Find a Pokemon, Lose Your Trade Secrets?

Well, that escalated quickly. In what seems like an instant, Pokemon went from a faded memory to an all-encompassing craze unlike anything we’ve seen before from an app. Nintendo, the company behind Pokemon Go, had its market cap increase by $7 billion since it was released last week. I haven’t played the game, but I can’t stop hearing and reading about it. Pretty remarkable.

Pokemon Go’s success has far-reaching implications for how we use technology, and in particular augmented reality. I loved this article about how companies can use Pokemon Go to drive foot traffic for about $1/hour. But for our purposes, Pokemon Go may present some unexpected risks to information security.

This article from inc. discusses two of these risks. First,  Pokemon Go users must login using their Google accounts. But Pokemon Go is then automatically granted full access to the user’s Google account. Thus, Pokemon Go “can see and modify nearly all information in your Google Account.” So, as noted in this blog post, users playing Pokemon Go have granted the app permission to read their emails, send emails, access and delete all Google drive documents, and more. Not good. Particularly if your employees have emailed themselves proprietary information.

The developer of Pokemon Go has since issued a statement that this was a mistake, which will soon be fixed. Regardless, this shows how important it is to keep your employees from sending themselves proprietary information, which should be your company’s policy. In addition, various IT solutions can protect against this practice.

Also, Pokemon Go has only been officially released in several countries. Per the inc. article, people living elsewhere have turned to file-sharing services to download the app:

Because the game is popular, people in other countries are obtaining the Android version through unofficial channels – and hackers have already successfully posted malware-infected versions of the app in some file sharing services. One variant of such a malevolent version of the app was discovered by the security firm Proofpoint and is quite serious: it infects Android devices and allows hackers to access the infected devices via a backdoor.

File-sharing services are notoriously dangerous. You should be blocking access to all such services on all company devices.

Issues like these are well-suited for employee training. Employees need to know that seemingly innocent conduct can expose the company to serious risks.

A Landmark Day for Protecting Trade Secrets

Today, President Obama signed into law the Defend Trade Secrets Act. This means that companies whose trade secrets are misappropriated can now sue in federal court. This will likely usher in a new paradigm in the world of trade-secrets litigation. It will be very interesting to see how plaintiffs react and the statute develops in the next few years. In the meantime, take a look at my previous post for an urgent recommendation for all companies now that the DTSA has become effective.

Do This NOW to Prepare for the New Federal Trade Secrets Law

The Defend Trade Secrets Act (DTSA), which creates a federal cause of action for trade-secrets misappropriation, will be signed into law by President Obama in the coming days. This new law will have a substantial effect on where, and how, trade-secrets cases are litigated. Now is the time to figure out if your company is ready for the new law.

Since the DTSA’s definitions of trade secrets and misappropriation are largely similar to those in the Uniform Trade Secrets Act adopted by most states, I’m most concerned about making sure companies are minimizing the risk that they will unexpectedly be hit with a seizure order.

As has been widely discussed and debated, the DTSA contains an ex-parte seizure provision that authorizes judges to order the seizure of property containing the plaintiff’s trade secrets. While there are substantial protections to prevent abuse of this remedy, companies need to make sure they are not at risk of having their property seized.

This brings us to the critical step that all companies need to take now: Look carefully at your employee hiring/onboarding process. Far too many new employees bring proprietary documents from their prior employer; sometimes maliciously, sometimes innocently. Once the DTSA becomes law, if a new employee saves these types of documents on your server, you will be at risk of having law enforcement seize whatever is storing the documents.

Use this opportunity to conduct a comprehensive audit of your onboarding process. Make sure that your restrictive covenants and NDAs require new employees to represent that they are not bringing any proprietary information from a prior employer. Train the employees who conduct the onboarding process to discuss this issue with new employees before they are given access to your server. New employees must understand that they are prohibited from saving any documents from a prior employer on any company property, including servers, employee-issued devices, and media. Finally, work with IT to see if it makes sense to install protections that can alert to any external documents saved on your system by a new employee.

As always, each company needs customized solutions to best address the unique issues affecting your company and industry. Consult with an attorney specializing in trade-secret law who can advise what steps your company should take.

