Panera Case Gives an Early Interpretation of the Defend Trade Secrets Act

Panera, LLC v. Nettles and Papa John’s International, Inc., 2016 WL 4124114 (E.D. Mo. Aug. 3, 2016) is one of the first cases under the Defend Trade Secrets Act (DTSA). It both answers and raises questions about how the statute will be interpreted.

Here, Panera sued a former senior IT employee who left to work for Papa John’s, allegedly in violation of a noncompete/nondisclosure agreement. Panera brings claims for breach of contract, violations of the DTSA, and violations of the Missouri Trade Secrets Act. A copy of the order is linked below.

18 U.S.C. 1836(b)(3)(A)(i)(I) provides that any injunction entered under the DTSA cannot “prevent a person from entering into an employment relationship, and that conditions placed on such employment shall be based on evidence of threatened misappropriation and not merely on the information that the person knows[.]”

This raised a question that would need to be answered by the courts: if a plaintiff sues for breaching a restrictive covenant and violating the DTSA, can the court enter an injunction based on the restrictive covenant, or would that injunction violate the provision above?

Since the court here entered an injunction, this case suggests that the provision above does not preclude injunctions in restrictive-covenant cases that also include DTSA claims. (Which strikes me as the obviously correct result.)

Interestingly, the court entered an injunction precluding the defendant from working for Papa John’s based on violations of the DTSA, not only breaches of the restrictive covenant. This at least arguably violates the DTSA prohibition on such injunctions. It will be interesting to see if this issue is addressed on appeal.

The provision above was also intended to preclude arguments based on inevitable disclosure, since the DTSA provides that an injunction setting forth employment conditions could not be based solely on information known by the former employee. But here, the Court explicitly considered, and at least partially relied upon, the inevitable-disclosure doctrine:

Although Missouri has not formally adopted the doctrine of inevitable disclosure–and neither has the Eighth Circuit, with regard to federal trade secrets claims–the Court finds the rationale underpinning such a theory helpful to understanding why Nettles’ performance of his new role would almost certainly require him to draw upon and use trade secrets and the confidential strategic planning to which he was privy at Panera.

Again, this at least arguably violates the DTSA.

Perhaps these apparent contradictions will be addressed if the case progresses, particularly if it reaches the Eighth Circuit. I will also continue to keep my eye out for other cases under the DTSA that address these and other open issues.

Panera v. Papa John’s

Should You Abandon Email to Protect Trade Secrets?

In the wake of the hacking of the Democratic National Committee’s email server, it may be time to explore whether transmitting trade secrets via email—even internally—has become too risky.

Email hacks have become commonplace. It is a virtual certainty that your company has at least been targeted by some sort of hacking attempt. For every high-profile hack, like Sony, Ashley Madison, or the DNC, there are thousands of less-visible companies who also suffered data breaches, often involving emails.

The sad truth is that regardless of protection efforts, no company can keep its emails and centrally stored electronic documents 100% safe. Thus, you need to ask: is it time for my company to ban transmittal of trade-secrets via email?

A wholesale ban on email transmission is not always going to be feasible. But for certain types of trade secrets—particularly ones used only by a small number of employees—this could be workable. For example, I wrote recently about trade-secrets relating to design schematics used in 3D printing. Those types of schematics could potentially be stored offline.

These issues are highly unique to each company. You should speak with an attorney who specializes in trade-secret issues to figure out whether your company could benefit from taking trade-secrets offline.

 

Find a Pokemon, Lose Your Trade Secrets?

Well, that escalated quickly. In what seems like an instant, Pokemon went from a faded memory to an all-encompassing craze unlike anything we’ve seen before from an app. Nintendo, the company behind Pokemon Go, had its market cap increase by $7 billion since it was released last week. I haven’t played the game, but I can’t stop hearing and reading about it. Pretty remarkable.

Pokemon Go’s success has far-reaching implications for how we use technology, and in particular augmented reality. I loved this article about how companies can use Pokemon Go to drive foot traffic for about $1/hour. But for our purposes, Pokemon Go may present some unexpected risks to information security.

