2-Minute Jimmy Kimmel Clip Shows Our Cybersecurity Culture Crisis

This video speaks volumes about our country’s attitudes towards cybersecurity:

Last week, I wrote about the importance of creating a culture that makes protection of trade secrets a top-line priority. This video shows why this culture is so important. Your employees need to be constantly aware of surreptitious attempts to get passwords. Spear phishing attacks are becoming more and more sophisticated; your employees need to be immediately suspicious of any attempt to get personal information, particularly passwords.

In the real world, bad actors are far more subtle than a Jimmy Kimmel reporter with a microphone and a video camera. The fact that people are willing to turn over their passwords on TV shows—particularly now, when cybersecurity issues have never been more visible—is depressing. Make sure your employees know better.

Trade Secrets Best Practices: Exit Interviews

This is the next in a series of posts addressing best practices for protecting trade secrets and proprietary information. Today’s topic: exit interviews, which can be a powerful tool to avoid, or at least anticipate, unwanted disclosure.

An exit interview is exactly what it sounds like. When an employee is leaving your company, you have someone meet with him to discuss various aspects of his departure. There are several goals: remind the employee of his legal obligations; make sure he has returned all company information, documents, and devices; and gather intelligence about his next job to determine the risk of unwanted disclosure.

The key is to have a set process that is automatically followed each time an employee leaves. Depending on the size and structure of your company, a single person or department should be responsible for conducting the interviews. That person should work from a checklist that includes all topics that must be discussed. To develop this process, consult with an attorney who specializes in trade-secrets issues who can help customize it to fit your company’s needs.

The checklist should include, at a minimum, the following:

Review of restrictive covenants and related agreements: Give the employee copies of any agreements he signed and remind him of specific noncompete, nonsolicitation, nondisclosure, and related obligations.

Review of non-contractual legal obligations: Remind the employee of his ongoing legal obligations to, for example, keep certain information confidential. The applicable laws vary state-by-state, so make sure to consult with an attorney familiar with your state’s laws.

Review inventory of all company devices: Hopefully, you are keeping an inventory of all company devices issued to the employee. Go through this inventory and make sure he has returned all of these devices.

Company information and documents: Ask whether the employee has any hard-copy documents or electronically stored information on his personal computer, devices, and storage medium. If he does, give a set date for him to return or destroy the documents/information.

Sign acknowledgment: Have the employee sign an acknowledgment form that confirms he is aware of his legal obligations, has returned all company devices, and returned or destroyed all company documents/information.

Gather information: Ask the employee where he will be working next, and in what capacity. Also make sure you have the employee’s updated contact information.

Additionally, prior to the interview, you should work with your IT department to see if the departing employee recently accessed or used trade-secret information, particularly in an out-of-the-ordinary manner. If so, consult with an attorney, since it may be advisable to address this issue with the employee during the exit interview.

Often, this process will allow you to handicap the risk that the departing employee will illegally use your trade secrets and proprietary information. For example, be wary of an employee who refuses to tell you where he will be working next. Or an employee who refuses to attend the exit interview. In cases where you suspect something is amiss, consult with an attorney right away, since time is of the essence in these cases.

Again, there is no one-size-fits-all approach to exit interviews. Speak with with an attorney to develop the process that best fits your company’s needs.

The One Question All Trade-Secret Owners Must Ask In 2015

Happy_New_Year_2015

It seems like threats to trade secrets and proprietary information are increasing exponentially. News reports of large-scale data thefts have become an almost daily occurrence. And employees are more likely to switch jobs, taking your proprietary information with them. Meanwhile, technology has increased the risk of inadvertent disclosure, since most employees are walking around with critical business information on their smartphones.

This leads to the question all trade-secrets owners must ask: What am I doing to create a culture of protection at my company?

Company culture comes up in a lot of settings, but not often enough in the context of protecting trade secrets. Since your employees are on the front lines, working with your trade secrets, they need to have protection at the front of their minds.

It is not easy to create a culture of protection. It takes a clear strategy, implemented consistently over time. It must start when employees are hired, with trade-secrets training included in the onboarding process. But training is nowhere near enough.

Trade-secret protection needs to be a part of every employee’s daily routine. The goal is to build habits that decrease the risk of disclosure. For example, employees need to lock their computers every time they leave. They need to be aware of and on the lookout for spear phishing scams. And they need to know exactly how to handle documents containing trade secrets or other critical proprietary information.

At the risk of sounding like a speaker at a corporate retreat, culture starts at the top. Employees need to hear from your company’s most senior executives that trade-secret protection is one of everyone’s core job responsibilities.