 

House Passes Defend Trade Secrets Act

Over the past few years, there has been much discussion and debate over the Defend Trade Secrets Act (DTSA), which amends the Economic Espionage Act to create a federal civil cause of action for trade-secrets misappropriation. Well, we’re on the verge of the DTSA becoming the law of the land. Several weeks ago, the Senate passed the DTSA by a vote of 87-0. Today, the House of Representatives passed the bill by a vote of 410-2. Now, it goes to the President for signature.

Since President Obama supports the bill, we are just days away from one of the most significant events in the history of trade-secrets law, the creation of a right to sue in federal court to remedy misappropriation. I’ve strongly supported this law, so I’m very pleased with this development. I look forward to litigating trade-secrets actions in federal court.

Would Your Employees Sell Their Network Password?

Sailpoint recently released its 2016 Market Pulse Survey, which examined employees’ roles in IT security. The results should terrify employers. The report can be downloaded here.

This report echos a theme I’ve been repeating here often: employees can be the biggest threat to your trade secrets. Consider the following findings:

  • 65% of respondents admitted using a single password across applications
  • One in three shared passwords with co-workers
  • More than 40% still had access to corporate network accounts from their prior job

And most disturbing:

  • 20% worldwide, and 27% in the U.S., would sell their corporate password to an outsider, often for less than $1,000
  • 26% admitted uploading sensitive information to the cloud with the intent to share outside the company

Some of these issues can be addressed through proper training regarding password hygiene and protection of proprietary information. But it’s more difficult to address malicious insiders who want to sell access to your system or disclose your trade secrets.

The malicious-insider problem requires proactive thinking. Consult with your IT team or an outside expert to implement solutions that monitor system usage and alert to irregular activity. Work with HR and management to identify employees who are dissatisfied with their jobs, or otherwise showing signs of higher risk. And make sure that each employee only has access to the proprietary information necessary for that employee’s job.

Also, restrictive covenants and non-disclosure agreements can both deter this type of wrongdoing and allow for more effective enforcement if misappropriation occurs. Consult with an attorney who specializes in trade-secrets law to determine what types of contracts and other legal protections are best suited to protect your company.

Beware Google Dorking

What is Google dorking? Simply put, it’s using Google’s advanced search-engine features to find detailed information about websites and computer networks. Because Google’s algorithm indexes huge amounts of information, Google dorking can be a very effective method for learning about a company’s computer network. Including the type of information that could allow a hacker easy access to your trade secrets.

Recently, the DOJ brought charges against hackers who were allegedly working with the Iranian government to carry out cyber attacks on various U.S. companies. One of the hackers is charged with accessing the computer network that controls a dam in New York. According to a Wall Street Journal article, the hacker was able to use Google dorking to discover a vulnerable computer, which he hacked into to gain access to the dam’s control systems. Apparently, he had been using Google for months to find vulnerable industrial-control systems.

The WSJ article observes that many companies are unknowingly subjecting themselves to these types of hacking risks, including by connecting outdated infrastructure systems to the internet:

Companies, often against the advice of hacking experts, increasingly have brought such systems online as a way to add “smarts” to U.S. infrastructure. But older systems can have weaknesses that can readily be found through Google dorking, and then exploited, experts said.

It is a very bad idea to connect anything to your company’s network without knowing the implications for network security. The dam-hacking episode shows how easily a bad actor can take advantage.

Also, Google dorking can also help companies identify hacking risks. A company can, and should, “dork” itself, to look for inadvertent or unknown security lapses. Be sure to work with your IT team to make sure that your company is not susceptible to a dork’s hack.

Florida Amends Trade-Secrets Laws to Protect Financial Information

This week, Governor Rick Scott signed into law S.B. 180 and 182, broadening the definition of Florida’s criminal trade-secrets-theft statute to include financial information, and applying that definition to the trade-secrets exception to public-records laws.