This article from inc. discusses two of these risks. First,  Pokemon Go users must login using their Google accounts. But Pokemon Go is then automatically granted full access to the user’s Google account. Thus, Pokemon Go “can see and modify nearly all information in your Google Account.” So, as noted in this blog post, users playing Pokemon Go have granted the app permission to read their emails, send emails, access and delete all Google drive documents, and more. Not good. Particularly if your employees have emailed themselves proprietary information.

The developer of Pokemon Go has since issued a statement that this was a mistake, which will soon be fixed. Regardless, this shows how important it is to keep your employees from sending themselves proprietary information, which should be your company’s policy. In addition, various IT solutions can protect against this practice.

Also, Pokemon Go has only been officially released in several countries. Per the inc. article, people living elsewhere have turned to file-sharing services to download the app:

Because the game is popular, people in other countries are obtaining the Android version through unofficial channels – and hackers have already successfully posted malware-infected versions of the app in some file sharing services. One variant of such a malevolent version of the app was discovered by the security firm Proofpoint and is quite serious: it infects Android devices and allows hackers to access the infected devices via a backdoor.

File-sharing services are notoriously dangerous. You should be blocking access to all such services on all company devices.

Issues like these are well-suited for employee training. Employees need to know that seemingly innocent conduct can expose the company to serious risks.

A Landmark Day for Protecting Trade Secrets

Today, President Obama signed into law the Defend Trade Secrets Act. This means that companies whose trade secrets are misappropriated can now sue in federal court. This will likely usher in a new paradigm in the world of trade-secrets litigation. It will be very interesting to see how plaintiffs react and the statute develops in the next few years. In the meantime, take a look at my previous post for an urgent recommendation for all companies now that the DTSA has become effective.

Do This NOW to Prepare for the New Federal Trade Secrets Law

The Defend Trade Secrets Act (DTSA), which creates a federal cause of action for trade-secrets misappropriation, will be signed into law by President Obama in the coming days. This new law will have a substantial effect on where, and how, trade-secrets cases are litigated. Now is the time to figure out if your company is ready for the new law.

Since the DTSA’s definitions of trade secrets and misappropriation are largely similar to those in the Uniform Trade Secrets Act adopted by most states, I’m most concerned about making sure companies are minimizing the risk that they will unexpectedly be hit with a seizure order.

As has been widely discussed and debated, the DTSA contains an ex-parte seizure provision that authorizes judges to order the seizure of property containing the plaintiff’s trade secrets. While there are substantial protections to prevent abuse of this remedy, companies need to make sure they are not at risk of having their property seized.

This brings us to the critical step that all companies need to take now: Look carefully at your employee hiring/onboarding process. Far too many new employees bring proprietary documents from their prior employer; sometimes maliciously, sometimes innocently. Once the DTSA becomes law, if a new employee saves these types of documents on your server, you will be at risk of having law enforcement seize whatever is storing the documents.

Use this opportunity to conduct a comprehensive audit of your onboarding process. Make sure that your restrictive covenants and NDAs require new employees to represent that they are not bringing any proprietary information from a prior employer. Train the employees who conduct the onboarding process to discuss this issue with new employees before they are given access to your server. New employees must understand that they are prohibited from saving any documents from a prior employer on any company property, including servers, employee-issued devices, and media. Finally, work with IT to see if it makes sense to install protections that can alert to any external documents saved on your system by a new employee.

As always, each company needs customized solutions to best address the unique issues affecting your company and industry. Consult with an attorney specializing in trade-secret law who can advise what steps your company should take.

 

House Passes Defend Trade Secrets Act

Over the past few years, there has been much discussion and debate over the Defend Trade Secrets Act (DTSA), which amends the Economic Espionage Act to create a federal civil cause of action for trade-secrets misappropriation. Well, we’re on the verge of the DTSA becoming the law of the land. Several weeks ago, the Senate passed the DTSA by a vote of 87-0. Today, the House of Representatives passed the bill by a vote of 410-2. Now, it goes to the President for signature.