The new year provides an excellent opportunity to consider your company’s culture of protection. This culture has never been more important. If your company falls short, now is the time to make changes. If you do not have a formal trade-secrets policy, speak to an attorney to implement one.

Happy new year, everyone.

Guest Post: Proving Damages in Trade-Secrets Cases

By Solomon Genet

Proving damages can be difficult in a wide range of cases, often especially so in a trade-secrets case. In a recent Federal appellate decision, the 5th Circuit (painfully for the plaintiffs) identified some of the risks involved. A link to the decision, In re Mandel, 2014 WL 3973479 (5th Cir. Aug. 15, 2014), is below.

Here, two individuals, an IP lawyer and a database expert, came together through a joint-venture entity to develop what they conceived to be a new type of search-engine. This JV hired personnel, retained a development team, and searched for investors.  The relationship then went sour, with misrepresentations made, one partner forming a competing company without disclosing it to the other partner, and that new company raising investor funds.  Suits, counter-suits, and a bankruptcy petition followed.

Later, the bankruptcy court presided over a trial as to whether the chapter 11 debtor (before filing for bankruptcy) misappropriated trade secrets under Texas law.  While finding that the debtor-defendant was liable, the court rejected each of the plaintiffs’ damages theories (they proposed a number of them).  But then, the bankruptcy court awarded damages—$1 Million to one plaintiff and $400k to another—“without explaining the damages theory on which it relied or identifying the evidence that supported these awards.”

Although the Fifth Circuit stated that in trade-secret misappropriation cases: (1) damages need not be proved with great specificity; (2) a flexible damages approach is appropriate; (3) uncertainty as to damages does not preclude recovery; and (4) only an approximation is needed, as long as there is a just and reasonable inference in support; it held that since the trial / bankruptcy court neither identified the theory of damages nor explained the evidentiary support for the amounts awarded, even this relaxed standard was not satisfied. The Fifth Circuit remanded back to the bankruptcy court to clarify the damages issue.

Accordingly, as a practice pointer, a plaintiff harmed by trade-secret misappropriation should ensure that the court identifies how it arrived to the amount of damage suffered, and not just identify the amount of monetary damage.

Note: this decision applied Texas common law, which has since been superseded by Texas’ adoption of the Uniform Trade Secrets Act.

Solomon Genet is a partner at Meland Russin & Budwick, P.A. in Miami, FL. He specializes in complex commercial litigation, business insolvency, and financial-fraud-related matters in the State and Federal courts.

In re: Mandel

“Shark Tank” Shouldn’t Forget About Trade Secrets

I recently started watching Shark Tank on CNBC. For those who haven’t seen it, the concept is simple: entrepreneurs pitch “sharks”—prominent wealthy investors like Mark Cuban—in an effort to win funding, usually in exchange for equity in the company.

In the episodes I’ve seen thus far, many of the entrepreneurs are pitching companies that sell a single product. Inevitably, the sharks ask whether the company holds a patent. For those products that can be reverse engineered, that’s obviously a critical question. But I’ve noticed that the sharks don’t ask about trade secrets.

For example, I watched one episode where the entrepreneurs sold a disposable, single-use wipe that was designed to clean heavy grease. It was similar to the wet naps you get at a BBQ restaurant. They pitched it as a product to keep in your car. One of the sharks, “Mr. Wonderful,” wanted to know if they had a patent. When they said they did not, Mr. Wonderful decided not to invest.

Even without a patent, this company could have valuable trade secrets. For example, the wipes used concentrated citrus oil. It’s entirely possible that the company’s oil formula could be protected as a trade secret.

Companies need to be aware whether their proprietary information can qualify as a trade secret. That way, the company can take the actions necessary to protect that information. And when trying to raise funding, those trade secrets can be featured, alongside (or in lieu of) the company’s patents. Of course, make sure that the potential investors sign a nondisclosure agreement before providing them with nonpublic details about the trade secrets.

AZ Supreme Court: Trade Secrets Act Does Not Preempt Claims for Misappropriation of Confidential Info

I’ve previously written about the Uniform Trade Secrets Act’s (UTSA) preemption provision, which preempts tort and other claims providing civil remedies for trade-secret misappropriation. Yesterday, the Arizona Supreme Court held that the Arizona Trade Secrets Act (ATSA), which is based on the UTSA, does not preempt common-law claims for misappropriation of information that is not a trade secret.

In this case, the former president of a public relations firm was sued by that firm when she left to start a competing PR firm. The plaintiff PR firm brought a claim for unfair competition, which was based on the use of confidential information the defendant learned while working for the plaintiff. The trial court dismissed the claim, finding that the ATSA preempts claims arising from the misuse of confidential information, even where the information does not rise to the level of a trade secret.

