Protecting Trade Secrets Following an M&A Transaction

Many M&A transactions are motivated by a desire to acquire another company’s trade secrets. But the unique nature of trade secrets, as compared to other types of intellectual property, creates risks for the acquiring company.

For example, a company doesn’t know if its proprietary information is a trade secret until a judge says so, usually in the context of a misappropriation claim. If the acquired trade secrets are stolen after the M&A transaction, this determination will involve a judge’s analysis of how the target company protected the information at issue prior to the transaction.

I recently came across a case from the Northern District of Georgia, DS Waters of America, Inc. v. Fontis Water, Inc., that shows how this can play out. A copy of the opinion is linked below. DS Waters, the company behind Crystal Springs bottled water, acquired the assets of a bankrupt water company, including its customer list. In this case, DS Waters brought a claim under the Georgia Trade Secrets Act alleging misappropriation of the customer list.

The defendants argued that because the bankrupt company did not reasonably protect the customer list, the list is not a trade secret. The case ultimately settled. But if it hadn’t, a jury would have decided whether the bankrupt company took appropriate protections. If not, then DS Waters would have paid for a customer list that it cannot protect as a trade secret.

This highlights the need for in-depth due diligence into the target company’s trade secrets, with a focus on the protections used. These tasks are often farmed out to junior lawyers, who may not have sufficient familiarity with the way courts analyze reasonable protections in misappropriation cases. Resist the temptation to reduce costs by having inexperienced lawyers handle this aspect of the due diligence.

Instead, whenever you are involved in an M&A transaction in which there is value assigned to trade secrets, you should engage an attorney who is an expert in this area who can determine whether the target company’s protection efforts are likely to survive judicial scrutiny. Otherwise, you are taking a substantial risk that the assets you are purchasing cannot be protected as trade secrets.

DS Waters v. Fontis Water

5 Warning Signs That Your Trade Secrets Have Been Stolen

Many companies that suffer trade-secret theft have no idea for months, if not longer. In the meantime, these companies often suffer substantial damage. Effective trade-secrets protection thus requires more than just proactive measures, such as restrictive covenants. Active monitoring is necessary to determine whether former employees, business partners, etc. are engaged in misappropriation.

Obviously, someone who is illegally using your trade secrets will try to keep their activity hidden. As a result, misappropriation can be difficult to detect. But there are warning signs. Here are five common red flags:

  1. A new competitor emerges. If a new competitor appears in your industry, investigate whether any of your former employees or business partners is involved, particularly if there are high barriers to entry in your industry. This usually requires in-depth investigative work, which may require outside counsel, since the bad actors will try to hide their involvement.
  2. Your former employee lied. Hopefully, you’re conducting exit interviews when employees leave your company. During that interview, ask where the employee will be working next. If he or she ends up at a competitor instead, there’s reason for concern.
  3. Data was downloaded. Whenever an employee with access to your proprietary information and trade secrets leaves, work with your IT department to determine whether there was any unusual downloading or exporting of key documents or information leading up to the employee’s departure.
  4. A business partner terminates an agreement unexpectedly. If your business partner had access to your trade secrets, be wary if they unexpectedly terminate what seemed like a mutually beneficial relationship.
  5. Clients leave suddenly. If one of your key sales/customer-relations employees leaves, keep an eye on the clients they worked with. If those customers take their business to your former employee’s new company, you have a problem.
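
One way IT might run the check in item 3, as an added example that is not part of the original post: compare each day's download count in the weeks before departure with the employee's own earlier baseline. The event fields, user names, paths, review window and thresholds are all assumptions, and the events are constructed sample data.

```python
from collections import Counter
from datetime import date, timedelta
from statistics import median


def daily_counts(events, user):
    """Count download/export events per calendar day for one user."""
    return Counter(day for day, who, _path in events if who == user)


def flag_pre_departure(events, user, departure, window_days=14,
                       factor=3.0, floor=20):
    """Return [(day, count, threshold)] for days in the review window whose
    download count exceeds max(floor, factor * baseline median).

    The window, factor and floor are illustrative assumptions, not standards.
    """
    counts = daily_counts(events, user)
    window_start = departure - timedelta(days=window_days)
    # Baseline: the user's own active days strictly before the review window.
    history = [n for day, n in counts.items() if day < window_start]
    # A user with no earlier history gets baseline 0, so the floor applies.
    baseline = median(history) if history else 0
    threshold = max(floor, factor * baseline)
    return sorted((day, n, threshold) for day, n in counts.items()
                  if window_start <= day <= departure and n > threshold)


def build_sample_events():
    """Constructed sample data; 'jdoe' and 'asmith' are hypothetical users."""
    departure = date(2016, 9, 30)
    events = []
    # Routine work: 8 files a day for 60 days, all before the review window.
    for offset in range(20, 80):
        day = departure - timedelta(days=offset)
        events += [(day, "jdoe", f"/shares/sales/doc{i}.xlsx") for i in range(8)]
    # An ordinary day inside the review window.
    quiet = departure - timedelta(days=5)
    events += [(quiet, "jdoe", f"/shares/sales/doc{i}.xlsx") for i in range(6)]
    # Bulk export of customer files three days before departure.
    spike = departure - timedelta(days=3)
    events += [(spike, "jdoe", f"/shares/customers/list{i}.csv")
               for i in range(250)]
    # A second user with activity only inside the window (no baseline).
    events += [(spike, "asmith", f"/shares/eng/spec{i}.pdf") for i in range(40)]
    return events, departure


if __name__ == "__main__":
    sample, left_on = build_sample_events()
    for day, count, limit in flag_pre_departure(sample, "jdoe", left_on):
        print(f"{day}: {count} downloads (threshold {limit})")
```

A flagged day is a prompt to look at which files were taken and where they went, not proof of misappropriation.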

Some of these may seem obvious, but companies are often so focused on their day-to-day business that they miss these warning signs. If you encounter any of the above, or there’s something else that makes you suspect trade-secrets theft, contact an attorney who specializes in trade-secrets law immediately. Time is always of the essence in these situations.

Panera Case Gives an Early Interpretation of the Defend Trade Secrets Act

Panera, LLC v. Nettles and Papa John’s International, Inc., 2016 WL 4124114 (E.D. Mo. Aug. 3, 2016) is one of the first cases under the Defend Trade Secrets Act (DTSA). It both answers and raises questions about how the statute will be interpreted.

Here, Panera sued a former senior IT employee who left to work for Papa John’s, allegedly in violation of a noncompete/nondisclosure agreement. Panera brings claims for breach of contract, violations of the DTSA, and violations of the Missouri Trade Secrets Act. A copy of the order is linked below.

18 U.S.C. 1836(b)(3)(A)(i)(I) provides that any injunction entered under the DTSA cannot “prevent a person from entering into an employment relationship, and that conditions placed on such employment shall be based on evidence of threatened misappropriation and not merely on the information that the person knows[.]”

This raised a question that would need to be answered by the courts: if a plaintiff sues for breaching a restrictive covenant and violating the DTSA, can the court enter an injunction based on the restrictive covenant, or would that injunction violate the provision above?

Since the court here entered an injunction, this case suggests that the provision above does not preclude injunctions in restrictive-covenant cases that also include DTSA claims. (Which strikes me as the obviously correct result.)

Interestingly, the court entered an injunction precluding the defendant from working for Papa John’s based on violations of the DTSA, not only breaches of the restrictive covenant. This at least arguably violates the DTSA prohibition on such injunctions. It will be interesting to see if this issue is addressed on appeal.

The provision above was also intended to preclude arguments based on inevitable disclosure, since the DTSA provides that an injunction setting forth employment conditions could not be based solely on information known by the former employee. But here, the Court explicitly considered, and at least partially relied upon, the inevitable-disclosure doctrine:

Although Missouri has not formally adopted the doctrine of inevitable disclosure–and neither has the Eighth Circuit, with regard to federal trade secrets claims–the Court finds the rationale underpinning such a theory helpful to understanding why Nettles’ performance of his new role would almost certainly require him to draw upon and use trade secrets and the confidential strategic planning to which he was privy at Panera.

Again, this at least arguably violates the DTSA.

Perhaps these apparent contradictions will be addressed if the case progresses, particularly if it reaches the Eighth Circuit. I will also continue to keep my eye out for other cases under the DTSA that address these and other open issues.

Panera v. Papa John’s

Should You Abandon Email to Protect Trade Secrets?

In the wake of the hacking of the Democratic National Committee’s email server, it may be time to explore whether transmitting trade secrets via email—even internally—has become too risky.

Email hacks have become commonplace. It is a virtual certainty that your company has at least been targeted by some sort of hacking attempt. For every high-profile hack, like Sony, Ashley Madison, or the DNC, there are thousands of less-visible companies who also suffered data breaches, often involving emails.

The sad truth is that regardless of protection efforts, no company can keep its emails and centrally stored electronic documents 100% safe. Thus, you need to ask: is it time for my company to ban transmittal of trade secrets via email?

A wholesale ban on email transmission is not always going to be feasible. But for certain types of trade secrets—particularly ones used only by a small number of employees—this could be workable. For example, I wrote recently about trade secrets relating to design schematics used in 3D printing. Those types of schematics could potentially be stored offline.

These issues are highly unique to each company. You should speak with an attorney who specializes in trade-secret issues to figure out whether your company could benefit from taking trade-secrets offline.

 

Find a Pokemon, Lose Your Trade Secrets?

Well, that escalated quickly. In what seems like an instant, Pokemon went from a faded memory to an all-encompassing craze unlike anything we’ve seen before from an app. Nintendo, the company behind Pokemon Go, had its market cap increase by $7 billion since it was released last week. I haven’t played the game, but I can’t stop hearing and reading about it. Pretty remarkable.

Pokemon Go’s success has far-reaching implications for how we use technology, and in particular augmented reality. I loved this article about how companies can use Pokemon Go to drive foot traffic for about $1/hour. But for our purposes, Pokemon Go may present some unexpected risks to information security.

This article from Inc. discusses two of these risks. First, Pokemon Go users must log in using their Google accounts. But Pokemon Go is then automatically granted full access to the user’s Google account. Thus, Pokemon Go “can see and modify nearly all information in your Google Account.” So, as noted in this blog post, users playing Pokemon Go have granted the app permission to read their emails, send emails, access and delete all Google Drive documents, and more. Not good. Particularly if your employees have emailed themselves proprietary information.

The developer of Pokemon Go has since issued a statement that this was a mistake, which will soon be fixed. Regardless, this shows how important it is to keep your employees from sending themselves proprietary information, which should be your company’s policy. In addition, various IT solutions can protect against this practice.

Also, Pokemon Go has only been officially released in several countries. Per the Inc. article, people living elsewhere have turned to file-sharing services to download the app:

Because the game is popular, people in other countries are obtaining the Android version through unofficial channels – and hackers have already successfully posted malware-infected versions of the app in some file sharing services. One variant of such a malevolent version of the app was discovered by the security firm Proofpoint and is quite serious: it infects Android devices and allows hackers to access the infected devices via a backdoor.

File-sharing services are notoriously dangerous. You should be blocking access to all such services on all company devices.

Issues like these are well-suited for employee training. Employees need to know that seemingly innocent conduct can expose the company to serious risks.

A Landmark Day for Protecting Trade Secrets

Today, President Obama signed into law the Defend Trade Secrets Act. This means that companies whose trade secrets are misappropriated can now sue in federal court. This will likely usher in a new paradigm in the world of trade-secrets litigation. It will be very interesting to see how plaintiffs react and the statute develops in the next few years. In the meantime, take a look at my previous post for an urgent recommendation for all companies now that the DTSA has become effective.

Do This NOW to Prepare for the New Federal Trade Secrets Law

The Defend Trade Secrets Act (DTSA), which creates a federal cause of action for trade-secrets misappropriation, will be signed into law by President Obama in the coming days. This new law will have a substantial effect on where, and how, trade-secrets cases are litigated. Now is the time to figure out if your company is ready for the new law.

Since the DTSA’s definitions of trade secrets and misappropriation are largely similar to those in the Uniform Trade Secrets Act adopted by most states, I’m most concerned about making sure companies are minimizing the risk that they will unexpectedly be hit with a seizure order.

As has been widely discussed and debated, the DTSA contains an ex-parte seizure provision that authorizes judges to order the seizure of property containing the plaintiff’s trade secrets. While there are substantial protections to prevent abuse of this remedy, companies need to make sure they are not at risk of having their property seized.

This brings us to the critical step that all companies need to take now: Look carefully at your employee hiring/onboarding process. Far too many new employees bring proprietary documents from their prior employer; sometimes maliciously, sometimes innocently. Once the DTSA becomes law, if a new employee saves these types of documents on your server, you will be at risk of having law enforcement seize whatever is storing the documents.

Use this opportunity to conduct a comprehensive audit of your onboarding process. Make sure that your restrictive covenants and NDAs require new employees to represent that they are not bringing any proprietary information from a prior employer. Train the employees who conduct the onboarding process to discuss this issue with new employees before they are given access to your server. New employees must understand that they are prohibited from saving any documents from a prior employer on any company property, including servers, employee-issued devices, and media. Finally, work with IT to see if it makes sense to install protections that can alert to any external documents saved on your system by a new employee.

As always, each company needs customized solutions to best address the unique issues affecting your company and industry. Consult with an attorney specializing in trade-secret law who can advise what steps your company should take.

 

House Passes Defend Trade Secrets Act

Over the past few years, there has been much discussion and debate over the Defend Trade Secrets Act (DTSA), which amends the Economic Espionage Act to create a federal civil cause of action for trade-secrets misappropriation. Well, we’re on the verge of the DTSA becoming the law of the land. Several weeks ago, the Senate passed the DTSA by a vote of 87-0. Today, the House of Representatives passed the bill by a vote of 410-2. Now, it goes to the President for signature.

Since President Obama supports the bill, we are just days away from one of the most significant events in the history of trade-secrets law, the creation of a right to sue in federal court to remedy misappropriation. I’ve strongly supported this law, so I’m very pleased with this development. I look forward to litigating trade-secrets actions in federal court.

Would Your Employees Sell Their Network Password?

Sailpoint recently released its 2016 Market Pulse Survey, which examined employees’ roles in IT security. The results should terrify employers. The report can be downloaded here.

This report echoes a theme I’ve been repeating here often: employees can be the biggest threat to your trade secrets. Consider the following findings:

  • 65% of respondents admitted using a single password across applications
  • One in three shared passwords with co-workers
  • More than 40% still had access to corporate network accounts from their prior job

And most disturbing:

  • 20% worldwide, and 27% in the U.S., would sell their corporate password to an outsider, often for less than $1,000
  • 26% admitted uploading sensitive information to the cloud with the intent to share outside the company

Some of these issues can be addressed through proper training regarding password hygiene and protection of proprietary information. But it’s more difficult to address malicious insiders who want to sell access to your system or disclose your trade secrets.

The malicious-insider problem requires proactive thinking. Consult with your IT team or an outside expert to implement solutions that monitor system usage and alert to irregular activity. Work with HR and management to identify employees who are dissatisfied with their jobs, or otherwise showing signs of higher risk. And make sure that each employee only has access to the proprietary information necessary for that employee’s job.

Also, restrictive covenants and non-disclosure agreements can both deter this type of wrongdoing and allow for more effective enforcement if misappropriation occurs. Consult with an attorney who specializes in trade-secrets law to determine what types of contracts and other legal protections are best suited to protect your company.

Beware Google Dorking

What is Google dorking? Simply put, it’s using Google’s advanced search-engine features to find detailed information about websites and computer networks. Because Google’s algorithm indexes huge amounts of information, Google dorking can be a very effective method for learning about a company’s computer network, including the type of information that could allow a hacker easy access to your trade secrets.

Recently, the DOJ brought charges against hackers who were allegedly working with the Iranian government to carry out cyber attacks on various U.S. companies. One of the hackers is charged with accessing the computer network that controls a dam in New York. According to a Wall Street Journal article, the hacker was able to use Google dorking to discover a vulnerable computer, which he hacked into to gain access to the dam’s control systems. Apparently, he had been using Google for months to find vulnerable industrial-control systems.

The WSJ article observes that many companies are unknowingly subjecting themselves to these types of hacking risks, including by connecting outdated infrastructure systems to the internet:

Companies, often against the advice of hacking experts, increasingly have brought such systems online as a way to add “smarts” to U.S. infrastructure. But older systems can have weaknesses that can readily be found through Google dorking, and then exploited, experts said.

It is a very bad idea to connect anything to your company’s network without knowing the implications for network security. The dam-hacking episode shows how easily a bad actor can take advantage.

Google dorking can also help companies identify hacking risks. A company can, and should, “dork” itself, to look for inadvertent or unknown security lapses. Be sure to work with your IT team to make sure that your company is not susceptible to a dork’s hack.