Since President Obama supports the bill, we are just days away from one of the most significant events in the history of trade-secrets law, the creation of a right to sue in federal court to remedy misappropriation. I’ve strongly supported this law, so I’m very pleased with this development. I look forward to litigating trade-secrets actions in federal court.

Would Your Employees Sell Their Network Password?

Sailpoint recently released its 2016 Market Pulse Survey, which examined employees’ roles in IT security. The results should terrify employers. The report can be downloaded here.

This report echos a theme I’ve been repeating here often: employees can be the biggest threat to your trade secrets. Consider the following findings:

  • 65% of respondents admitted using a single password across applications
  • One in three shared passwords with co-workers
  • More than 40% still had access to corporate network accounts from their prior job

And most disturbing:

  • 20% worldwide, and 27% in the U.S., would sell their corporate password to an outsider, often for less than $1,000
  • 26% admitted uploading sensitive information to the cloud with the intent to share outside the company

Some of these issues can be addressed through proper training regarding password hygiene and protection of proprietary information. But it’s more difficult to address malicious insiders who want to sell access to your system or disclose your trade secrets.

The malicious-insider problem requires proactive thinking. Consult with your IT team or an outside expert to implement solutions that monitor system usage and alert to irregular activity. Work with HR and management to identify employees who are dissatisfied with their jobs, or otherwise showing signs of higher risk. And make sure that each employee only has access to the proprietary information necessary for that employee’s job.

Also, restrictive covenants and non-disclosure agreements can both deter this type of wrongdoing and allow for more effective enforcement if misappropriation occurs. Consult with an attorney who specializes in trade-secrets law to determine what types of contracts and other legal protections are best suited to protect your company.

Beware Google Dorking

What is Google dorking? Simply put, it’s using Google’s advanced search-engine features to find detailed information about websites and computer networks. Because Google’s algorithm indexes huge amounts of information, Google dorking can be a very effective method for learning about a company’s computer network. Including the type of information that could allow a hacker easy access to your trade secrets.

Recently, the DOJ brought charges against hackers who were allegedly working with the Iranian government to carry out cyber attacks on various U.S. companies. One of the hackers is charged with accessing the computer network that controls a dam in New York. According to a Wall Street Journal article, the hacker was able to use Google dorking to discover a vulnerable computer, which he hacked into to gain access to the dam’s control systems. Apparently, he had been using Google for months to find vulnerable industrial-control systems.

The WSJ article observes that many companies are unknowingly subjecting themselves to these types of hacking risks, including by connecting outdated infrastructure systems to the internet:

Companies, often against the advice of hacking experts, increasingly have brought such systems online as a way to add “smarts” to U.S. infrastructure. But older systems can have weaknesses that can readily be found through Google dorking, and then exploited, experts said.

It is a very bad idea to connect anything to your company’s network without knowing the implications for network security. The dam-hacking episode shows how easily a bad actor can take advantage.

Also, Google dorking can also help companies identify hacking risks. A company can, and should, “dork” itself, to look for inadvertent or unknown security lapses. Be sure to work with your IT team to make sure that your company is not susceptible to a dork’s hack.

Florida Amends Trade-Secrets Laws to Protect Financial Information

This week, Governor Rick Scott signed into law S.B. 180 and 182, broadening the definition of Florida’s criminal trade-secrets-theft statute to include financial information, and applying that definition to the trade-secrets exception to public-records laws.