The Arizona Supreme Court disagreed, relying primarily on the plain language of the ATSA. The court did acknowledge the fact that other states have held that these types of claims are preempted. In states where misappropriation claims based on non-trade-secret confidential information are viable, it is often advisable to bring both a trade-secrets misappropriation claim and an alternative (or independent) claim for misappropriation or conversion of confidential information.

This case contains one other point of note. The defendant argued that allowing claims for misappropriation of confidential information would result in an “absurd” result. She noted that a plaintiff could obtain more in punitive damages on the misappropriation claim than it could on an ATSA claim, which allows for exemplary damages of twice actual damages where the misappropriation is willful and malicious.

In response, the court offered very helpful language to a plaintiff seeking to prove exemplary damages under the ATSA:

That AUTSA authorizes a trial court, rather than a jury, to award exemplary damages of no more than twice the amount of actual damages . . . is not necessarily anomalous. In cases of willful and malicious misappropriation, punitive damages might be easier to obtain under AUTSA than under our common law, which requires clear and convincing evidence of a defendant’s “evil mind” for a punitive damages.

Since many misappropriation of trade secrets are based on willful conduct, this case may be worth citing when seeking exemplary damages.

 

Trade Secrets Summit — December 4-5, 2014

The American Intellectual Property Law Association’s Trade Secrets Committee will be presenting its Trade Secrets Summit this December 4-5, at Intel’s headquarters in Santa Clara, CA.

The Summit features a number of very interesting presentations, from judges, prosecutors/FBI agents, professors, and in-house and outside counsel. I will be moderating a panel debating whether Congress should pass a federal cause of action for trade-secrets misappropriation.

Registration costs $350 for AIPLA members and $695 for non-members, with discounts offered for in-house and governmental attorneys, and students. This includes 13 hours of CLE credits.

Sign up here. I hope to see many of you there!

 

Best Practices for Protecting Trade Secrets: Categories of Employee Contracts

This is the first in a series of posts addressing best practices for protecting trade secrets. I’m starting with employee/independent contractor contracts, which are one of the most important and effective ways to protect proprietary information.

Contracts are critical for multiple reasons. First, they inform your employees of their legal responsibilities. Second, it’s generally easier to prosecute a breach-of-contract claim instead of relying solely on a trade-secrets misappropriation claim. Third, a competitor that hires your former employee may be more likely to cut ties with that employee when presented with a cease-and-desist letter attaching a contract. Finally, requiring these types of agreements can help you win a misappropriation case, since their existence bolsters the argument that you reasonably protected your trade secrets (a prerequisite to establishing a trade secret under the Uniform Trade Secrets Act).

There are three general categories of contractual protections: confidentiality/nondisclosure, nonsolicitation, and noncompete. Remember that the law applicable to these contracts varies widely from state-to-state, so you need to consult with an attorney who can make sure your agreements comply with and will be enforced under the applicable law.

Confidentiality/NDA

This is the lowest level of contractual protection. It’s also the easiest to implement, since employees are less likely to push back when asked to sign a NDA. From a best-practices perspective, it’s worth at least considering whether to require that all employees sign a NDA. Even low-level employees may have access to some proprietary information. The trick is drafting the language in a way that best defines what precisely needs to be kept confidential. In particular, you need to decide whether to define “confidential information” broadly vs. specifically. Each comes with benefits and risks. Speak with a lawyer who can learn about your unique situation to determine what language best suits your business.

Nonsolicitation Agreements

A nonsolicitation agreement prohibits your employee from soliciting some or all of your current or prospective customers and/or employees once she leaves your company, for a certain period of time. These contracts offer an intermediate level protection, more than a NDA but not as much as a noncompete. It’s best to have all employees with access to proprietary customer information, or who have relationships with prospective/actual customers, sign a nonsolicitation agreement. Again, consult with an attorney who can help craft the scope of the restrictions to your company, based on the applicable law.

Noncompete Agreements

These agreements offer the highest level of protection, since they prohibit your employee from working for your competitors or in your industry, within a certain area and for a certain amount of time. Recently, there has been media coverage of corporate overuse of noncompete agreements. For example, Jimmy Johns took a lot of heat for having its sandwich makers sign noncompete agreements. This type of practice can turn off a judge.

There’s no question that noncompete agreements can be a powerful tool for protecting your proprietary information. But you should consider only requiring that key employees sign a noncompete agreement. The other contracts above may be sufficient to protect against misappropriation by lower-level employees.

