CREATe.org/PwC Report Makes the Case for Investing in Trade-Secret Protections

“Historically, . . . [trade secret protections] have been viewed as a cost, not an investment.” CREATe.org and PwC recently released a report titled “Economic Impact of Trade Secret Theft: A framework for companies to safeguard trade secrets and mitigate potential threats.” If you read this blog, you should read the report.

Next week, I will be interviewing for this blog one of CREATe.org’s principals responsible for the report. (CREATe.org is a non-profit “dedicated to helping companies and their suppliers and business partners reduce counterfeiting, piracy, trade secret theft and corruption.”)

The report seeks to change the mentality described in the above quote. It starts by estimating the cost of trade-secret theft, and concludes (based on a review of various proxies for trade-secret theft) that economic losses based on trade-secret theft amount to between 1 and 3 percent of GDP. Hopefully, numbers like this draw greater attention to the real risks companies face.

It next outlines categories of “threat actors” — those who seek to steal trade secrets. These include nation states, malicious insiders (including current and former employees, third-party consultants, and suppliers), competitors, transnational organized crime, and hacktivists (who try to use corporate information for political or social purposes).

Regarding employees, the report notes that “cultural and technological factors may heighten the insider threat in coming years . . . The nature of U.S. employees’ loyalties to their employers is changing because of the much higher rate of lifetime job changes.” The report also identifies “bring your own device” policies as an increased risk.

The report presents a framework for companies to identify and evaluate their trade secrets, audit their current protections, and make value-based improvements to these protections based on measuring ROI. This approach involves key stakeholders, educates them about the risks of trade-secret theft, and helps make the business case for protections.

While I have some issues with the framework (which, if handled improperly, could create documents that may undermine litigation efforts, and would likely need to be altered for many small and mid-sized businesses), it provides a comprehensive, incredibly useful starting point and roadmap.

Next week, I’ll examine the report in greater depth when I interview CREATe.org.

Trade Secrets and the First Amendment

Before this week, I had never thought much about trade-secrets issues intersecting with the First Amendment. But then I read the complaint in a lawsuit filed by hedge fund Greenlight Capital Inc. against the owner of a website called seekingalpha.com, which published a post disclosing Greenlight’s then-confidential investment strategy. The suit seeks to compel the website owner to disclose the writer’s identity so that Greenlight can sue for trade-secret misappropriation. A copy of the complaint is linked below.

Greenlight Capital, led by David Einhorn, is a hedge fund whose “activity in the investment markets is well known and closely watched by other traders and investment advisors.” In the complaint, Greenlight describes how it develops its investment strategies “at considerable expense,” and how it must keep this information confidential, since disclosure of its investment strategies could move the market.

In November 2013, Greenlight was building an equity position in Micron Technologies. This information was not public knowledge. On November 14, 2013, a writer on the seekingalpha.com website, writing under a pseudonym, disclosed Greenlight’s intentions regarding Micron. As a result, Micron’s share prices rose immediately. Greenlight now needs the writer’s identity, so that it can sue him or her for misappropriating trade secrets.

In a New York Times article discussing this lawsuit, high-profile First Amendment lawyer Floyd Abrams offered thoughts on how the suit implicated constitutional issues:

Floyd Abrams, a First Amendment lawyer with Cahill Gordon & Reindel, said there might be reasons for a judge to compel an anonymous blogger to be identified in a libel case. But he said there weren’t many good reasons for doing so in what would appear to be a largely commercial dispute. “There is a serious First Amendment issue here,” Mr. Abrams said. “He will have a pretty tough job persuading a judge.”

While Floyd Abrams has forgotten more about the First Amendment than I’ve ever known, his position strikes me as off point. Laws prohibiting trade-secret misappropriation by definition restrict speech. Essentially, the Uniform Trade Secrets Act* recognizes that, for example, if you obtain a trade secret you know was acquired by improper means, you are not permitted to disclose that information. Allowing someone to hide behind an online pseudonym could render these laws ineffective.

There are other interesting issues in this case. For example, Greenlight says it takes the following measures to protect this confidential information:

Greenlight’s employees are required pursuant to both firm policy and their employment agreements to keep information regarding Greenlight’s non-public investment strategies confidential. In addition, Greenlight’s prime brokers and custodians are required by confidentiality agreements and other duties to Greenlight to keep non-public information concerning Greenlight’s securities positions confidential.

Later, it notes that at the time seekingalpha.com published the post, “the only persons who lawfully possessed information regarding Greenlight’s position in Micron were persons with a contractual, fiduciary, or other duty to maintain the confidentiality of Greenlight’s position: Greenlight’s employees, counsel, prime and executing brokers and other agents.”

It’s not possible to tell from the complaint whether all of Greenlight’s employees, brokers, and agents are required to sign a confidentiality agreement. If not, Greenlight has a major gap in its confidentiality protections that could undermine its misappropriation claims — the defendant could argue that Greenlight did not reasonably protect its proprietary information. As I’ve discussed often before, it is critical to make sure that all employees, vendors, etc. with access to confidential or proprietary information sign agreements that, at a minimum, require them to keep this information confidential.

*Greenlight filed the case in New York, which is one of the few states that has not adopted some form of the UTSA.

Greenlight Complaint

Small Business Data Theft: Risks and Solutions

Data theft is a hot topic now, with the recent high-profile thefts at Target and others. This issue has consequences for companies trying to protect trade secrets. For example, if a company is not taking measures to protect against data theft, a court could easily conclude that the company has not reasonably protected its proprietary information, and thus is not entitled to trade-secret protection under the Uniform Trade Secrets Act.

Two recent articles in Entrepreneur address this problem head on. In “Why Your Small Business Is At Risk of a Hack Attack,” Heesun Wee explains the risks facing small businesses:

Last year, 31 percent of all attacks were aimed at companies with less than 250 employees, according to Symantec’s 2013 Internet Security Threat Report.

But many small businesses do not appreciate this risk:

Smaller ventures are particularly vulnerable because cybercriminals know they likely spend less to protect their digital information and infrastructure. Cheaper security measures also tend to be static, meaning those systems don’t evolve to keep up with criminals’ newest tricks. . . . Roughly 77 percent of small firms believe their company is safe from a cyberattack–even though 83 percent of those firms do not have a written security policy in place, according to the National Cyber Security Alliance and Symantec.

Small businesses need to do more to protect their sensitive data and proprietary information. In “Preventing Another Target Attack,” Eric Basu offers some suggestions for retailers that apply with equal force to many small businesses.

First, you should use network-monitoring software:

There are next generation software solutions that effectively visualize network traffic, break down machine-to-machine connections by service protocols and allow filtering by machine, service or even internet destination. For example, a North American-based retailer using a payment processing partner from the same continent should not see outbound connections from a POS terminal to places like Russia, China or Brazil. If they do, the connection should be dropped and the security administrator should be notified of the machine initiating the connection.
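The check described in that passage can be sketched as follows. This is an added example, not code from the Entrepreneur article or this blog; it generalizes the country check to an explicit destination allow list (a country lookup would need a GeoIP database), and the subnets, addresses, ports and log format are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed network layout (constructed for this example, not from the article).
POS_SUBNET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_EGRESS = [
    (ipaddress.ip_network("198.51.100.0/24"), 443),  # hypothetical payment processor
    (ipaddress.ip_network("10.20.1.10/32"), 53),     # hypothetical internal DNS resolver
]

# Constructed flow records: "timestamp src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2014-02-03T10:00:01Z 10.20.0.11 198.51.100.7 443 tcp
2014-02-03T10:00:02Z 10.20.0.11 10.20.1.10 53 udp
2014-02-03T10:00:05Z 10.20.0.12 203.0.113.50 443 tcp
2014-02-03T10:00:09Z 10.30.0.5 203.0.113.50 443 tcp
2014-02-03T10:00:12Z 10.20.0.12 203.0.113.50 21 tcp
2014-02-03T10:00:15Z 10.20.0.11 198.51.100.7 8080 tcp
garbled line
"""

def is_allowed(dst_ip, port):
    # A destination is acceptable only if both network and port match an entry.
    return any(dst_ip in net and port == p for net, p in ALLOWED_EGRESS)

def find_violations(flow_text):
    """Return ({pos_ip: [(timestamp, dst_ip, dst_port), ...]}, skipped_line_count)."""
    violations, skipped = defaultdict(list), 0
    for line in flow_text.splitlines():
        try:
            ts, src, dst, port, _proto = line.split()
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port_no = int(port)
        except ValueError:
            skipped += 1  # unparseable record: count it so monitoring gaps are visible
            continue
        # Only POS terminals are held to the allow list; other hosts are out of scope.
        if src_ip in POS_SUBNET and not is_allowed(dst_ip, port_no):
            violations[src].append((ts, dst, port_no))
    return dict(violations), skipped

if __name__ == "__main__":
    flagged, skipped = find_violations(SAMPLE_FLOWS)
    for host, flows in flagged.items():
        for ts, dst, port in flows:
            print(f"ALERT {ts} POS {host} -> {dst}:{port} not on allow list")
    print(f"{skipped} record(s) could not be parsed")
```

The same allow list belongs in the firewall policy for the POS segment so that the connection is dropped as well as reported; the script covers only the notification half.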

Second, improve application-level security:

Keeping [software applications] up to date with the latest versions and patches as well as performing penetration tests on both internal- and external-facing interfaces would have gone a long way to preventing the lateral movements the Target attackers were able to pull off in a short amount of time. Companies that develop in-house applications should also ensure they are designed securely from the get go, performing both static and active secure code reviews at every minor release. Furthermore, only authorized white-listed applications should be allowed to run and properly identified.

Many small businesses do not have the know-how or resources to deal with this issue in-house. In that case, perhaps the most important step you can take is to speak with an IT expert to obtain customized recommendations for protecting your business’s sensitive information. Combining up-to-date IT solutions with proactive legal protections gives you the best chance of avoiding a problem in the first place. And it gives you the best chance to mitigate the damage if a breach occurs.