Section 812.081, Florida Statutes, criminalizes trade-secrets theft. Previously, the definition of “Trade Secret” did not explicitly reference financial information. As of this week, the definition has been amended as follows, with the new language underlined:

“Trade secret” means the whole or any portion or phase of any formula, pattern, device, combination of devices, or compilation of informa- tion which is for use, or is used, in the operation of a business and which provides the business an advantage, or an opportunity to obtain an advantage, over those who do not know or use it. The term includes any scientific, technical, or commercial information, including financial information, and includes any design, process, procedure, list of suppliers, list of customers, business code, or improvement thereof. Irrespective of novelty, invention, patentability, the state of the prior art, and the level of skill in the business, art, or field to which the subject matter pertains, a trade secret is considered to be:

1. Secret; 2. Of value; 3. For use or in use by the business; and 4. Of advantage to the business, or providing an opportunity to obtain an advantage, over those who do not know or use it

when the owner thereof takes measures to prevent it from becoming available to persons other than those selected by the owner to have access thereto for limited purposes.

While this is a criminal statue, it could affect civil actions as well. First, Section 812.035(6) allows an “aggrieved person” to sue for an injunction that remedies a violation of the statute. Notably, under the civil-remedy provision, the plaintiff does not need to show special or irreparable damage. This is another tool for companies harmed by trade-secret misappropriation.

Second, even though there was no corresponding change to Florida’s Uniform Trade Secret Act, Sec. 688.001, Fla. Stat., the broadened criminal definition could affect actions under the UTSA where financial information is at issue. The fact that the legislature has criminalized theft of financial information bolsters a claim that an injunction is necessary to remedy that type of misappropriation.

Finally, a number of other Florida Statutes were also amended to make clear that trade secrets, as defined in the newly amended Sec. 812.081, are exempted from disclosure under Florida’s public-records laws. Companies involved in “P3s”—public/private partnerships—lobbied heavily for the passage of this bill. The amended statute affects just about all companies that do government contracting. Those companies now have statutory protection against having their financial information disclosed when bidding for or performing government contracts.

“You’re going to accept this offer or we’re going to … take your company … and do it ourselves.”

Guest post by Solomon B. Genet.

It is worth reading Bailey v. St Louis, if for no other reason than it is a good story where the good guys seem to have won, and the bad guys got smacked – and when I say “smacked,” I mean hit with an award of punitive damages.

All of the details (as found by the court) won’t fit in this post, but in summary, a private equity (“PE”) firm met with a profitable medical center (plaintiff), to consider giving the plaintiff loan. The plaintiff provided the PE firm with confidential materials, including a copy of the business plan and financial information, to perform due diligence.

The PE firm did not offer a loan, but instead offered to purchase a controlling interest in the plaintiff, and accompanied that offer with the following threat: “you’re going to accept this offer or we’re going to take your doctors and we’re going to take your company.  And we’re going to go up the street, and we’re going to do it ourselves.”

And to the PE firm’s credit (maybe the only thing to its credit), the PE firm did as it promised. The PE firm created dissent among the plaintiff’s employees, using the confidential documents it had received to mislead certain employees as to the plaintiff’s integrity.  It hired away two of the plaintiff’s doctors and established a competing facility.  It used the plaintiff’s business plan, in a “cut and paste job,” to create its own business plan.  A doctor that left the plaintiff to join the PE firm’s competing facility said that one of the a plaintiff’s principals had many aliases, was a wanted felon, and had “possible” sexual offenses, all of which were false. The PE firm even paid certain of the plaintiff’s employees to quit working for the plaintiff. And the plaintiff’s list of patients and leads and accounts payable information were also misappropriated.

The appellate court directed the trial court to award punitive damages, finding that it met the standard of “wanton intentionality, exaggerated recklessness, or such an extreme degree of negligence as to parallel an intentional and reprehensible act.”

For purposes of this post and the focus of this blog, it’s most relevant that the Court’s conclusion flows from the fact that the plaintiff provided the PE firm with a copy of its business plan and certain financial information upon the condition that they would be kept confidential, and that the PE firm disregarded and abused this agreement.  The takeaway is simple and straightforward: if you are contemplating a business relationship of any sort and intend to share confidential information, take the relatively minor step of seeing a lawyer to draft a non-disclosure/limited-use agreement that protects your information.  You could be thanking yourself later.

Bailey v. St. Louis