nonsolicitation Agreements

A nonsolicitation agreement prohibits your employee from soliciting some or all of your current or prospective customers and/or employees once she leaves your company, for a certain period of time. These contracts offer an intermediate level protection, more than a NDA but not as much as a noncompete. It’s best to have all employees with access to proprietary customer information, or who have relationships with prospective/actual customers, sign a nonsolicitation agreement. Again, consult with an attorney who can help craft the scope of the restrictions to your company, based on the applicable law.

Noncompete Agreements

These agreements offer the highest level of protection, since they prohibit your employee from working for your competitors or in your industry, within a certain area and for a certain amount of time. Recently, there has been media coverage of corporate overuse of noncompete agreements. For example, Jimmy Johns took a lot of heat for having its sandwich makers sign noncompete agreements. This type of practice can turn off a judge.

There’s no question that noncompete agreements can be a powerful tool for protecting your proprietary information. But you should consider only requiring that key employees sign a noncompete agreement. The other contracts above may be sufficient to protect against misappropriation by lower-level employees.

You also need to think about the noncompete’s temporal and geographic scope. Depending on the law in your state, an overbroad agreement may not be enforceable. In Florida, where judges are required to narrow an overbroad agreement, I’ve seen judges soured towards employers that overreached when drafting the agreement. Generally, it’s best to limit the agreement the area in which you can prove you compete. An attorney can work with you to determine the proper scope.

Procedure

Deciding to require some or all of the above agreements, and having an attorney draft the agreements, is only the first step. Next, you need to make sure the agreements are actually signed and dated. Then, you need to make sure the signed agreements are properly maintained. You would not believe how often companies forget to have an employee sign or date the agreement. Or how often I’ve seen a company struggle to find the signed agreement when it became necessary to enforce it.

The key is to develop a protocol that can be repeated for each new employee. When the decision is made to hire a new employee, a designated person should be responsible for creating a checklist of all documents that she needs to sign. Of course, the checklist may be different for each employee. Either the person who creates the checklist or another designated person needs to be responsible for making sure all items on the list are actually completed. I recommend including on the checklist the signing, dating, and filing of all required contracts. The responsible person should sign the checklist once everything has been completed, and the checklist should be filed along with the signed documents.

If the contracts are to be signed electronically, your IT people need to set up the software so it will not allow a signature unless all mandatory clickwrap “boxes” are checked. If you are old school and the contracts are manually signed, I recommend keeping an electronic copy along with the original.

In future posts, I’ll discuss specific contractual provisions that should be included in these agreements, as well as best practices for contractual protections when dealing with third parties, like vendors, consultants, and joint-venture partners.