You also need to think about the noncompete’s temporal and geographic scope. Depending on the law in your state, an overbroad agreement may not be enforceable. In Florida, where judges are required to narrow an overbroad agreement, I’ve seen judges soured towards employers that overreached when drafting the agreement. Generally, it’s best to limit the agreement the area in which you can prove you compete. An attorney can work with you to determine the proper scope.

Procedure

Deciding to require some or all of the above agreements, and having an attorney draft the agreements, is only the first step. Next, you need to make sure the agreements are actually signed and dated. Then, you need to make sure the signed agreements are properly maintained. You would not believe how often companies forget to have an employee sign or date the agreement. Or how often I’ve seen a company struggle to find the signed agreement when it became necessary to enforce it.

The key is to develop a protocol that can be repeated for each new employee. When the decision is made to hire a new employee, a designated person should be responsible for creating a checklist of all documents that she needs to sign. Of course, the checklist may be different for each employee. Either the person who creates the checklist or another designated person needs to be responsible for making sure all items on the list are actually completed. I recommend including on the checklist the signing, dating, and filing of all required contracts. The responsible person should sign the checklist once everything has been completed, and the checklist should be filed along with the signed documents.

If the contracts are to be signed electronically, your IT people need to set up the software so it will not allow a signature unless all mandatory clickwrap “boxes” are checked. If you are old school and the contracts are manually signed, I recommend keeping an electronic copy along with the original.

In future posts, I’ll discuss specific contractual provisions that should be included in these agreements, as well as best practices for contractual protections when dealing with third parties, like vendors, consultants, and joint-venture partners.

 

Data Breaches Increase Seven-Fold In One Year

According to a report by California’s attorney general, 18.5 million Californians were victims of cyber intrusions or data breaches in 2013. Remarkably, this was up from 2.5 million in 2012, a seven-fold increase. (Note that two major data breaches at Target and LivingSocial account for much of the increase.) A copy of the report is linked below, and this article summarizes the report.

The study breaks down the cause of the various breaches, with 53% caused by cyber incursions (e.g., hacking and malware), 26% arising from physical loss or theft, and the remainder coming from unintentional errors or deliberate misuse.

This report is yet another sign that the threat of data loss continues to increase dramatically. While the report focuses on breaches affecting consumer information, it has broader application to companies seeking to protect their proprietary information. Measures necessary to enhance data security and protect trade secrets overlap. Network security is at the heart of these efforts, and companies need to be willing to invest significant resources to keep their networks safe.

But network security is not the only area of concern. This report shows that the loss or theft of computers and other storage media presents another significant risk. For companies seeking to protect their trade secrets, this problem presents on various fronts. For example, companies need to make sure that company-issued computers, smartphones, and media have sufficient protections in case they are lost or stolen. Also, and more problematic, companies need to understand how their employees are using company documents and information on their personal devices. Similarly, companies need to keep tabs on how third parties, like vendors and consultants, are protecting shared proprietary documents.

I have frequently written about the need for companies to implement a trade-secrets policy. This policy would address these issues. For example, it could require that all proprietary documents are encrypted. And it could make sure that these documents are disseminated narrowly, to those employees who need them to do their jobs. For those companies that fail to implement and enforce necessary restrictions, the loss of proprietary information may be inevitable.

2014 California Data Breach Report

Recycled Passwords Can Trash Your Trade Secrets

Recently, a hacker posted a number of usernames and passwords for Dropbox. Considering how many companies are now using Dropbox and other cloud-based providers to share documents, this is obviously a problem. But it does not appear that Dropbox itself was hacked. Instead, as noted by this Slate article, the hacker likely targeted smaller sites with weaker security:

The most likely source of the information is a third-party site that had poor security. Hackers know that most internet users re-use their passwords, so they often target smaller apps made by amateur developers. These easy targets have poor security — so usernames, passwords or files may be stored in a way that’s easy for hackers to steal them.

In other words, most people use the same passwords across multiple sites. Including your employees. This is a BIG problem. Forgive the cliché, but password protection is only as good as the weakest link in the chain. You can spend millions of dollars protecting your network and proprietary information. But if another site where your employees have accounts is hacked, and your employees use the exact same passwords there as they use for your network, your network and information is at risk.

I cannot overstate the importance of making sure that your employees don’t use the same password for your system that they use for other sites. You need to make employees aware of this rule, and strictly enforce it. One option is to create passwords for your employees instead of allowing them to create their own. And change the passwords routinely. Also, as biometric technology develops and becomes more affordable, it presents another option.

There’s a reason we all use the same passwords across multiple sites: it makes life easier. But you need to ensure that your employees don’t allow their convenience to threaten your company.