Section 812.081, Florida Statutes, criminalizes trade-secrets theft. Previously, the definition of “Trade Secret” did not explicitly reference financial information. As of this week, the definition has been amended as follows, with the new language underlined:

“Trade secret” means the whole or any portion or phase of any formula, pattern, device, combination of devices, or compilation of informa- tion which is for use, or is used, in the operation of a business and which provides the business an advantage, or an opportunity to obtain an advantage, over those who do not know or use it. The term includes any scientific, technical, or commercial information, including financial information, and includes any design, process, procedure, list of suppliers, list of customers, business code, or improvement thereof. Irrespective of novelty, invention, patentability, the state of the prior art, and the level of skill in the business, art, or field to which the subject matter pertains, a trade secret is considered to be:

1. Secret; 2. Of value; 3. For use or in use by the business; and 4. Of advantage to the business, or providing an opportunity to obtain an advantage, over those who do not know or use it

when the owner thereof takes measures to prevent it from becoming available to persons other than those selected by the owner to have access thereto for limited purposes.

While this is a criminal statue, it could affect civil actions as well. First, Section 812.035(6) allows an “aggrieved person” to sue for an injunction that remedies a violation of the statute. Notably, under the civil-remedy provision, the plaintiff does not need to show special or irreparable damage. This is another tool for companies harmed by trade-secret misappropriation.

Second, even though there was no corresponding change to Florida’s Uniform Trade Secret Act, Sec. 688.001, Fla. Stat., the broadened criminal definition could affect actions under the UTSA where financial information is at issue. The fact that the legislature has criminalized theft of financial information bolsters a claim that an injunction is necessary to remedy that type of misappropriation.

Finally, a number of other Florida Statutes were also amended to make clear that trade secrets, as defined in the newly amended Sec. 812.081, are exempted from disclosure under Florida’s public-records laws. Companies involved in “P3s”—public/private partnerships—lobbied heavily for the passage of this bill. The amended statute affects just about all companies that do government contracting. Those companies now have statutory protection against having their financial information disclosed when bidding for or performing government contracts.

“You’re going to accept this offer or we’re going to … take your company … and do it ourselves.”

Guest post by Solomon B. Genet.

It is worth reading Bailey v. St Louis, if for no other reason than it is a good story where the good guys seem to have won, and the bad guys got smacked – and when I say “smacked,” I mean hit with an award of punitive damages.

All of the details (as found by the court) won’t fit in this post, but in summary, a private equity (“PE”) firm met with a profitable medical center (plaintiff), to consider giving the plaintiff loan. The plaintiff provided the PE firm with confidential materials, including a copy of the business plan and financial information, to perform due diligence.

The PE firm did not offer a loan, but instead offered to purchase a controlling interest in the plaintiff, and accompanied that offer with the following threat: “you’re going to accept this offer or we’re going to take your doctors and we’re going to take your company.  And we’re going to go up the street, and we’re going to do it ourselves.”

And to the PE firm’s credit (maybe the only thing to its credit), the PE firm did as it promised. The PE firm created dissent among the plaintiff’s employees, using the confidential documents it had received to mislead certain employees as to the plaintiff’s integrity.  It hired away two of the plaintiff’s doctors and established a competing facility.  It used the plaintiff’s business plan, in a “cut and paste job,” to create its own business plan.  A doctor that left the plaintiff to join the PE firm’s competing facility said that one of the a plaintiff’s principals had many aliases, was a wanted felon, and had “possible” sexual offenses, all of which were false. The PE firm even paid certain of the plaintiff’s employees to quit working for the plaintiff. And the plaintiff’s list of patients and leads and accounts payable information were also misappropriated.

The appellate court directed the trial court to award punitive damages, finding that it met the standard of “wanton intentionality, exaggerated recklessness, or such an extreme degree of negligence as to parallel an intentional and reprehensible act.”

For purposes of this post and the focus of this blog, it’s most relevant that the Court’s conclusion flows from the fact that the plaintiff provided the PE firm with a copy of its business plan and certain financial information upon the condition that they would be kept confidential, and that the PE firm disregarded and abused this agreement.  The takeaway is simple and straightforward: if you are contemplating a business relationship of any sort and intend to share confidential information, take the relatively minor step of seeing a lawyer to draft a non-disclosure/limited-use agreement that protects your information.  You could be thanking yourself later.

Bailey v. St. Louis

When Noncompetes Attack

Noncompete agreements aren’t always appropriate. This is a pretty simple concept that sophisticated companies don’t always grasp. I’ve written often about how noncompete agreements can be a company’s most powerful tool to protect its trade secrets and proprietary information. But only if the employee has access to trade secrets and proprietary information. When a big company takes a blunderbuss approach and makes all of its low-level employees sign noncompete agreements, it can backfire.

In the past few months, companies like Jimmy John’s and Amazon have faced backlash after the media learned that they were forcing sandwich makers and warehouse employees to sign noncompetes. This week, the Wall Street Journal ran a story about Stephanie Russell-Kraft, a former reporter—apparently entry level—at Law360. When Ms. Russell-Kraft left to work at Reuters, Law360 informed Reuters that she had signed a noncompete agreement while at Law360. Reuters fired her for not disclosing the noncompete when she applied.

Now, Law360 is facing bad PR (as reflected in these articles in Slate and Above the Law). Far worse, the New York Attorney General is now investigating Law360 to see if it violated New York labor laws.

I’m not going to claim to be an expert in the legal news-wire business. But it’s hard to see how an entry-level reporter would have access to proprietary information justifying a noncompete. In almost all circumstances, companies should limit noncompetes to senior executives and employees with access to proprietary information and trade secrets.

That’s not to say that companies shouldn’t take steps to protect against lower-level employees misusing or disclosing confidential information. Many times, this can be accomplished by less restrictive agreements such as nonsolicitation or nondisclosure agreements. I’ve found that courts are much more willing to enforce these types of agreements.

This brings us back to one of the key themes that you will find throughout my blog posts: each company needs a personalized strategy for protecting its trade secrets and proprietary information. This strategy should implement appropriate protections, which will often include targeted noncompete agreements. But too many companies force all employees to sign noncompetes. As we’ve seen recently, the company can come off as a bully. Or worse.

UPDATE: Here’s an interesting interview with Russell-Kraft.

Beekeepers Show How Not To Protect Trade Secrets

Trade-secret misappropriation actions, not surprisingly, require discovery into the trade secrets at issue. This can create problems, particularly when the action is being litigated between competitors. In a recent case out of Nebraska, the plaintiff appears to be facing a pretty terrible choice: either disclose its proprietary information to a competitor, risk discovery sanctions, or walk away from its claims. Even worse, some simple proactive thinking could have prevented this problem.

In McDonald Apiary, LLC v. Starrh Bees, Inc., 201 WL 299014 (D. Neb. 1/25/16), the plaintiff and defendant are competitors in the beekeeping and honey production industry, with the plaintiff based in Nebraska and the defendant in California. They entered into an oral agreement under which the plaintiff would place a number of the defendant’s bee hives in Oklahoma and Nebraska.

The plaintiff now accuses the defendant of breaching the contract and has sued for misappropriation of trade secrets and other claims. Of course, the defendant has sought discovery into the alleged trade secrets, including information about the locations where the plaintiff places beehives.

As happens routinely in these cases, the plaintiff is only willing to produce its claimed trade-secret documents on an “attorney’s eyes only” (AEO) basis. The defendant objected, leading to this particular order.

The court rejected the AEO designation, focusing on the plaintiff’s failure to protect this information. Including when the plaintiff shared some location information with the defendant and other competitors:

Plaintiff has failed to explain how it can share certain location information with a competitor and simultaneously claim its location information is held strictly confidential. . . . The parties apparently did not enter into any type of confidentiality agreement as part of their oral contract. And this type of undocumented business arrangement does not appear to be unusual for the Plaintiff: McDonald Apiary has entered into similar contracts with other competitors and has not provided evidence it demands a confidentiality agreement in those contracts.

So the plaintiff has spent time and money developing certain information about the best places to locate bee hives. There’s no reason why this information couldn’t be a trade secret — it certainly appears to give the plaintiff benefits by virtue of being unknown to others. But the plaintiff didn’t adequately protect the information when it shared portions of it with third parties under oral contracts with no confidentiality restrictions.

Here, the lesson is simple: First, never enter into oral contracts. Second, any time you are sharing proprietary information with a third party, the contract must include confidentiality/non-disclosure obligations. While this may seem obvious, this case (and many others I’ve seen) show that companies far too often focus on “business” terms, without regard for protecting proprietary information.